Abstract
We show that fragmented IPv4 and IPv6 traffic is vulnerable to effective interception and denial-of-service (DoS) attacks by an off-path attacker. Specifically, we demonstrate a weak attacker intercepting more than 80% of the data between peers and causing over 94% loss rate.
We show that our attacks are practical through experimental validation on popular industrial and open-source products, with realistic network setups that involve NAT or tunneling and include concurrent legitimate traffic as well as packet losses. The interception attack requires a zombie agent behind the same NAT or tunnel-gateway as the victim destination; the DoS attack only requires a puppet agent, that is, a sandboxed applet or script running in web-browser context.
The complexity of our attacks depends on the predictability of the IP Identification (ID) field which is typically implemented as one or multiple counters, as allowed and recommended by the IP specifications. The attacks are much simpler and more efficient for implementations, such as Windows, which use one ID counter for all destinations. Therefore, much of our focus is on presenting effective attacks for implementations, such as Linux, which use per-destination ID counters.
We present practical defenses for the attacks presented in this article, the defenses can be deployed on network firewalls without changes to hosts or operating system kernel.
- Advanced Network Architecture Group. 2012. ANA spoofer project. http://spoofer.csail.mit.edu/summary.php.Google Scholar
- Antonatos, S., Akritidis, P., The Lam, V., and Anagnostakis., K. G. 2008. Puppetnets: Misusing web browsers as a distributed attack infrastructure. ACM Trans. Inf. Syst. Secur. 12, 2. Google Scholar
Digital Library
- Arends, R., Austein, R., Larson, M., Massey, D., and Rose, S. 2005. DNS security introduction and requirements. RFC 4033 (Proposed Standard). (Updated by RFC 6014).Google Scholar
- Audet, F. and Jennings, C. 2007. Network address translation (NAT) behavioral requirements for unicast UDP. RFC 4787 (Best Current Practice).Google Scholar
- Baker, F. and Savola, P. 2004. Ingress filtering for multihomed networks. RFC 3704 (Best Current Practice). Google Scholar
Digital Library
- Bellovin, S. M. 2002. A technique for counting natted hosts. In Proceedings of the Internet Measurement Workshop. ACM, 267--272. Google Scholar
Digital Library
- Beverly, R., Berger, A., Hyun, Y., and Claffy, K. C. 2009. Understanding the efficacy of deployed internet source address validation filtering. In Proceedings of the Internet Measurement Conference. A. Feldmann and L. Mathy Eds., ACM, 356--369. Google Scholar
Digital Library
- CAIDA. 2012. Anonymized internet traces 2012 dataset. http://www.caida.org/data/passive/passive_2012_dataset.xml.Google Scholar
- CERT. 1997. Teardrop DoS attack. http://www.cert.org/advisories/CA-1997-28.html.Google Scholar
- Cisco Systems. 2006. Configuring dynamic ARP inspection. http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dynarp.html.Google Scholar
- Cisco Systems. 2007. Pre-Fragmentation for IPsec VPNs. http://www.ciscosystems.cd/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_pre_frag_vpns.pdf.Google Scholar
- Conta, A., Deering, S., and Gupta, M. 2006. Internet control message protocol (ICMPv6) for the internet protocol version 6 (IPv6) specification. RFC 4443 (Draft Standard). (Updated by RFC 4884).Google Scholar
- Cooke, E., Jahanian, F., and Mcpherson, D. 2005. The zombie roundup: Understanding, detecting, and disrupting botnets. In Proceedings of the USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet (STRUTI). 39--44. Google Scholar
Digital Library
- Deering, S. and Hinden, R. 1998. Internet protocol, version 6 (IPv6) specification. RFC 2460 (Draft Standard). (Updated by RFCs 5095, 5722, 5871, 6437). Google Scholar
Digital Library
- Ehrenkranz, T. and Li, J. 2009. On the state of IP spoofing defense. ACM Trans. Internet Techn. 9, 2, 6:1--6:29. Google Scholar
Digital Library
- Farinacci, D., Li, T., Hanks, S., Meyer, D., and Traina, P. 2000. Generic routing encapsulation (GRE). RFC 2784 (Proposed Standard). (Updated by RFC 2890). Google Scholar
Digital Library
