
IP Fragment Reassembly with Scapy

IP Fragment Reassembly with Scapy (PDF, 2.46MB)
Published: 05 Jul, 2012
Created by Mark Baggett

Overlapping IP fragments can be used by attackers to hide nefarious intentions from intrusion detection systems and analysts. When two fragments carry data for the same byte range, an operating system gives preference to one of them based on either the fragment's offset within the datagram or its order of arrival. As a result, the same set of fragmented packets may be reassembled in one of five different ways depending on the receiving host. If the IDS or the analyst does not reassemble the packets the same way as the target host, an attack may succeed and go undetected. While some intrusion detection systems have techniques for dealing with these attacks, there are few tools available to the analyst to look inside the reassembly process and try to understand the attacker's intent. This paper explores how an analyst can use Scapy to reassemble fragmented attack packets in the manner of Linux, Windows, Macintosh, Cisco routers and other operating systems, to see how each would interpret the fragments.

Meet the expert

Mark Baggett

Fellow

Mark Baggett has revolutionized cybersecurity through his leadership at SANS. His development of tools like Freq Server has strengthened threat detection, while his work in automation has empowered professionals to defend against evolving threats.
