Nine InfoSec Courses at SANS Chicago 2017. Save $200 thru July 19.

IDFAQ: Can fragments help attackers evade detection?

IP fragments are a certain type of IP packets that are not sent at once but in multiple parts. The destination or target system has to reassemble the pieces into an IP packet. There are legitimate reasons why fragmentation can (and must) occur. One example of the legitimate uses of IP fragments is for a router that connects networks with different MTU's. It has no choice but to create IP fragments (eg. FDDI -> ethernet transition). Excessive fragmenting however, could be a serious warning you have a problem.

There is a detailed paper on this issue available:
  • Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, T. Ptacek and T. Newsham, Secure Networks, January 1998.
Any host, network device or Intrusion Detection System may deal with IP fragments in the following ways:
  • Discard the fragments. Since there is legitimate use for IP fragments this is not the best general solution. For intrusion detection systems it is advisable that they should examine these packets. When shopping for intrusion detection systems be certain to find out if they support packet reassembly.
  • Letting the IP fragments flow to the final destination without trying to make a whole packet out of it. Typical example of this is what a router does (means the router cannot (always) look at the TCP headers and therefore not do proper filtering ...). You should check your filtering routers, especially if they are your only line of defense.
  • The device can try to reassemble IP fragments into packets. Destination hosts have no choice but to do this. This is the only way for filtering or ID systems to get to the actual contents, or even to the full TCP headers. Since there are no guarantees about order of arrival and since storing fragments until the IP packets are complete consumes resources, there is a chance for a denial of service or for not being able to catch all the IP fragments.
There are tools to generate IP fragments in order to evade access control in filtering devices and to flow unnoticed by intrusion detection systems. One of these tools is the fragrouter released by Anzen Computing and can be found at nidsbench.( http://www.anzen.com/nidsbench/)

We expect an increase in attacks using IP fragments as more of these tools become available to the (would be) hacker community.

Swa Frantzen
What is nmap and what does it do?
 
What was the Ring Zero scan?
IDFAQ: Can fragments help attackers evade detection?
Get a MacBook Air with Online Training
Latest Whitepapers

Securing Industrial Control Systems-2017
By Bengt Gregory-Brown

Using Docker to Create Multi-Container Environments for Research and Sharing Lateral Movement
By Shaun McCullough

Loki-Bot: Information Stealer, Keylogger, & More!
By Rob Pantazopoulos

Last 25 Papers »

Latest Tweets @SANSInstitute

Understand attackers' tactics & strategies in detail wit [...]
July 13, 2017 - 4:50 PM

Newly discovered #cyberattack vectors, vulnerabilities with [...]
July 13, 2017 - 4:45 PM

Limited Time MacBook Air Special Offer | Training on Your Te [...]
July 13, 2017 - 4:02 PM

Contact Us

301-654-SANS(7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"It was a great learning experience that helped open my eyes wider. The instructor's knowledge was fantastic."
- Manuja Wikesekera, Melbourne Cricket Club

"This has been a great way to get working knowledge that would have taken years of experience to learn."
- Josh Carlson, Nelnet

"Just amazing content and instruction, it's really a 'must do' for any info sec professional."
- Mark Austin, PHH Mortgage