IP Fragmentation Exploits
This one is really interesting, but for the full article and a brief explanation of
the fragmentation process see the original article here:
Network security and IP Fragmentation vulnerabilities and attacks
1- IP fragment overlapped
This exploit is identified when two fragments contained
within the same IP datagram have offsets that indicate that they share
positioning within the datagram. This could mean that fragment A is
being completely overwritten by fragment B, or that fragment A is
partially being overwritten by fragment B. Some operating systems do
not properly handle fragments that overlap in this manner and may
throw exceptions or behave in other undesirable ways upon receipt of
overlapping fragments. This is the basis for the so-called teardrop
Denial of Service attacks.
2- IP Fragmentation Buffer Full
This exploit is identified when an
extraordinary amount of incomplete fragmented traffic is detected on
the protected network. This could be due to an excessive number of
incomplete fragmented datagrams, a large number of fragments for
individual datagrams, or a combination of the quantity of incomplete
datagrams and the size/number of fragments in each datagram. This
type of traffic is most likely an attempt to bypass security measures
or Intrusion Detection Systems by intentionally fragmenting the attack
activity, or to exhaust the reassembly buffers of the target.
3- IP Fragment Overrun - Datagram Too Long
This exploit is identified when a reassembled fragmented datagram
would exceed the declared IP data length or the maximum datagram
length. By definition, no IP datagram can be larger than 65,535
bytes, because the Total Length field in the IP header is only 16 bits
wide; a final fragment whose offset plus length goes past that limit
can only be crafted. Systems that try to process these oversized
datagrams may crash. This type of fragmented traffic may be indicative
of a denial of service attempt.
4- IP Fragment Overwrite - Data is Overwritten
Overlapping fragments may also be used in an attempt to
bypass Intrusion Detection Systems. In this scenario, part of an
attack is sent in fragments along with additional random data; later
fragments overwrite the random data with the remainder of the
attack. If the IDS does not reassemble the completed datagram the
same way the target host does, the attack will go undetected. This
exploit is identified when a fragment overlap occurs which results in
existing data being overwritten with different data.
5- IP Fragment Too Many Datagrams
This exploit is identified when there is an excessive
number of incomplete fragmented datagrams detected on the
network. This is most likely either a denial of service attack or an
attempt to bypass security measures.
6- IP Fragment Incomplete Datagram
This exploit is identified when a datagram cannot be fully
reassembled due to missing data. This may indicate a denial of
service attack or an attempt to defeat packet filter security policies.
7- IP Fragment Too Small
This exploit is identified when any fragment other than the final
fragment is less than 400 bytes, indicating that the fragment was likely
intentionally crafted: a host only fragments when the datagram does not
fit the path MTU, so legitimate non-final fragments are normally close
to MTU size. Small fragments may be used in denial of
service attacks or in an attempt to bypass security measures or
detection, for example by pushing the transport header past the first
fragment so that a packet filter never sees the port numbers.
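The checks described in items 1, 3, 4, 6 and 7 above, worked through as a small fragment reassembler over raw IPv4 packets. This is an added example and not code from the original article: the packet builder, the function names, the 10.0.0.1/10.0.0.2 addresses and the sample fragments are constructed here for illustration, and the 400-byte "too small" threshold is the one quoted in item 7. The reassembly policy (a later fragment overwrites an earlier one) is an assumption chosen so that the "data overwritten" condition becomes visible; real operating systems differ in which copy they keep, which is exactly what the IDS-evasion variant relies on.

```python
import struct

IPV4_MAX_LEN = 65535          # limit of the 16-bit Total Length field
IPV4_HDR_LEN = 20             # minimal header, no options
MAX_DATA = IPV4_MAX_LEN - IPV4_HDR_LEN
MIN_NONFINAL_FRAG = 400       # "too small" threshold quoted in item 7 above
MF = 0x2000                   # More Fragments bit in the flags/offset field
OFFSET_MASK = 0x1FFF          # 13-bit fragment offset, counted in 8-byte units


def build_fragment(ident, offset, more, payload, proto=17):
    """Raw IPv4 header (no options, checksum left 0) followed by the fragment data.
    offset is in bytes and must be a multiple of 8, as the wire format requires.
    Addresses 10.0.0.1 -> 10.0.0.2 are constructed sample values."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_off = (MF if more else 0) | ((offset // 8) & OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, IPV4_HDR_LEN + len(payload), ident, flags_off,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def parse_fragment(pkt):
    """(ident, offset in bytes, more_fragments, payload) from raw IPv4 bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    return ident, (flags_off & OFFSET_MASK) * 8, bool(flags_off & MF), pkt[ihl:total_len]


def fragment_datagram(ident, payload, mtu=1500):
    """Legitimate fragmentation: MTU-sized, 8-byte-aligned pieces, MF set on all but the last."""
    chunk = ((mtu - IPV4_HDR_LEN) // 8) * 8
    return [build_fragment(ident, off, off + chunk < len(payload), payload[off:off + chunk])
            for off in range(0, len(payload), chunk)]


def teardrop_fragments(ident):
    """Overlapping pair in the teardrop style (constructed): the second
    fragment's offset falls inside the first fragment's data."""
    return [build_fragment(ident, 0, True, b"A" * 1000),
            build_fragment(ident, 992, False, b"B" * 40)]   # 992 < 1000: overlap


def analyze(frags):
    """Run the checks from the list above over the fragments of one datagram.
    Returns (sorted alert names, reassembled data or None if incomplete).
    Reassembly lets a later fragment overwrite an earlier one (an assumed
    policy), which is what makes the item 4 "data overwritten" case visible."""
    parsed = sorted((parse_fragment(p) for p in frags), key=lambda f: f[1])
    buf = bytearray(MAX_DATA)
    alerts, covered_end, final_seen, holes = set(), 0, False, False
    for _ident, offset, more, payload in parsed:
        end = offset + len(payload)
        if more and len(payload) < MIN_NONFINAL_FRAG:
            alerts.add("fragment_too_small")            # item 7
        if end > MAX_DATA:
            alerts.add("datagram_too_long")             # item 3
            continue                                    # never write past the 65,535-byte limit
        if offset < covered_end:
            alerts.add("fragment_overlap")              # item 1
            # item 4: overlap that changes bytes already assembled (a duplicate
            # carrying identical bytes is an overlap but not an overwrite)
            if bytes(buf[offset:min(end, covered_end)]) != payload[:covered_end - offset]:
                alerts.add("data_overwritten")
        elif offset > covered_end:
            holes = True
        buf[offset:end] = payload
        covered_end = max(covered_end, end)
        final_seen = final_seen or not more
    if holes or not final_seen:
        alerts.add("incomplete_datagram")               # item 6
        return sorted(alerts), None
    return sorted(alerts), bytes(buf[:covered_end])


if __name__ == "__main__":
    print("legitimate:", analyze(fragment_datagram(1, b"x" * 3000))[0])
    print("teardrop:  ", analyze(teardrop_fragments(2))[0])
    print("too long:  ", analyze([build_fragment(7, 65528, False, b"Z" * 16)])[0])
```

Note that `analyze` only inspects the fragments of a single datagram; the volume-based conditions in items 2 and 5 need a table of in-progress reassemblies keyed by (source, destination, protocol, identification) and a timer, which a production IDS keeps alongside this per-datagram logic.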
Also, low level network programming might be interesting for you.
Tuesday, July 24, 2007