Malicious IP Fragmentation

Gary Hoffman, published in PortUnreachable, Oct 11, 2017

If you read my previous blog article on IP Fragmentation, you should be fully versed in what it is and how it works. Although fragmentation is a normal event, it can be leveraged for malicious use, so security analysts should be wary of all fragmented traffic.

A great example of this is using fragmented TCP headers to perform a stealth scan in order to identify open ports on a target host. A conventional port scan would be seen by an intrusion detection system (IDS), but sending the TCP header in multiple fragments might pass undetected. Let’s take the following Nmap command as an example:

nmap -f -sS -p 53 myserver.com

The above command sends a fragmented SYN probe to port 53 of myserver.com, generating the following tcpdump output:

truncated-tcp 16 (frag 25169 : 16@0+)

client.com > myserver.com : (frag 25169: 4@16)

Although we know a SYN to port 53 was sent, this is not evident from the output provided. The first fragment is only 16 bytes, which is less than the 20-byte minimum TCP header size, so it is reported as truncated-tcp; the trailing + shows the MF (more fragments) flag is set. The remaining 4 bytes of the TCP header are then sent in fragment 2 at an offset of 16. It is very possible that an IDS will not capture or detect this type of stealth scan, as it is not evident from any single fragment what it is.

Overlapping fragments are another great example of malicious use and can be used to evade an IDS or perform denial of service (DoS) attacks. The following tcpdump output provides an example of this abnormal behaviour:

client.com.25351 > myserver.com.139: udp 28 (frag 254: 36@0+)

client.com > myserver.com: (frag 254 : 4@24)

As you can see from the above output, the 2nd fragment is 4 bytes with an offset of 24, but the 1st fragment is 36 bytes (offsets 0 to 35), so bytes 24 to 27 are covered twice and the two fragments overlap, which is shown below:

An attacker could easily craft a malicious payload that evades an IDS and fully infects the destination host once reassembled. Part of the payload is sent in fragments along with random data; later fragments then overlap the random data with the remaining payload, so no individual fragment is detected by the IDS.

Overlapping fragments can also be used to pass traffic through a packet filtering device that would normally block it. Note from my first article that only the initial fragment contains the protocol header; subsequent fragments do not. An initial fragment crafted with a destination port of HTTP is likely to be permitted through a firewall. The second fragment is crafted to overlap the initial one and change the destination port to Telnet. As there is no protocol header within the second fragment, the firewall assumes it is data and permits the packet. Upon reassembly of the datagram, the destination port has been rewritten to Telnet, which would normally have been denied at the firewall.

Some hosts do not respond well to receiving fragmented traffic, as was seen with the Teardrop attack on older operating systems. Vulnerable hosts were unable to correctly reassemble the original datagram, resulting in a system crash and a DoS event. This was due to an underlying bug within the TCP/IP reassembly code.

Another DoS condition can occur when system resources are consumed by packet reassembly, as seen with Jolt2. The CPU of a target host in this situation hits 100% utilisation until the malformed packets cease to arrive. An example of this condition as seen in tcpdump is shown below: an endless stream of fragments with the same non-zero offset is sent to the target host, which is then overwhelmed with reassembly work, exhausting CPU and memory.

attacker.com > target.com: (frag 1109 : 9@65520)

attacker.com > target.com: (frag 1109 : 9@65520)

attacker.com > target.com: (frag 1109 : 9@65520)

attacker.com > target.com: (frag 1109 : 9@65520)

attacker.com > target.com: (frag 1109 : 9@65520)

attacker.com > target.com: (frag 1109 : 9@65520)
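The three tcpdump excerpts above (the split TCP header, the overlapping fragments and the repeated Jolt2 offset) share one notation, `(frag ID : length@offset+)`, so a defender can triage them from the text alone. The following is an added example, not code from the original post: a small Python checker that parses that field, groups fragments by IP ID and flags each of the three patterns the article describes. The sample lines are the article's own output, re-typed here as constructed input; the tag names and the 20-byte threshold are my choices.

```python
import re
from collections import defaultdict

# tcpdump frag field, e.g. "(frag 25169 : 16@0+)": IP ID, length@offset; a trailing "+" means MF is set.
FRAG_RE = re.compile(r"\(frag\s+(\d+)\s*:\s*(\d+)@(\d+)(\+?)\)")
MIN_TCP_HEADER = 20  # bytes; a smaller initial fragment cannot hold a complete TCP header

def parse_fragment(line):
    """Return (ip_id, length, offset, more_fragments) or None if the line has no frag field."""
    m = FRAG_RE.search(line)
    if not m:
        return None
    ip_id, length, offset, mf = m.groups()
    return int(ip_id), int(length), int(offset), mf == "+"

def analyse(lines):
    """Group fragments by IP ID and report, per ID, which of the three patterns appear."""
    groups = defaultdict(list)
    for line in lines:
        parsed = parse_fragment(line)
        if parsed:
            groups[parsed[0]].append(parsed[1:])
    findings = defaultdict(set)
    for ip_id, frags in groups.items():
        seen = set()
        for i, (length, offset, mf) in enumerate(frags):
            # 1. Initial fragment too small for a TCP header, MF set: header split across fragments.
            if offset == 0 and mf and length < MIN_TCP_HEADER:
                findings[ip_id].add("tiny-first-fragment")
            # 2. Byte range already covered by an earlier, different fragment of the same datagram.
            for plen, poff, _ in frags[:i]:
                if (plen, poff) != (length, offset) and offset < poff + plen \
                        and offset + length > poff:
                    findings[ip_id].add("overlap")
            # 3. Same non-zero offset repeated: endless reassembly work (Jolt2-style exhaustion).
            if offset != 0 and (length, offset) in seen:
                findings[ip_id].add("duplicate-nonzero-offset")
            seen.add((length, offset))
    return {k: sorted(v) for k, v in findings.items()}

# Constructed sample: the three tcpdump excerpts quoted in the article, fed in as plain lines.
SAMPLE = [
    "truncated-tcp 16 (frag 25169 : 16@0+)",
    "client.com > myserver.com : (frag 25169: 4@16)",
    "client.com.25351 > myserver.com.139: udp 28 (frag 254: 36@0+)",
    "client.com > myserver.com: (frag 254 : 4@24)",
] + ["attacker.com > target.com: (frag 1109 : 9@65520)"] * 6

if __name__ == "__main__":
    for ip_id, tags in analyse(SAMPLE).items():
        print(f"IP ID {ip_id}: {', '.join(tags)}")
```

Running it against the sample reports one distinct pattern per IP ID (25169, 254 and 1109); a benign two-fragment datagram produces no findings.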

Although packet filtering devices and IDS can correctly maintain state and reassemble fragments, security analysts should still be mindful of fragmented traffic and the serious impact it can have upon your infrastructure.