- Ferguson, P. and Senie, D. 2000. Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. RFC 2827 (Best Current Practice). Google Scholar
Digital Library
- Gibson, S. 2005. ARP poisoning report. http://www.grc.com/nat/arp.htm.Google Scholar
- Gilad, Y. and Herzberg, A. 2011. Fragmentation considered vulnerable: Blindly intercepting and discarding fragments. In Proceedings of the USENIX Workshop on Offensive Technologies. Google Scholar
Digital Library
- Gilad, Y. and Herzberg, A. 2012a. Fragmentation considered vulnerable - Tech. rep. http://u.cs.biu.ac.il/~herzbea/security/12-03%20fragmentation.pdf.Google Scholar
- Gilad, Y. and Herzberg, A. 2012b. Off-Path attacking the web. In Proceedings of the USENIX Workshop on Offensive Technologies (WOOT). 41--52. Google Scholar
Digital Library
- Gilad, Y. and Herzberg, A. 2012c. Spying in the dark: TCP and tor traffic analysis. In Proceedings of the Privacy Enhancing Technologies Symposium. S. Fischer-Hübner and M. Wright Eds., Lecture Notes in Computer Science Series, vol. 7384. Springer, 100--119. Google Scholar
Digital Library
- Gont, F. 2011. Security assessment of the internet protocol version 4. RFC 6274 (Informational).Google Scholar
- Gont, F. 2012. Security implications of predictable fragment identification values. Internet-draft of the IETF IPv6 maintenance working group (6man). (Expires September 30, 2012).Google Scholar
- Greengard, S. 2012. The war against botnets. Commun. ACM 55, 2, 16--18. Google Scholar
Digital Library
- Heffner, J., Mathis, M., and Chandler, B. 2007. IPv4 reassembly errors at high data rates. RFC 4963 (Informational).Google Scholar
- Herzberg, A. and Shulman, H. 2012a. Fragmentation considered poisonous. CoRR abs/1205.4011.Google Scholar
- Herzberg, A. and Shulman, H. 2012b. Security of patched DNS. In Proceedings of the ESORICS. S. Foresti, M. Yung, and F. Martinelli, Eds., Lecture Notes in Computer Science Series, vol. 7459, Springer, 271--288.Google Scholar
- Hollis, K. 1997. The Rose attack explained. http://digital.net/~gandalf/Rose_Frag_Attack_Explained.htm.Google Scholar
- Huston, G. 2004. Anatomy: A look inside network address translators. Internet Prot. J. 7, 3. http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-3/anatomy.html.Google Scholar
- John, W. and Tafvelin, S. 2007. Analysis of internet backbone traffic and header anomalies observed. In Proceedings of the 7th ACM SIGCOMM. C. Dovrolis and M. Roughan Eds., ACM, 111--116. Google Scholar
Digital Library
- Kaufman, C., Hoffman, P., Nir, Y., and Eronen, P. 2010. Internet key exchange protocol version 2 (IKEv2). RFC 5996 (Proposed Standard). (Updated by RFC 5998).Google Scholar
- Kaufman, C., Perlman, R., and Sommerfeld, B. 2003. DoS Protection for UDP-based protocols. In Proceedings of the 10th ACM Conference on Computer and Communication Security (CCS-03). V. Atluri and P. Liu Eds., ACM Press, New York. Google Scholar
Digital Library
- Kenney, M. 1996. Ping o’ Death. http://www.insecure.org/sploits/ping-o-death.html.Google Scholar
- Kent, C. A. and Mogul, J. C. 1987. Fragmentation considered harmful. res. rep. 87/3, Western Research Lab.Google Scholar
- Kent, S. and Seo, K. 2005. Security architecture for the internet protocol. RFC 4301 (Proposed Standard).Google Scholar
- Killalea, T. 2000. Recommended internet service provider security services and procedures. RFC 3013. (Proposed Standard). Google Scholar
Digital Library
- Klein, A. 2007. OpenBSD DNS cache poisoning and multiple O/S predictable IP ID vulnerability. http://www.trusteer.com/docs/dnsopenbsd.html.Google Scholar
- Kuzmanovic, A. and Knightly, E. W. 2003. Low-rate TCP-targeted denial of service attacks: The shrew vs. the mice and elephants. In Proceedings of SIGCOMM. ACM, New York, 75--86. Google Scholar
Digital Library
- Lahey, K. 2000. TCP problems with path MTU discovery. RFC 2923 (Informational). Google Scholar
Digital Library
- Li, Z., Goyal, A., Chen, Y., and Paxson, V. 2009. Automating analysis of large-scale botnet probing events. In Proceedings of ASIACCS. W. Li, W. Susilo, U. K. Tupakula, R. Safavi-Naini, and V. Varadharajan Eds., ACM, 11--22. Google Scholar
Digital Library
- Luby, M. and Rackoff, C. 1988. How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17, 2, 373--386. Google Scholar
