Fragmentation Considered Vulnerable

Published: 01 April 2013

Abstract

We show that fragmented IPv4 and IPv6 traffic is vulnerable to effective interception and denial-of-service (DoS) attacks by an off-path attacker. Specifically, we demonstrate a weak attacker intercepting more than 80% of the data exchanged between two peers and causing a loss rate of over 94%.

We show that our attacks are practical through experimental validation on popular industrial and open-source products, in realistic network setups that involve NAT or tunneling and include concurrent legitimate traffic as well as packet losses. The interception attack requires a zombie agent (an attacker-controlled host) behind the same NAT or tunnel gateway as the victim destination; the DoS attack requires only a puppet agent, that is, a sandboxed applet or script running in a web-browser context.

The complexity of our attacks depends on the predictability of the IP Identification (ID) field, which is typically implemented as one or several counters, as allowed and even recommended by the IP specifications. The attacks are much simpler and more efficient against implementations, such as Windows, that use a single ID counter for all destinations. Therefore, much of our focus is on presenting effective attacks against implementations, such as Linux, that use per-destination ID counters.
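The dependency on ID predictability can be seen in a small simulation. The following Python is an added example, not code from the paper or its authors: it models a sender that assigns IPv4 IDs from either a global or a per-destination counter, a receiver that reassembles fragments keyed by (source, destination, protocol, ID) and keeps the first fragment seen for each offset, and an off-path attacker who learns one ID from a packet the sender addressed to the attacker's zombie, predicts the next value, and plants a bogus non-first fragment at the victim under that ID before the real datagram arrives. The addresses, the counter start values, the payload, the CRC32 stand-in for the transport checksum and the first-fragment-wins policy are all assumptions of the model; the NAT and tunnel behaviour that the paper's actual attacks exploit is not modelled.

```python
"""Constructed simulation, not the paper's code, of why IP ID predictability
drives off-path fragment attacks. A sender draws IPv4 Identification values
from one global counter or from per-destination counters; a receiver
reassembles fragments keyed by (src, dst, proto, id); an off-path attacker
who saw one packet from the sender (through a zombie or puppet it controls)
pre-plants a spoofed fragment at the victim under the ID it predicts the
sender will use next. Addresses, counter start values, payload and the
first-fragment-wins reassembly policy are assumptions of this model."""
from dataclasses import dataclass
import zlib

PAYLOAD = b"A" * 16 + b"B" * 16 + b"C" * 8   # 40 bytes -> three fragments


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int      # 16-bit Identification field
    offset: int     # fragment offset in 8-byte units, as on the wire
    more: bool      # MF flag
    data: bytes


def checksum(payload: bytes) -> int:
    """Stand-in for the transport checksum that covers the whole datagram."""
    return zlib.crc32(payload) & 0xFFFFFFFF


class Sender:
    """IPv4 sender using one of the two ID policies the abstract contrasts."""

    def __init__(self, addr: str, policy: str, start):
        # start: an int for "global", or dict dst -> int for "per-destination"
        # (a real stack draws per-destination starts at random; fixed here so
        # the run is reproducible).
        assert policy in ("global", "per-destination")
        self.addr, self.policy, self.start, self.counters = addr, policy, start, {}

    def next_id(self, dst: str) -> int:
        key = None if self.policy == "global" else dst
        ident = self.counters.get(key, self.start if key is None else self.start[dst])
        self.counters[key] = (ident + 1) & 0xFFFF
        return ident

    def send(self, dst: str, payload: bytes, mtu: int = 16) -> list:
        datagram = checksum(payload).to_bytes(4, "big") + payload
        ident = self.next_id(dst)
        return [Fragment(self.addr, dst, 17, ident, off // 8,
                         off + mtu < len(datagram), datagram[off:off + mtu])
                for off in range(0, len(datagram), mtu)]


class Receiver:
    """Reassembly cache; the first fragment seen for an offset is kept."""

    def __init__(self):
        self.cache = {}       # (src, dst, proto, id) -> {offset: Fragment}
        self.delivered = []   # payloads whose checksum verified
        self.dropped = 0      # reassembled datagrams that failed the checksum

    def receive(self, f: Fragment) -> None:
        key = (f.src, f.dst, f.proto, f.ident)
        self.cache.setdefault(key, {}).setdefault(f.offset, f)
        self._try_reassemble(key)

    def _try_reassemble(self, key) -> None:
        bucket, data, pos = self.cache[key], b"", 0
        while pos in bucket:
            frag = bucket[pos]
            data += frag.data
            if not frag.more:
                break
            pos += len(frag.data) // 8
        else:
            return  # hole in the datagram: keep waiting (real stacks time out)
        del self.cache[key]
        if checksum(data[4:]) == int.from_bytes(data[:4], "big"):
            self.delivered.append(data[4:])
        else:
            self.dropped += 1


def run_attack(policy: str) -> dict:
    """Observe one ID via the zombie, predict the next one, pre-plant a bogus
    non-first fragment at the victim under it, then let the real datagram in."""
    start = 0x1000 if policy == "global" else {"10.0.0.9": 0x2B7C, "10.0.0.2": 0x91E0}
    sender, victim = Sender("10.0.0.1", policy, start), Receiver()
    observed = sender.send("10.0.0.9", b"ping")[0].ident   # zombie reads it off its packet
    predicted = (observed + 1) & 0xFFFF
    victim.receive(Fragment("10.0.0.1", "10.0.0.2", 17, predicted, 2, False, b"\0" * 8))
    legit = sender.send("10.0.0.2", PAYLOAD)
    for f in legit:
        victim.receive(f)
    return {"predicted_id_matched": legit[0].ident == predicted,
            "delivered": victim.delivered, "dropped": victim.dropped}


if __name__ == "__main__":
    for policy in ("global", "per-destination"):
        print(policy, run_attack(policy))
```

Against the global counter the planted fragment completes the victim's reassembly with the wrong bytes, the checksum fails and the datagram is discarded, while the genuine non-first fragments arrive for a reassembly that no longer exists; against per-destination counters the guess `observed + 1` misses and the datagram is delivered intact. That is the gap the abstract refers to: with per-destination counters the attacker must first learn the counter for the specific (sender, victim) pair.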

We present practical defenses against the attacks described in this article; the defenses can be deployed on network firewalls, without changes to hosts or to the operating-system kernel.
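Which policy a host actually uses can be checked from a capture of its outgoing packets. The following Python is an added check, not from the paper: it parses constructed IPv4 headers from one source host and reports whether the ID values form a single counter across destinations, separate counters per destination, or neither. The header builder, the sample IDs and the `max_step` tolerance are assumptions; IPv6, whose ID lives in the Fragment extension header, is not parsed.

```python
"""Added check, not from the paper: classify a host's IP ID assignment policy
from the Identification values in IPv4 packets it sent, in arrival order.
The captured headers below are constructed (checksum field left zero).
IPv6 carries the ID in the Fragment extension header and is not parsed here."""
import socket
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte header without options


def ipv4_header(src: str, dst: str, ident: int, proto: int = 17) -> bytes:
    """Build a minimal IPv4 header for constructing sample captures."""
    return struct.pack(IPV4_HDR, 0x45, 0, 60, ident, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4_header(raw: bytes) -> tuple:
    """Return (src, dst, ident) from a raw IPv4 header."""
    _, _, _, ident, _, _, _, _, src, dst = struct.unpack(IPV4_HDR, raw[:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), ident


def classify_ipid(headers: list, max_step: int = 16) -> str:
    """headers: raw IPv4 headers from ONE source host, in the order they were
    captured. max_step bounds the increment a counter may show between two
    consecutive observations (other traffic from the host advances it)."""
    def increasing(ids):
        return all(0 < (b - a) & 0xFFFF <= max_step for a, b in zip(ids, ids[1:]))

    samples = [parse_ipv4_header(h) for h in headers]
    if len({s[0] for s in samples}) != 1 or len(samples) < 4:
        return "insufficient-data"
    # A global counter advances across all destinations, so the interleaved
    # sequence itself increments; test this first, since a global counter
    # would also pass the per-destination test below.
    if increasing([ident for _, _, ident in samples]):
        return "global-counter"
    per_dst = {}
    for _, dst, ident in samples:
        per_dst.setdefault(dst, []).append(ident)
    runs = [ids for ids in per_dst.values() if len(ids) > 1]
    if len(per_dst) > 1 and runs and all(increasing(ids) for ids in runs):
        return "per-destination-counter"
    return "unpredictable"


# Constructed captures of one host, 10.0.0.1, talking alternately to the
# attacker's zombie (10.0.0.9) and the victim (10.0.0.2).
GLOBAL_HOST = [ipv4_header("10.0.0.1", d, i) for d, i in
               [("10.0.0.9", 0x4001), ("10.0.0.2", 0x4002),
                ("10.0.0.9", 0x4003), ("10.0.0.2", 0x4004)]]
PER_DST_HOST = [ipv4_header("10.0.0.1", d, i) for d, i in
                [("10.0.0.9", 0x2B7C), ("10.0.0.2", 0x91E0),
                 ("10.0.0.9", 0x2B7D), ("10.0.0.2", 0x91E1)]]
RANDOM_HOST = [ipv4_header("10.0.0.1", d, i) for d, i in
               [("10.0.0.9", 0x7A10), ("10.0.0.2", 0x0313),
                ("10.0.0.9", 0xE2C1), ("10.0.0.2", 0x558F)]]

if __name__ == "__main__":
    for name, cap in [("global", GLOBAL_HOST), ("per-dst", PER_DST_HOST),
                      ("random", RANDOM_HOST)]:
        print(name, classify_ipid(cap))
```

A host classified as `global-counter` leaks its counter to anyone it exchanges a single packet with, which is the easy case in the abstract; `per-destination-counter` only narrows the attacker's problem to the one (sender, destination) pair, and `unpredictable` means the ID field gives the attacker nothing to work with. The order of the two tests matters: a global counter also increments within each destination, so checking per destination first would misreport it.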



      • Published in: ACM Transactions on Information and System Security, Volume 15, Issue 4, April 2013 (117 pages). ISSN 1094-9224, EISSN 1557-7406. DOI: 10.1145/2445566

      Copyright © 2013 ACM. Publisher: Association for Computing Machinery, New York, NY, United States.

      Publication History

      • Received: 1 March 2012
      • Revised: 1 October 2012
      • Accepted: 1 December 2012
      • Published: 1 April 2013

      Qualifiers

      • research-article
      • Research
      • Refereed
