In this article we will learn about Bypassing Packet Filters with IP Fragmentation Overlapping.
1.Introduction[Bypassing Packet Filters]
The process of IP fragmentation occurs when network layer data is too large to be transmitted across the data link layer in one piece. Then the network layer data is divided into several parts (fragments), and this process is called IP fragmentation. The intent of this article is to present how an attacker could use IP fragmentation to bypass packet filters (overlapping IP fragmentation attack). Finally, it is shown how this attack can be prevented by stateful checking.
2.Understanding IP fragmentation
Two layers of the OSI model are of particular interest when discussing IP fragmentation—Layer 3 (Network) and Layer 2 (Data Link). Network layer data is called a datagram and link layer data is called a frame. From a data flow perspective – a datagram is incorporated into a frame (encapsulation) and is sent to the receiver over a physical medium in the form of ones and zeros (physical layer – layer 1 of the OSI model).
It may happen that the network layer data may be too large to be sent over the data link layer in one piece. Then you need to break it up. How much data can be sent in one frame? MTU (Maximum Transmission Unit) is defined – for example, MTU is 1500 bytes for Ethernet, which is commonly used at the data link layer.
Now let’s describe how IP fragmentation actually works. We need some indication that the fragments belong to the specified datagram (please remember that these fragments have to be reassembled by the recipient later). An identification number is used for this purpose – the same value is used for all fragments that result from datagram fragmentation. These fragments need to be reassembled into the original datagram, but how should they be reassembled (fragment order)? An offset is used for this purpose. How does the receiver know the number of fragments? The MF (More Fragments) flag is used here. When the MF flag is set, the system knows that another fragment is expected. The last fragment is the fragment without the MF flag.
To summarize: the sender chooses a datagram size that is no larger than the MTU of the connected network medium and then the IP fragmentation process is delegated to routers that connect different network media with different MTUs.
There is also another approach to IP fragmentation – Path MTU Discovery. The idea is that the sender sends a probe datagram with the DF (Don’t Fragment) flag set. If the router receives this probe datagram and sees that it is larger than the MTU of the connected network media, then a problem arises – the router must fragment it, but the probe datagram is said not to be fragmented. Then a message about this problem is sent to the sender, who interprets the response and knows that the datagram must be smaller to avoid fragmentation on the way to the recipient.
The sender wants to know how big a datagram can be to avoid fragmentation by routers. Therefore, this process is called Path MTU Discovery, and the fragmentation in this approach is delegated to the sender. The problem with this approach is that the probe datagram may have been sent over a different path than subsequent datagrams. As a result, it may turn out that the smallest MTU discovered by the sender is not actually the smallest for other datagrams, and fragmentation performed by routers will still be needed.
What happens when a fragment is lost? Retransmission occurs when TCP is used at layer 4 of the OSI model (transport layer).
3.Overlapping IP fragmentation
Suppose that the packet filter only allows connections to port 80, but an attacker wants to connect to port 23. Although the packet filter is configured to block connections to port 23, the attacker can try to use overlapping IP fragmentation to bypass the packet filter and eventually connect to this port.
This attack works as follows. A packet filter can be implemented so that the first fragment is checked according to the implemented rules – when a connection to port 80 is seen, the packet filter accepts this fragment and forwards it to the receiver. In addition, the packet filter may assume that other fragments contain only data, and this is not interesting from its point of view. As a result, the packet filter forwards more fragments to the receiver.
At this point, recall that reassembly occurs when the fragments arrive at the receiver. The next fragment (as said – passed by the packer filter) could have been specially prepared by the attacker – a carefully chosen offset was used to overwrite the target port value from the first fragment. The receiver waits for all the fragments, reassembles them, and finally establishes a connection to the attacker’s chosen port.
Here, the packet filter is assumed to look at the first fragment that has all the necessary information to decide whether to pass or reject the fragment – the other fragments are assumed to have no interesting data (from the packet filter’s point of view) and are just passed.
Related article:PaYpal balance with bank logs carding method 2023
How could we solve this problem? If the packet filter reassembled the fragments before making a decision (forward or reject), the attacker would be stopped. As we can see, this approach is about understanding the state or context of traffic and is called stateful inspection (as opposed to the previously described packet filter, which is stateless).
IP fragmentation occurs when network layer data is too large to be sent across the data link layer in one piece. It was shown how IP fragmentation can be used to bypass the packet filter (overlapping IP fragmentation attack) and how stateful inspection can prevent this attack.