Monday, July 7, 2008

Packet Fragmentation Attack against Firewalls

For those who don't know what packet fragmentation is: you don't belong here, don't read this article.


Legal Bullshit
DISCLAIMER
This article is provided for general informational purposes only, without warranty, either expressed or implied. How you use this information is up to you and the author is not liable for that.
(F*ing B@$# S**t)


As we know, due to the different MTU (Maximum Transmission Unit) sizes in different networks, TCP/IP packets sometimes need to be fragmented.
If you are an RFC junkie, RFC 791 - Internet Protocol is the reference for you.

Three fields are involved in fragmentation: Identification, Flags and Fragment Offset.

1. Identification: 16 bits

An identifying value assigned by the sender to aid in assembling the fragments of a datagram.

2. Flags: 3 bits

Various Control Flags.

Bit 0: reserved, must be zero
Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment.
Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments.
  0   1   2
+---+---+---+
|   | D | M |
| 0 | F | F |
+---+---+---+


3. Fragment Offset: 13 bits

This field indicates where in the datagram this fragment belongs.

The fragment offset is measured in units of 8 octets (64 bits). The first fragment has offset zero.


Below is the idea of how packet fragmentation can be used to get around rules in some firewalls. The main idea is to set the offset of the second fragment so low that it overlaps the first fragment and overwrites the first fragment's data.

For example:
Suppose there is a firewall rule that only allows port 80 to be connected from the internet to an inside server, and say you want to make an SSH (port 22) connection to that server.
Then the first packet would be sent to the server with port number 80, with the DF bit = 0 (May Fragment) and the MF bit = 1 (More Fragments). Since the firewall is configured to allow port 80 connections, it will allow this packet.

The second packet should be sent with the DF bit = 0 and the MF bit = 0 (Last Fragment), with port 22, and with the Fragment Offset set to 1. This will overwrite the first packet except for its first 8 octets (one offset unit, as defined above).

This second packet will be accepted by the firewall since it is part of the first packet, and the first packet has already been accepted by the firewall. So the final assembled packet will have port 22, and it will be forwarded to the server's port 22 this way.
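As an added defender-side example (not code from the original post), here is a small fragment-set checker modelled on the scenario above: it flags a fragment that lands at offset 1, any overlap with bytes an earlier fragment already covered, and a first fragment too short to carry a full TCP header. These are the checks a reassembling firewall or IDS applies before making a policy decision on a fragmented datagram. The Fragment class, the header field values and the sample fragment sets are constructed for illustration.

```python
import struct
from dataclasses import dataclass

FRAG_UNIT = 8       # RFC 791: Fragment Offset counts 8-octet units
TCP_HDR_MIN = 20    # bytes a first fragment must carry so ports and flags are visible

@dataclass
class Fragment:
    ident: int      # IP Identification (shared by all fragments of one datagram)
    mf: bool        # MF flag: True = More Fragments
    offset: int     # Fragment Offset, in 8-octet units
    payload: bytes  # the fragment's data (start of the TCP segment for offset 0)

def check_fragments(frags):
    """Inspect one datagram's fragments (same ident) and return a list of findings.
    An empty list means the set looks like ordinary MTU-driven fragmentation."""
    findings = []
    frags = sorted(frags, key=lambda f: f.offset)
    first = frags[0] if frags and frags[0].offset == 0 else None
    if first is None:
        findings.append("no fragment with offset 0")
    elif len(first.payload) < TCP_HDR_MIN:
        findings.append(f"tiny first fragment: {len(first.payload)} bytes, TCP header not fully visible")
    covered_end = 0  # one past the highest byte any earlier fragment reached
    for f in frags:
        start = f.offset * FRAG_UNIT
        end = start + len(f.payload)
        if f.offset == 1:
            # RFC 1858: a fragment starting 8 octets in overlaps the TCP header
            # (ack, data offset, flags); filters that cannot reassemble should drop it.
            findings.append("fragment at offset 1 overlaps the TCP header")
        if start < covered_end:
            findings.append(f"overlap: offset {f.offset} rewrites bytes {start}-{covered_end - 1}")
        covered_end = max(covered_end, end)
    if frags and frags[-1].mf:
        findings.append("last fragment still has MF set (datagram incomplete)")
    return findings

def tcp_header(src, dst, flags=0x02):
    # Constructed 20-byte TCP header: ports, seq, ack, data offset, flags, window, csum, urg
    return struct.pack("!HHIIBBHHH", src, dst, 1, 0, 5 << 4, flags, 8192, 0, 0)

# Constructed sample modelled on the post: fragment 1 carries a TCP header for
# port 80 (MF set); fragment 2 claims offset 1 and overlaps it.
SUSPICIOUS = [
    Fragment(0x1234, True, 0, tcp_header(40000, 80)),
    Fragment(0x1234, False, 1, tcp_header(40000, 22)),
]
# Constructed benign case: a 1472-byte first piece, remainder at the next offset (1472 / 8 = 184).
BENIGN = [
    Fragment(0x4321, True, 0, tcp_header(40000, 80) + b"A" * 1452),
    Fragment(0x4321, False, 184, b"B" * 100),
]
```

Running check_fragments(SUSPICIOUS) yields two findings (offset-1 fragment, and an overlap of bytes 8-19), while check_fragments(BENIGN) yields none.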


