IP Fragmentation Overlapping
ByPassing IDS
2014-10-21
$ whois jselvi
• Jose Selvi ([email protected])
• Ethical Hacking & Pentesting
• Telefónica Ingeniería de Seguridad
• Pentester.es (http://www.pentester.es)
Let’s Go!
• Having Fun with RFCs
• IP Fragmentation
• Overlapping & Defragmentation
• ByPassing IDS
• Overlapping Defenses
Having Fun with RFC
• RFC = Request for Comments (http://www.ietf.org/rfc.html)
• All protocols are fully defined by RFCs
• Fully? No!!
• A small set of possible situations remains undefined
3-Way HandShake
Client                     Server
        ---- Syn ---->
        <-- Syn, Ack --
        ---- Ack ---->
        ---- Data --->

3-Way HandShake
Client                     Server
      - Syn, Rst, Ack ->
                           WTF?!
Abuse: OS Fingerprinting
• Each coder solves it in a different way
• So... each TCP/IP stack responds differently
• Used for OS fingerprinting
• Different TCP/IP stacks can behave differently? That sounds evilly interesting!
Let’s Go!
• IP Fragmentation
• Overlapping & Defragmentation
• ByPassing IDS
• Overlapping Defenses
• Having Fun with RFCs
To Fit or not to Fit
• MTU = Maximum Transfer Unit
• Depends on the Layer 2 network
• Ethernet = 1500 bytes
• To Fit or not to Fit. That’s the question.
• What if it doesn’t fit?
• IP FRAGMENTATION!
IP Fragmentation
[animation: Packet -> Fragment, Fragment, Fragment -> Packet]
IP Header
• IPID = IP Identifier
• MF Flag = More Fragments
• Fragment Offset
![Page 37: IP Fragmentation Overlapping · 2014-10-21 · • IP Fragmentation ... • First: HP-UX, MacOS, SunOS](https://reader033.vdocument.in/reader033/viewer/2022060313/5f0b4f497e708231d42fe1ed/html5/thumbnails/37.jpg)
Howto Fragment
Original packet: 4000 bytes, MF = 0, Offset = 0
Fragment: 1500 bytes, MF = 1, Offset = 1500
Fragment: 1500 bytes, MF = 1, Offset = 0
Fragment: 1000 bytes, MF = 0, Offset = 3000

Howto Defragment
Fragment: 1500 bytes, MF = 1, Offset = 1500
Fragment: 1500 bytes, MF = 1, Offset = 0
Fragment: 1000 bytes, MF = 0, Offset = 3000
Reassembled packet: 4000 bytes, MF = 0, Offset = 0
Let’s Go!
• Overlapping & Defragmentation
• ByPassing IDS
• Overlapping Defenses
• Having Fun with RFCs
• IP Fragmentation
Overlapping
Fragment: 300 bytes, MF = 1, Offset = 100
Fragment: 200 bytes, MF = 1, Offset = 0
Fragment: 100 bytes, MF = 0, Offset = 400
[animation: the fragments at offset 0 and offset 100 both carry bytes 100-199; which one wins? ¿?]

Defragmentation
• Blue or Green?
• Not defined by RFC
• So... each OS does it its own way
• There are 7 different policies
Policies & OS’s
• First: HP-UX, MacOS, SunOS <5.8
• Last: Cisco
• BSD: AIX, FreeBSD, HP-UX 10.x, IRIX
• BSD-Right: HP Printers (some of them)
• Linux: OpenBSD, Linux
• Windows
• Solaris: Solaris 9 and 10
First Policy
Policy:
1) Always accept the first value received for each byte.
[animation: overlapping fragments 1 to 6 arrive in turn and are reassembled under this policy]

Linux Policy
Policy:
1) Accept the bytes of the fragment with the lower offset
2) With the same offset, accept the last received bytes
[animation: overlapping fragments 1 to 6 arrive in turn and are reassembled under this policy]
Let’s Go!
• ByPassing IDS
• Overlapping Defenses
• Having Fun with RFCs
• IP Fragmentation
• Overlapping & Defragmentation
IDS & Signatures
• Usually signature-based IDSs
• Signature = string or regular expression
• Does it match the packet? => ALERT!
• Evil at the target but not at the IDS?
• Target policy != IDS policy?
• Possible with IP fragmentation
Overlapping
Fragments on the wire: "GET /../../ETC/P", "FOOFOOASSWOR", "D HTTP/1.1"
Reassembled at the target: GET /../../ETC/PASSWD HTTP/1.1
Reassembled at the IDS: GET /../..FOOFOOASSWD HTTP/1.1
Target => /../../ETC/PASSWD
IDS => /../..FOOFOOASSWD
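Added example (my code, not the talk's or fragroute's) serving both the policy slides and this Overlapping slide: it reassembles overlapping fragments under the First, Last and Linux policies as the deck defines them and runs the signature over each result. The fragment sets are constructed with byte offsets as on the slides; the HTTP set is arranged so that First and Linux give the target's view and Last the IDS view shown on the slide, and "Windows = First" follows the deck's fragroute "old" setting.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Frag:
    offset: int     # byte offset, as on the slides (the real field counts 8-byte units)
    mf: int         # More Fragments flag
    payload: bytes


def reassemble(frags: List[Frag], policy: str) -> Optional[bytes]:
    """Reassemble `frags` (in arrival order) under one overlap policy.

    'first': keep the first value received for each byte (deck: HP-UX, MacOS,
             SunOS <5.8; Windows through fragroute's 'ip_frag ... old').
    'last' : keep the last value received (deck: Cisco).
    'linux': the lower-offset fragment wins; with equal offsets the last
             received wins.
    Each policy is realised by the order in which fragments are written into
    the buffer: the fragment that should win writes last.  Returns None if
    the MF=0 fragment is missing, a hole remains, or data passes the end.
    """
    finals = [f for f in frags if f.mf == 0]
    if len(finals) != 1:
        return None
    total = finals[0].offset + len(finals[0].payload)
    arrival = list(enumerate(frags))                 # (arrival index, fragment)
    if policy == "first":
        order = list(reversed(arrival))              # earliest arrival writes last
    elif policy == "last":
        order = arrival                              # latest arrival writes last
    elif policy == "linux":
        # highest offset written first, lowest last; equal offsets in arrival
        # order, so the latest arrival writes last
        order = sorted(arrival, key=lambda t: (-t[1].offset, t[0]))
    else:
        raise ValueError(f"unknown policy {policy!r}")
    buf, filled = bytearray(total), bytearray(total)
    for _, f in order:
        end = f.offset + len(f.payload)
        if end > total:
            return None
        buf[f.offset:end] = f.payload
        filled[f.offset:end] = b"\x01" * len(f.payload)
    return bytes(buf) if all(filled) else None


# Constructed from the 'Overlapping' slide: 200 bytes @ 0, 300 bytes @ 100,
# 100 bytes @ 400; bytes 100-199 are carried by both of the first two.
SLIDE_FRAGS = [
    Frag(0, 1, b"G" * 200),      # arrives first ("green")
    Frag(100, 1, b"B" * 300),    # arrives second ("blue"), overlaps 100-199
    Frag(400, 0, b"E" * 100),
]

# Constructed HTTP request: 'FOOFOO' overlaps '/ETC/P' (bytes 10-15) of the
# first fragment, which reproduces the slide's two views of one datagram.
HTTP_FRAGS = [
    Frag(0, 1, b"GET /../../ETC/P"),
    Frag(10, 1, b"FOOFOO"),
    Frag(16, 0, b"ASSWD HTTP/1.1"),
]
SIGNATURE = b"/ETC/PASSWD"   # the IDS rule content, as on the slide


def disputed_bytes(policy: str) -> bytes:
    """Which fragment wins bytes 100-199 of the slide's example under `policy`."""
    data = reassemble(SLIDE_FRAGS, policy)
    return data[100:200] if data else b""


def signature_match(policy: str) -> Tuple[Optional[bytes], bool]:
    """What an IDS reassembling under `policy` sees and whether the rule fires:
    only a policy that matches the target's (Frag3's target-based idea) alerts."""
    data = reassemble(HTTP_FRAGS, policy)
    return data, data is not None and SIGNATURE in data
```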
![Page 68: IP Fragmentation Overlapping · 2014-10-21 · • IP Fragmentation ... • First: HP-UX, MacOS, SunOS](https://reader033.vdocument.in/reader033/viewer/2022060313/5f0b4f497e708231d42fe1ed/html5/thumbnails/68.jpg)
FragRoute
• “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, January 1998
ip_frag size [old|new]
    Fragment each packet in the queue into size-byte IP fragments, preserving the complete transport header in the first fragment. Optional fragment overlap may be specified as old or new, to favor newer or older data.
Windows Frag
• Policy: Always accept the first value received for each byte.
• First value = Older value
• fragroute -f ncn.conf 192.168.0.100
ip_frag 40 old
order random
DEMO: ByPassing SNORT with IP Fragmentation (I)
Problems
• The attack string is still there!
• Why not detected?
• Packet dropped for bad checksum
• What if the packet is inspected anyway?
• Bypass doesn’t work!
• Can we improve it with FragRoute?
FragRoute
ip_chaff dup|opt|ttl
    Interleave IP packets in the queue with duplicate IP packets containing different payloads, either scheduled for later delivery, carrying invalid IP options, or bearing short time-to-live values.
delay first|last|random ms
    Delay the delivery of the first, last, or a randomly selected packet from the queue by ms milliseconds.
drop first|last|random prob-%
    Drop the first, last, or a randomly selected packet from the queue with a probability of prob-% percent.
First/BSD Vs Linux
• Policy: with the same offset:
• First/BSD => First Fragment
• Linux => Last Fragment
• Bypass = First fragments OK, Last fragments garbage
ip_frag 40
delay last 1
ip_chaff dup
drop last 100
DEMO: ByPassing SNORT with IP Fragmentation (II)
Let’s Go!
• Overlapping Defenses
• Having Fun with RFCs
• IP Fragmentation
• Overlapping & Defragmentation
• ByPassing IDS
Defenses
• SNORT: Frag3 Preprocessor
• Others should have something similar
• Makes Snort speak the target OS’s language
• You have to configure it for each one
DEMO: Frag3 against IP Fragmentation
Other Defenses
• Force defragmentation at the perimeter
• Reject fragmented packets
• Proxies
• NAT
• Keep them out with network design!
Network Design (I)
Internet -> Firewall / Proxy -> IDS -> Linux, Windows

Network Design (II)
Internet -> IDS -> Firewall / Proxy -> Linux, Windows
Other Threats
• Feel safe?
• TCP Overlapping
• TTL .....
• Bad Checksum
• ...
Proverb
MORE HUMAN, LESS MACHINE