Fragmentation Considered Vulnerable Yossi Gilad & Amir Herzberg - - PowerPoint PPT Presentation

Fragmentation Considered Vulnerable

Yossi Gilad & Amir Herzberg

Computer Science Department, Bar Ilan University

Overview

 IP fragmentation recap  `Easy case’ fragment miss-association attacks  Fragmentation attacks in tunnels  Conclusions

IP Fragmentation - Recap

 Today: attacks on IP fragmentation

 Blind (spoofing only) attacker  Interception and DoS attacks.

 The Internet is a diverse network

 Different Maximal Transmission Units (MTUs) on

different links/nets

 What if |long-pkt|>MTU?

Router

Alice

Router (fragment)

LongPkt

Router Defragment MTU

LongPkt

IP Fragmentation - Recap

 Solution 1: Path MTU discovery (PMTUd)

 Discard oversized pkt, inform sender (via ICMP)  Requires connection

 Solution 2: IP fragmentation

 ‘Break’ long pkt into fragments (|frag|<MTU)  Fragment at: any node (IPv4) / only src (IPv6)  Defragment: only at destination

 According to: source, destination, protocol & frag ID

Router

Alice

Router (fragment)

LongPkt

Router

Long Pkt Long Pkt Long Pkt LongPkt

Bob (Defragment) MTU

‘Fragmentation considered Harmful’

 IP fragmentation is conceptually easy, but…

 Wasteful/harmful [KentMogul87]  Complexities: may arrive late or out of order, overlap  How much storage? How long keep fragments in

cache?

 But: still often used

 PMTUd often fails (for UDP, no ICMP feedback,…)  Fragmentation is common in UDP and tunneled traffic

[Shannon02]

‘Fragmentation considered Harmful’

 Implementation vulnerabilities:

 Memory allocation DoS attacks: TearDrop, Rose…  Tiny fragment evasion of firewalls

 Specification vulnerabilities:

 Fragment cache overflow attack [KPS03]  Zalewski (2003) notes that fragmented TCP traffic

can be vulnerable to (blind) TCP injections

 Fragment mis-association attack [M04,rfc4963]

Fragment Misassociation Attack

HDR+1480B (ID=x) HDR+500B, ID=x, offset=980

Fragment mis-association attack: Send fake 2nd frag with same ID…

MTU= 1000B MTU= 1500B HDR+980B, ID=x, offset=0

But, |cache|<<#frags (drop%<<1%)

SrcIP=Alice, Dst=Bob, ID=1, Offset=980, MF=0 SrcIP=Alice, Dst=Bob, ID=2, Offset=980, MF=0 …. SrcIP=Alice, Dst=Bob, ID=b, Offset=980, MF=0 (if x≤b) (stays in cache till timeout or kills next ID=x frg)

What if…

 Frag mis-association has low drop rate  What if attacker can find the `next’ ID?

 Trivial to `kill’ packet (DoS)  Can also `inject’ a fragment

 Need to fix checksum  Checksum can be disabled for UDP

 How is the IP ID chosen (by the sender)?

 Usually a counter – this is specifically

recommended by IPv6 specification

 Two main approaches:

 Global counter (Windows)  Per-destination counter (Linux)

Sometimes, ID Exposing Is Easy

 When the sender uses a global identifier

 Just by observing any packet from the sender

 When the attacker has a zombie behind the

NAT with the destination

 Can also intercept fragments! 

Rewrite transport layer header

Sometimes, ID Exposing Is Easy

Intercepting fragments

SrcIP=Alice, DstIP=NAT, ID=i+1, Offset=1480, MF=0

• A. Src-IP=Alice, Dst-IP=NAT,

ID=i+1, Offset=0, MF=1, Dst-port: Bob’s

• B. SrcIP=Alice, DstIP=NAT,

ID=i+1, Offset=1480, MF=0 discarded SrcIP=Alice, DstIP=NAT, ID=i+1, Offset=0, MF=1, Dst-port: Zombie’s, No chksum Defrag & forward to Zombie mis-associated with Alice frag. B cached

Fragment Interception: Results

 Results for IP tables based NAT

80.00% 82.00% 84.00% 86.00% 88.00% 90.00% 92.00% 20 40 60 80 100

Fragment interception ratio Attacker's bandwidth mbit/sec 1024 fragments are in the cache 64 fragments are in the cache

Other Cases?

 Can similar attacks apply when sender

uses per-destination IP-IDs?

 Easy: if there is NAT (shown before)

 What if there is no NAT?  Yes!

 For a tunnel scenario

ID Exposing Attack

 Alice and Bob are connected via a tunnel  Main difference from NAT scenario:

 Packets `on the Internet’ have a different IP header 

Adversarial agent, PuZo, can not `see’ the `Internet’ ID

 Improved motivation: fragmentation is common

in tunnels

 In talk: Zombie (to receive raw IP packet)

 In paper: Puppet (running in sandbox)

ID Exposing Attack

 Use packet loss as a side channel to identify the

current ID within the tunnel

 We assume no benign traffic or packet loss

 Full version shows how to deal with those

ID Exposing Attack – Basic Version

GWA GWB PuZo S

Get File

Mis- associated

Begin

ID Exposing Attack – Basic Version

GWA GWB PuZo S .

. .

.

. .

.

. .

.

. .

ID Exposing Attack - Meet in the Middle

 But… if n is the number of possible identifiers,

this attack requires to send O(n) packets.

 216 for IPv4, for 232 IPv6

 Revise with meet in the middle technique

ID Exposing Attack - Meet in the Middle

 Send fragments  lay traps  Narrow the search space to

 Detect loss  assume `ID hit’ (frag. mis-association)

 Exhaustive search over all remaining IDs  Reduced number of packets to O( )

 Also feasible for IPv6 (n = 232)

n n n n

Continual Deny & Expose

 Mal has the current ID

 Goal: deny fragmented traffic

 Main Difficulty: maintain synchronization

with current IP ID

 Incremented for every packet (regardless of

arrival/loss)

Continual Deny & Expose

 Basic idea: use PuZo to `monitor’ IP ID

progress

 Send two sequences of spoofed fragments with

consecutive IDs

 Small `gap’ of unset IDs between them  PuZo makes a periodic request for data  Response arrives  ID within the gap  Send the next sequence

Continual Deny & Expose - Results

 Success depends on the number of forged

fragment attacker can `cache in’

 Usually 64 or no limitation (except cache size, 6500+)

90.00% 91.00% 92.00% 93.00% 94.00% 95.00% 96.00% 97.00% 98.00% 99.00% 100.00% 20 40 60 80 100 Loss Rate Attacker's bandwidth Mbit/sec Open source, 256 Open source, 64 Commercial, 256 Commercial, 64

Conclusions

 Fix IP ID

 Add appropriate defenses to network firewalls,

IDS/IPS

 Need to improve specification of networking

protocols

 Need to develop validation techniques

 Further motivation for [Gont11]

Questions?