Fragmentation

- Theory of Fragmentation
  - Fragmentation occurs when an IP datagram traveling on a network has to traverse a network with a maximum transmission unit (MTU) that is smaller than the size of the datagram.
  - For example: if an IP datagram is 2000 bytes and the network it is trying to enter has an MTU of 1500 bytes, the router must fragment the packet so it can travel on that network.
  - Fragment information:
    - Fragments are associated with each other by a common fragment identification number.
      - Carried in the IP header.
      - Also known as the fragment ID.
    - Each fragment must tell the length of the data it carries.
    - Each fragment must indicate whether more fragments follow it; this is done using the More Fragments (MF) flag.
    - This information is contained in the IP header, and a fragment encapsulation is placed around that.
- Visualizing Fragmentation: Seeing is Understanding
  - Ethernet has an MTU of 1500 bytes.
  - Each datagram must have an IP header, usually 20 bytes, but more if IP options are included.
  - If a datagram is 4028 bytes, it needs to be broken up into smaller pieces of 1500 bytes or less.
    - Each of these 1500-byte datagrams contains at least a 20-byte header, so that leaves no more than 1480 bytes for data.
    - The first fragment contains the original header (20 bytes) along with the ICMP header (8 bytes), which leaves 1472 bytes for the ICMP data.
    - The second fragment contains a 20-byte header and 1480 bytes of data.
    - The third and last fragment contains a 20-byte header and 1048 bytes of data.
    - So 1472 bytes of data plus 1480 bytes of data plus 1048 bytes of data gives you the original amount of data, 4000 bytes (4028 - 20 - 8 = 4000).
- All Aboard the Fragment Train
  - The first fragment contains the ICMP header.
  - The More Fragments (MF) flag is set in the IP header of every fragment that has more fragments following it.
- The Fragment Dining Car
  - IP header information is duplicated for each of the fragments.
  - The ICMP header is only on the first fragment.
- The Fragment Caboose
  - Will usually not be a full-sized fragment because it contains the last of the data.
- Fragment Example
- Viewing Fragmentation Using TCPdump
  - You can see this fragment data with TCPdump, which also shows the ICMP header only on the first fragment.
- Fragmentation and Packet-Filtering Devices
  - Sometimes routers and/or firewalls try to block fragmented traffic.
  - The first fragmented packet might not get through because of its header information, but the other fragments may get through.
- The Don't Fragment Flag
  - DF (don't fragment)
  - Means that this packet CANNOT be fragmented.
  - If this flag is set and the datagram crosses a network where fragmentation is required, the datagram will be discarded as unreachable.
- Malicious Fragmentation
  - Fragmentation has provided another way for hackers to have fun.
  - TCP Header Fragments
    - nmap (www.insecure.org/nmap)
    - An nmap command-line option (-f) splits the 20-byte TCP header across multiple fragments to avoid detection.
    - Example: nmap -f -sS -p 53 target.com
    - This sends a fragmented SYN to port 53 of target.com.
  - Teardrop
    - Overlapping fragments in the header.
    - Can cause a system to hang or possibly reboot.
- Summary
  - Fragmentation involves separating and packing the original datagram into new packets less than or equal to the size of the original.
  - Malicious fragmentation usually occurs as a denial-of-service attack.
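As an added illustration (not part of the original notes), the Python below models the 4028-byte ICMP datagram from the Visualizing Fragmentation section being fragmented for Ethernet's 1500-byte MTU and reassembled, and shows the overlap check a reassembler needs against the Teardrop case from the Malicious Fragmentation section. It relies on the standard IP fragment offset field, measured in 8-byte units, which the notes do not spell out; the fragment ID 0x1234 and the byte contents are constructed sample values.

```python
from dataclasses import dataclass

IP_HDR = 20    # IP header without options (bytes)
ICMP_HDR = 8   # ICMP header (bytes); rides only in the first fragment


@dataclass
class Fragment:
    frag_id: int    # fragment identification number shared by all pieces
    offset: int     # where this piece sits in the original payload (bytes)
    payload: bytes  # bytes that follow the IP header in this fragment
    mf: bool        # More Fragments flag


def fragment(frag_id: int, payload: bytes, mtu: int = 1500) -> list:
    """Split an IP payload (ICMP header + data) into fragments that fit the MTU."""
    max_data = (mtu - IP_HDR) // 8 * 8  # fragment offsets count in 8-byte units
    frags = []
    for pos in range(0, len(payload), max_data):
        chunk = payload[pos:pos + max_data]
        frags.append(Fragment(frag_id, pos, chunk, mf=pos + len(chunk) < len(payload)))
    return frags


def reassemble(frags: list) -> bytes:
    """Rebuild the payload, refusing overlaps (Teardrop) and gaps (lost fragments)."""
    if len({f.frag_id for f in frags}) != 1:
        raise ValueError("fragments do not share a single fragment ID")
    buf, expected = bytearray(), 0
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset < expected:
            raise ValueError(f"overlapping fragment at offset {f.offset}")
        if f.offset > expected:
            raise ValueError(f"gap before offset {f.offset}")
        buf += f.payload
        expected += len(f.payload)
    if frags and max(frags, key=lambda f: f.offset).mf:
        raise ValueError("final fragment still has MF set")
    return bytes(buf)


def is_well_formed(frags: list) -> bool:
    """True when the fragment set reassembles cleanly."""
    try:
        reassemble(frags)
        return True
    except ValueError:
        return False


# Constructed sample: 4028-byte ICMP datagram = 20 IP + 8 ICMP + 4000 data (as in the notes)
ICMP_PAYLOAD = b"\x08\x00" + b"\x00" * 6 + b"A" * 4000
FRAGS = fragment(0x1234, ICMP_PAYLOAD)
# Constructed Teardrop-style set: the middle piece overlaps the first one
TEARDROP = [FRAGS[0], Fragment(0x1234, 1000, b"B" * 100, True), FRAGS[2]]
```

Running it yields three fragments carrying 1480, 1480 and 1048 payload bytes at offsets 0, 1480 and 2960, with MF set on all but the last, exactly the split worked out in the notes.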