ERIC BRUHN

Network Applications and Network Applications Lab

Chapter Three Notes


Fragmentation

  • Theory of Fragmentation
    • Fragmentation occurs when an IP datagram traveling on a network has to traverse a network with a maximum transmission unit (MTU) that is smaller than the size of the datagram.
    • For example: if an IP datagram is 2000 bytes and the network it is trying to enter has an MTU of 1500 bytes, the router must fragment the datagram so it can travel on that network.
    • Fragment information:
      • Fragments are associated with each other by a common fragment identification number.
        • In the IP header.
        • Also known as the fragment ID.
      • Must tell the length of the data carried in the fragment.
      • Must know if more fragments follow it; this is done using the More Fragments (MF) flag.
    • This information is carried in the IP header of each fragment, which encapsulates that fragment's share of the data.
    • Visualizing Fragmentation: Seeing is Understanding
      • Ethernet has an MTU of 1500 bytes.
      • Each datagram must have an IP header, usually 20 bytes, but can be more if IP options are included.
      • If a datagram is 4028 bytes, it needs to be broken up into smaller pieces of 1500 bytes or less.
        • Each of these 1500-byte fragments contains at least a 20-byte IP header, so that leaves no more than 1480 bytes for data.
        • The first fragment contains the original IP header (20 bytes) along with the ICMP header (8 bytes), which leaves 1472 bytes for the ICMP data.
        • The second fragment contains a 20-byte header and 1480 bytes of data.
        • The third and last fragment contains a 20-byte header and 1048 bytes of data.
        • So… 1472 bytes of data plus 1480 bytes of data plus 1048 bytes of data gives you the original amount of data, 4000 bytes (4028 - 20 - 8 = 4000).
      • All Aboard the Fragment Train
        • The first fragment contains the ICMP header.
        • The More Fragments (MF) flag is set in the IP header of every fragment that has more fragments following it.
      • The Fragment Dining Car
        • Header information is duplicated for each of the fragments.
        • The ICMP header is only on the first fragment.
      • The Fragment Caboose
        • Will usually not be a full-sized fragment because it contains the last of the data.
      • Fragment Example
    • Viewing Fragmentation Using TCPdump
      • You can see the fragment data with TCPdump, which also shows that the ICMP header appears only on the first fragment.
    • Fragmentation and Packet-Filtering Devices
      • Sometimes routers and/or firewalls try to block fragmented traffic.
      • The first fragment might not get through because of its header information, but the other fragments may get through.
    • The Don’t Fragment Flag
      • DF (don’t fragment)
      • Means that this packet CANNOT be fragmented.
      • If this flag is set and the datagram crosses a network where fragmentation is required, the datagram will be discarded as unreachable.
  • Malicious Fragmentation
    • Fragmentation has provided another way for hackers to have fun.
    • TCP Header Fragments
      • nmap (www.insecure.org/nmap)
      • The nmap command-line option -f splits the 20-byte TCP header across multiple fragments to avoid detection.
      • Example: nmap -f -sS -p 53 target.com
        • This sends a fragmented SYN to port 53 of target.com.
    • Teardrop
      • Overlapping fragments in the header
      • Can cause a system to hang or possibly reboot.
  • Summary
    • Fragmentation involves separating and packing the original datagram into new packets less than or equal to the size of the original.
    • Malicious fragmentation usually occurs as a denial-of-service attack.
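
As an added example (not part of the original notes), the Python below splits a datagram's payload the way a router would for a given MTU and reassembles it, reproducing the 4028-byte ICMP example above (1480, 1480 and 1048 bytes of data at offsets 0, 185 and 370 in 8-byte units), honoring the DF flag, and rejecting the overlapping offsets that Teardrop relies on. The 20-byte header size, the constructed ICMP payload and the Fragment class are assumptions of the example.

```python
from dataclasses import dataclass

IP_HDR = 20  # IP header without options, the size the notes assume

# Constructed input matching the notes: 8-byte ICMP echo header + 4000 data bytes
NOTES_PAYLOAD = bytes([8, 0, 0, 0, 0, 0, 0, 0]) + b"A" * 4000


@dataclass
class Fragment:
    frag_id: int  # fragment identification number shared by all pieces
    offset: int   # fragment offset as carried in the IP header, in 8-byte units
    mf: bool      # More Fragments flag: set on every fragment except the last
    data: bytes   # bytes after the IP header (transport header and/or data)


def fragment(payload: bytes, mtu: int, frag_id: int = 1, df: bool = False) -> list:
    """Split a datagram's payload for a link with the given MTU, as a router would.
    All but the last fragment carry a multiple of 8 bytes so offsets fit the
    8-byte-unit field; with DF set and the datagram too large, it is discarded."""
    if IP_HDR + len(payload) <= mtu:
        return [Fragment(frag_id, 0, False, payload)]  # fits, no fragmentation
    if df:
        raise ValueError("DF set: datagram discarded, fragmentation needed")
    max_data = (mtu - IP_HDR) // 8 * 8  # Ethernet: 1500 - 20 = 1480 data bytes
    if max_data <= 0:
        raise ValueError("MTU too small to carry any data")
    frags, pos = [], 0
    while pos < len(payload):
        chunk = payload[pos:pos + max_data]
        frags.append(Fragment(frag_id, pos // 8, pos + len(chunk) < len(payload), chunk))
        pos += len(chunk)
    return frags


def reassemble(frags: list) -> bytes:
    """Rebuild the payload from one datagram's fragments. Raises ValueError on
    mixed fragment IDs, gaps, a last fragment with MF still set, or overlapping
    offsets (the condition Teardrop relies on), which a reassembler must reject."""
    if len({f.frag_id for f in frags}) != 1:
        raise ValueError("fragments do not share one fragment ID")
    buf = bytearray()
    for f in sorted(frags, key=lambda f: f.offset):
        start = f.offset * 8
        if start < len(buf):
            raise ValueError(f"overlapping fragment at byte offset {start}")
        if start > len(buf):
            raise ValueError(f"missing data before byte offset {start}")
        buf += f.data
    if max(frags, key=lambda f: f.offset).mf:
        raise ValueError("last fragment has MF set; datagram incomplete")
    return bytes(buf)
```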
