Preprocessor arpspoof_detect_host
Snort's preprocessors fall into two categories. They can be used to either examine packets for suspicious activity or modify packets so that the detection engine can properly interpret them. A number of attacks cannot be detected by signature matching via the detection engine, so "examine" preprocessors step up to the plate and detect suspicious activity. These types of preprocessors are indispensable in discovering non-signature-based attacks. The other preprocessors are responsible for normalizing traffic so that the detection engine can accurately match signatures. These preprocessors defeat attacks that attempt to evade Snort's detection engine by manipulating traffic patterns.

Additionally, Snort cycles packets through every preprocessor to discover attacks that require more than one preprocessor to detect them. If Snort simply stopped checking for the suspicious attributes of a packet after it had set off an alert via a preprocessor, attackers could use this deficiency to hide traffic from Snort. Suppose a black hat intentionally encoded a malicious remote exploit attack in a manner that would set off a low priority alert from a preprocessor. If processing is assumed to be finished at this point and the packet is no longer cycled through the preprocessors, the remote exploit attack would register only an encoding alert. The remote exploit would go unnoticed by Snort, obscuring the true nature of the traffic.

Preprocessor parameters are configured and tuned via the nf file. The same nf file lets you add or remove preprocessors as you see fit.

The frag2 preprocessor is Snort's weapon against IP fragmentation attacks. Fragmentation is a normally occurring phenomenon in IP networks. It is necessary to successfully send traffic over different types of network media. Different network-based protocols have divergent rules for the maximum allowable size, or maximum transmission unit (MTU), for datagrams on their networks.

Fragmentation occurs normally when a packet's payload exceeds the MTU. On an Ethernet network, any IP datagram larger than 1,500 bytes has to be fragmented. Fragmentation does not have to happen exclusively at the origination point; it can occur at an intermediate router.

After packets are fragmented, they must be reassembled at the target host. It is the reassembly process that hackers exploit to perpetrate attacks. The receiving host expects the sender to follow some rules when fragmenting. The receiving host reassembles packets by associating a fragment with an identical fragment identification number, or fragment ID. The fragment ID is a copy of the IP identification number in the IP header.

Each fragment must carry its position or offset in the original unfragmented packet (that is, the first fragment will have an offset of 0).

Each fragment must display the amount of data carried in the corresponding fragment.

If the fragment is not the last fragment to be received, it must flag the more fragments (MF) bit.

As you can see, any host that expected these rules to be followed at all times could be exploited by a malicious hacker. One simple attack devised to bypass firewalls and filtering devices uses fragmentation to overwrite TCP header data. The attack works by sending a fragmented TCP packet with header information that is allowed through the firewall. Subsequent fragments contain malicious data that would not otherwise be allowable through the firewall. If the fragmentation offset is small enough, though, the malicious packet overwrites the header information, allowing the malicious traffic through the firewall. An example is overwriting the header to change the destination port number. The attacker might change traffic from normal port 80 HTTP traffic to attack RPC on TCP port 111.

A good proportion of fragmentation attacks are DoS attacks. Host operating systems have been discovered to react unexpectedly to crafted fragmented packets.