
IP Fragment Reassembly with Scapy

IP Fragment Reassembly with Scapy (PDF, 2.46MB)
Published: 05 Jul, 2012
Created by: Mark Baggett

Overlapping IP fragments can be used by attackers to hide nefarious intentions from intrusion detection systems and analysts. Operating systems give preference to overlapping fragments based upon either the position in the packet or the time of arrival. As a result, fragmented packets might be reassembled in one of five different ways. If the IDS or the analyst does not reassemble the packets the same way as the target host, an attack may succeed and go undetected. While some intrusion detection systems have techniques for dealing with these attacks, there are few tools available to the analyst to look inside the reassembly process and try to understand the attacker's intent. This paper will explore how an analyst can use Scapy to reassemble the fragmented attack packets in a similar manner to Linux, Windows, Macintosh, Cisco routers and other operating systems, to see how each operating system would interpret the fragmented packets.
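As an added illustration (not code from the paper, and with no Scapy dependency), the following pure-Python model resolves overlapping fragments under two arrival-based rules and one position-based rule, and counts the bytes on which fragments disagree, which is the ambiguity an analyst or IDS can flag. The policy names, the rule definitions and the fragment data are constructed for this example and make no claim about which operating system uses which rule.

```python
from typing import Callable, Dict, List, Tuple

Fragment = Tuple[int, bytes]          # (byte offset, payload), listed in arrival order
Claim = Tuple[int, int, int]          # (arrival index, fragment offset, byte value)

# Simplified overlap-resolution rules, one per byte (assumed for this example).
POLICIES: Dict[str, Callable[[List[Claim]], Claim]] = {
    "first": lambda c: min(c, key=lambda t: t[0]),           # earliest arrival keeps the byte
    "last": lambda c: max(c, key=lambda t: t[0]),            # latest arrival overwrites
    "lowest_offset": lambda c: min(c, key=lambda t: (t[1], t[0])),  # fragment starting
    # earliest in the datagram wins; equal offsets fall back to earliest arrival
}

def _claims(frags: List[Fragment]) -> List[List[Claim]]:
    """For every byte position, collect each fragment that covers it."""
    total = max(off + len(data) for off, data in frags)
    claims: List[List[Claim]] = [[] for _ in range(total)]
    for arrival, (off, data) in enumerate(frags):
        for i, b in enumerate(data):
            claims[off + i].append((arrival, off, b))
    return claims

def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Rebuild the datagram payload, resolving overlaps with the named policy."""
    claims = _claims(frags)
    if any(not c for c in claims):
        raise ValueError("hole in reassembly: datagram incomplete")
    pick = POLICIES[policy]
    return bytes(pick(c)[2] for c in claims)

def conflicting_bytes(frags: List[Fragment]) -> int:
    """Bytes covered by two or more fragments that carry different values."""
    return sum(1 for c in _claims(frags) if len({b for _, _, b in c}) > 1)

def compare_policies(frags: List[Fragment]) -> Dict[str, bytes]:
    return {name: reassemble(frags, name) for name in POLICIES}

# Constructed sample, in arrival order. IP fragment offsets are carried in 8-octet units,
# so offsets are multiples of 8 and all but the final fragment have lengths that are too.
SAMPLE: List[Fragment] = [
    (0, b"AAAAAAAA"),
    (16, b"BBBBBBBBBBBBBBBB"),
    (8, b"CCCCCCCCCCCCCCCC"),   # arrives after B but starts before it; overlaps bytes 16-23
    (24, b"DDDDDDDD"),          # overlaps the tail of B (bytes 24-31)
]

if __name__ == "__main__":
    for name, payload in compare_policies(SAMPLE).items():
        print(f"{name:14s} {payload.decode()}")
    print("conflicting bytes:", conflicting_bytes(SAMPLE))
```

Three policies, three different payloads from the same four fragments; a non-zero conflict count is the signal that a single reassembly cannot be trusted to match every target host.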

Meet the expert

Mark Baggett

Fellow

SANS Faculty Fellow Mark Baggett authored SEC573, SEC673, and SEC406, leads as CTO of the SANS Internet Storm Center, and empowers defenders to automate security through practical, real-world application.
