Bypassing Packet Filters with IP Fragmentation Overlapping

Dawid Czagan
April 20, 2015 by
Dawid Czagan

1. Introduction

The process of IP fragmentation occurs when the data of the network layer is too large to be transmitted over the data link layer in one piece. Then the data of the network layer is split into several pieces (fragments), and this process is called IP fragmentation. The intention of this article is to present how IP fragmentation could be used by the attacker to bypass packet filters (IP fragmentation overlapping attack). Finally, it is shown how this attack can be prevented by stateful inspection.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

2. Understanding IP fragmentation

Two layers of the OSI model are specially interesting when IP fragmentation is discussed – layer 3 (network) and layer 2 (data link). Data of the network layer is called a datagram and data of the data link layer is called a frame. From the data flow perspective – the datagram becomes included in the frame (encapsulation) and is sent to the receiver via the physical medium in the form of ones and zeros (physical layer - layer 1 of the OSI model).

It may occur that the data of the network layer might be too large to be sent over the data link layer in one piece. Then it needs to be fragmented. How much data can be sent in one frame? It is defined by the MTU (Maximum Transmission Unit) - for example MTU is 1500 bytes for the Ethernet, which is commonly used at the data link layer.

Let's describe now how IP fragmentation actually works. We need some indication that the fragments belong to the specified datagram (please keep in mind that these fragments need to be reassembled later by the receiver). For this purpose the identification number is used – the same value is used for all fragments that are created as a result of the datagram's fragmentation. These fragments need to be reassembled to the original datagram, but how should they be reassembled (order of fragments)? Offset is used for this purpose. How does the receiver know the number of fragments? Here the flag MF (More Fragments) is used. When MF flag is set, the system knows that the next fragment is expected. The last fragment is the one without MF flag.

To summarize: the sender chooses the size of datagram that is not greater than the MTU of attached network medium and then the process of IP fragmentation is delegated to the routers, which connect different network media with different MTUs.

There is also another approach to IP fragmentation – Path MTU Discovery. The idea is that the sender sends a probe datagram with DF (Don't Fragment) flag set. If the router gets this probe datagram and sees that it is larger than the MTU of the attached network medium, then the problem occurs – the router has to fragment it, but the probe datagram is said not to be fragmented. Then the message about this problem is sent to the sender who interprets the answer and knows that the datagram needs to be smaller to avoid fragmentation on the way to the receiver. The sender wants to find out how large the datagram can be to avoid fragmentation by the routers. That's why this process is called Path MTU Discovery and fragmentation in this approach is delegated to the sender. The problem with this approach is that the probe datagram might have been sent via different route than the next datagrams. As a consequence, it may turn out that the smallest MTU discovered by the sender is actually not the smallest one for the next datagrams, and the fragmentation done by routers will still be needed.

What happens when the fragment is lost? The retransmission occurs when TCP is used at the layer 4 of the OSI model (transport layer).

3. IP Fragmentation Overlapping

Let's assume that the packet filter allows only the connections to port 80, but the attacker wants to connect to port 23. Although the packet filter is configured to block the connections to port 23, the attacker might try to use IP fragmentation overlapping to bypass the packet filter and finally connect to this port.

This attack works as follows. The packet filter might be implemented in the way that the first fragment is checked according to the implemented rules – when the connection to port 80 is seen, the packet filter accepts this fragment and forwards it to the receiver. Moreover, the packet filter may assume that the next fragments just include the data, and this is not interesting from its point of view. As a consequence, the packet filter forwards the next fragments to the receiver.

Recall at this point that the reassembling occurs when the fragments arrive to the receiver. The next fragment (as it has been said – forwarded by the packer filter) might have been specially prepared by the attacker - the carefully chosen offset has been used to overwrite the value of the destination port from the first fragment. The receiver waits for all fragments, reassembles them, and finally the connection to port of the attacker's choice is established.

The assumption here is that the packet filter looks at the first fragment that has all the necessary information to make a decision about forwarding or denying the fragment – the other fragments are assumed not to have interesting data (from packet filter's point of view) and are just forwarded.

How could we solve this problem? If the packet filter reassembled the fragments before making a decision (forward or deny), then the attacker would be stopped. As we can see this approach is about understanding the state or context of the traffic and is called stateful inspection (in contrast to the previously described packet filter that is stateless).

4. Summary

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

IP fragmentation occurs when the data of the network layer is too large to be sent over the data link layer in one piece. It was presented how IP fragmentation can be used to bypass packet filter (IP fragmentation overlapping attack) and how stateful inspection can prevent this attack.

Dawid Czagan
Dawid Czagan

Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing services with a results-driven approach. He also works as Security Architect at Future Processing.

Dawid shares his bug hunting experience in his workshop entitled "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more". To find out about the latest in Dawid's work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter (@dawidczagan).