Digital Library
- Lyon, G. 2009. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. http://nmap.org/book/. Google Scholar
Digital Library
- Maier, G., Schneider, F., and Feldmann, A. 2011. NAT Usage in Residential Broadband Networks. In Passive and Active Measurement. Springer, 32--41. Google Scholar
Digital Library
- McCann, J., Deering, S., and Mogul, J. 1996. Path MTU Discovery for IP version 6. RFC 1981 (Draft Standard). Google Scholar
Digital Library
- Mogul, J. and Deering, S. 1990. Path MTU discovery. RFC 1191 (Draft Standard). Google Scholar
Digital Library
- Paxson, V. 2001. An analysis of using reflectors for distributed denial-of-service attacks. Comput. Commun. Rev. 31, 3, 38--47. Google Scholar
Digital Library
- Postel, J. 1980. User datagram protocol. RFC 768 (Standard). Google Scholar
Digital Library
- Postel, J. 1981a. Internet control message protocol. RFC 792 (Standard). (Updated by RFCs 950, 4884). Google Scholar
Digital Library
- Postel, J. 1981b. Internet protocol. RFC 791 (Standard). (Updated by RFC 1349).Google Scholar
- Qian, Z. and Mao, Z. M. 2012. Off-path TCP sequence number inference attack. In Proceedings of the IEEE Symposium on Security and Privacy. Google Scholar
Digital Library
- Qian, Z., Mao, Z. M., and Xie, Y. 2012. Collaborative TCP sequence number inference attack: How to crack sequence number under a second. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’12). ACM, New York, 593--604. Google Scholar
Digital Library
- Ruderman, J. 2001. Same origin policy for JavaScript. https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript.Google Scholar
- Sanfilippo, S. 1998. About the IP header ID. http://www.kyuzz.org/antirez/papers/ipid.html.Google Scholar
- Savola, P. 2006. MTU and fragmentation issues with in-the-network tunneling. RFC 4459 (Informational).Google Scholar
- Shannon, C., Moore, D., and Claffy, K. C. 2002. Beyond folklore: Observations on fragmented traffic. IEEE/ACM Trans. Netw. 10, 6, 709--720. Google Scholar
Digital Library
- Sherwood, R., Bhattacharjee, B., and Braud, R. 2005. Misbehaving TCP receivers can cause internet-wide congestion collapse. In Proceedings of the 12th ACM Conference on Computer and Communications Security. C. Meadows and P. Syverson Eds., ACM, 383--392. Google Scholar
Digital Library
- Srisuresh, P. and Egevang, K. 2001. Traditional IP network address translator (Traditional NAT). RFC 3022 (Informational). Google Scholar
Digital Library
- The Open Web Application Security Project (OWASP). 2010. OWASP Top 10 for 2010. http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf.Google Scholar
- Zalewski, M. 2001. Strange attractors and TCP/IP sequence number analysis. http://lcamtuf.coredump.cx/newtcp/.Google Scholar
- Zalewski, M. 2003. A new TCP/IP blind data injection technique? BugTraq mailing list post. http://lcamtuf.coredump.cx/ipfrag.txt.Google Scholar
- Zalewski, M. 2005. Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks. No Starch Press. Google Scholar
Digital Library
Index Terms
Fragmentation Considered Vulnerable
Recommendations
DNS-over-TCP considered vulnerable
ANRW '21: Proceedings of the Applied Networking Research WorkshopThe research and operational communities believe that TCP provides protection against IP fragmentation attacks and recommend that servers avoid sending DNS responses over UDP but use TCP instead.
In this work we show that IP fragmentation attacks also ...
Fragmentation considered vulnerable: blindly intercepting and discarding fragments
WOOT'11: Proceedings of the 5th USENIX conference on Offensive technologiesWe show that fragmented IPv4 and IPv6 traffic is vulnerable to DoS, interception and modification attacks by a blind (spoofing-only) attacker. We demonstrated a weak attacker causing over 94% loss rate and intercepting more than 80% of data between ...
Mitigating denial of service attacks: a tutorial
This tutorial describes what Denial of Service (DOS) attacks are. how they can be carried out in IP networks, and how one can defend against them. Distributed DoS (DDoS) attacks are included here as a subset of DoS attacks. A DoS attack has two phases: ...






Comments