
Intrusion Detection FAQ: What are IP fragments and can they affect my intrusion detection capability?

IP fragments are IP packets that are not delivered in one piece but split into several parts, each carried in its own IP packet. The destination system has to reassemble the pieces into the original datagram before it can look at the transport header and payload. There are legitimate reasons why fragmentation can (and must) occur. One example is a router that connects networks with different MTUs (e.g. an FDDI to Ethernet transition): when a packet is larger than the MTU of the outgoing link, the router has no choice but to fragment it. Excessive fragmentation, however, can be a serious warning that you have a problem.

There is a detailed paper on this issue available:
  • Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, T. Ptacek and T. Newsham, Secure Networks, January 1998.
Any host, network device or intrusion detection system may deal with IP fragments in one of the following ways:
  • Discard the fragments. Since there is legitimate use for IP fragments this is not the best general solution. Intrusion detection systems in particular should examine these packets, so when shopping for one be certain to find out whether it supports fragment reassembly.
  • Let the fragments flow on to the final destination without trying to rebuild the whole packet. This is typically what a router does, which means the router cannot (always) see the TCP header and therefore cannot filter properly on it. Check your filtering routers, especially if they are your only line of defense.
  • Try to reassemble the fragments into complete packets. Destination hosts have no choice but to do this, and it is the only way for a filtering or ID system to get at the actual contents, or even at the full TCP header. Since there are no guarantees about order of arrival, and since storing fragments until the packet is complete consumes memory, this opens the door to denial of service, or to the device missing fragments it could not hold.
There are tools that generate IP fragments in order to evade access control in filtering devices and to pass unnoticed by intrusion detection systems. One such tool is fragrouter, released by Anzen Computing as part of nidsbench (http://www.anzen.com/nidsbench/).
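The following is an added example, not part of the original FAQ or of fragrouter. It illustrates both the reassembly option above and the evasion the tools exploit: a TCP SYN to port 23 is cut into IP fragments, a stateless per-packet filter is run over each fragment, and a small reassembler is run over the same fragments delivered out of order. With 8-byte fragments the TCP flags byte is not in the first fragment, so the per-packet rule cannot fire, while the reassembled datagram is caught. All addresses, port numbers, the IP identification value and the payload are constructed for the example; headers are built by hand with zero checksums, which is enough for offline parsing.

```python
import struct
from collections import defaultdict

IPPROTO_TCP = 6
TCP_SYN = 0x02


def build_ipv4(src, dst, ident, proto, payload, frag_off=0, mf=False):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload.
    frag_off is in bytes and must be a multiple of 8: the wire field counts 8-byte units."""
    flags_frag = ((1 if mf else 0) << 13) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def parse_ipv4(pkt):
    """Extract the fields a reassembler or filter needs from one IPv4 datagram or fragment."""
    ver_ihl, _, tlen, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": src, "dst": dst, "id": ident, "proto": proto,
            "mf": bool(ff & 0x2000), "off": (ff & 0x1FFF) * 8, "data": pkt[ihl:tlen]}


def fragment(src, dst, ident, proto, payload, frag_size):
    """Split payload into fragments of frag_size bytes; all but the last must be a multiple of 8."""
    assert frag_size % 8 == 0
    frags = []
    for off in range(0, len(payload), frag_size):
        more = off + frag_size < len(payload)          # MF set on every fragment but the last
        frags.append(build_ipv4(src, dst, ident, proto, payload[off:off + frag_size], off, more))
    return frags


def tcp_segment(sport, dport, flags, payload=b""):
    """Minimal 20-byte TCP header (checksum zero) followed by payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload


class Reassembler:
    """Collect fragments per (src, dst, id, proto) and return the datagram payload once it is
    contiguous from offset 0 to the end marked by the MF=0 fragment, whatever the arrival order.
    Overlapping fragments and gaps are simply held. A production stack must also bound memory
    per key and time fragments out, otherwise this is the denial of service the FAQ mentions."""

    def __init__(self):
        self.pieces = defaultdict(dict)   # key -> {offset: data}
        self.total = {}                   # key -> payload length, known once MF=0 is seen

    def add(self, pkt):
        f = parse_ipv4(pkt)
        key = (f["src"], f["dst"], f["id"], f["proto"])
        self.pieces[key][f["off"]] = f["data"]
        if not f["mf"]:
            self.total[key] = f["off"] + len(f["data"])
        if key not in self.total:
            return None
        have = 0
        for off in sorted(self.pieces[key]):
            if off != have:               # gap (off > have) or overlap (off < have)
                return None
            have = off + len(self.pieces[key][off])
        if have != self.total[key]:
            return None
        data = b"".join(self.pieces[key][o] for o in sorted(self.pieces[key]))
        del self.pieces[key], self.total[key]
        return data


def stateless_filter(pkt, blocked_port):
    """Per-packet rule 'drop TCP SYN to blocked_port'. It can only be evaluated on a first
    fragment that actually carries the TCP flags byte (offset 13 of the transport header);
    every other fragment passes, which is exactly what tiny-fragment evasion relies on."""
    f = parse_ipv4(pkt)
    if f["proto"] != IPPROTO_TCP or f["off"] != 0 or len(f["data"]) < 14:
        return "pass"
    dport = struct.unpack("!H", f["data"][2:4])[0]
    return "drop" if dport == blocked_port and f["data"][13] & TCP_SYN else "pass"


def demo(frag_size):
    """Fragment a SYN to port 23 at frag_size bytes, deliver the fragments in reverse order, and
    compare the per-fragment verdicts with the verdict on the reassembled datagram."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])        # constructed addresses
    seg = tcp_segment(40000, 23, TCP_SYN, b"telnet-probe!!!!")  # 36 bytes in total
    frags = fragment(src, dst, 0x1234, IPPROTO_TCP, seg, frag_size)
    r, whole = Reassembler(), None
    for p in reversed(frags):
        whole = r.add(p) or whole
    return {
        "fragment_verdicts": [stateless_filter(p, 23) for p in frags],
        "reassembled_ok": whole == seg,
        "reassembled_verdict": stateless_filter(build_ipv4(src, dst, 0x1234, IPPROTO_TCP, whole), 23),
    }


if __name__ == "__main__":
    for size in (8, 16):
        print(size, demo(size))
```

With frag_size=8 every fragment passes the stateless filter while the reassembled datagram is dropped; with frag_size=16 the first fragment already carries the flags byte and is dropped on its own. The reassembler deliberately refuses overlapping fragments rather than picking a policy: which copy of overlapping data a given host keeps is one of the ambiguities Ptacek and Newsham describe, and a monitoring device that guesses differently from the end host can be evaded just as easily.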

We expect an increase in attacks using IP fragments as more of these tools become available to the (would-be) hacker community.

Swa Frantzen