Intrusion Detection FAQ: What are IP fragments and can they affect my intrusion detection capability?

IP fragments are a certain type of IP packets that are not sent at once but in multiple parts. The destination or target system has to reassemble the pieces into an IP packet. There are legitimate reasons why fragmentation can (and must) occur. One example of the legitimate uses of IP fragments is for a router that connects networks with different MTU's. It has no choice but to create IP fragments (eg. FDDI -> ethernet transition). Excessive fragmenting however, could be a serious warning you have a problem.

There is a detailed paper on this issue available:
  • Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, T. Ptacek and T. Newsham, Secure Networks, January 1998.
Any host, network device or Intrusion Detection System may deal with IP fragments in the following ways:
  • Discard the fragments. Since there is legitimate use for IP fragments this is not the best general solution. For intrusion detection systems it is advisable that they should examine these packets. When shopping for intrusion detection systems be certain to find out if they support packet reassembly.
  • Letting the IP fragments flow to the final destination without trying to make a whole packet out of it. Typical example of this is what a router does (means the router cannot (always) look at the TCP headers and therefore not do proper filtering ...). You should check your filtering routers, especially if they are your only line of defense.
  • The device can try to reassemble IP fragments into packets. Destination hosts have no choice but to do this. This is the only way for filtering or ID systems to get to the actual contents, or even to the full TCP headers. Since there are no guarantees about order of arrival and since storing fragments until the IP packets are complete consumes resources, there is a chance for a denial of service or for not being able to catch all the IP fragments.
There are tools to generate IP fragments in order to evade access control in filtering devices and to flow unnoticed by intrusion detection systems. One of these tools is the fragrouter released by Anzen Computing and can be found at nidsbench.( http://www.anzen.com/nidsbench/)

We expect an increase in attacks using IP fragments as more of these tools become available to the (would be) hacker community.

Swa Frantzen

The information presented is priceless!
-Nehal Parmar, North Fork Bank

SANSFIRE 2013 - Washington

Latest Whitepapers

Event Monitoring and Incident Response
By Ryan Boyle

Dead Linux Machines Do Tell Tales
By James Fung

Setting Up a Database Security Logging and Monitoring Program
By Jim Horwath

Latest Tweets

#appsec "WhatWorks in AppSec: Log Forging" http://t.co/Gsq91O7UAH
May 22, 2013 - 10:00 AM

DFIR Webcast starts in 75 minutes - 50 Shades of Hidden - Di [...]
May 17, 2013 - 3:46 PM

New blog post by @yorikv on pen test tips for file analysis. [...]
May 16, 2013 - 5:07 PM

Contact Us

(301) 654-SANS (7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"It was a great learning experience that helped open my eyes wider. The instructor's knowledge was fantastic."
- Manuja Wikesekera, Melbourne Cricket Club

"The perfect balance of theory and hands-on experience."
- James D. Perry II, University of Tennessee

"Expertise of the trainer is impressive, real life situations explained, very good manuals. Best training ever!"
- Jerry Robles de Medina, Godo CU