Intrusion Detection Systems mailing list archives

Re: Fragmentation Question


From: dugsong () monkey org (Dug Song)
Date: Thu, 14 Oct 1999 09:50:01 -0400 (EDT)



On Wed, 13 Oct 1999, Greg Shipley wrote:

> Okay, assuming that Dragon and NFR are the only two Network-based
> Intrusion Detection systems that do packet re-assembly

they're not. a few other products which had new versions released recently
(perhaps not-so-coincidentally after fragrouter's release) now do some
level of reassembly.

> 1. Deny all fragments into the network.  I see this is a bad idea

you're right. :-)

additionally, IDSs that alert on "short" frags (< 128 bytes) need to be
careful, because these are often just trailing last fragments (which also
do not have to be a multiple of 8 bytes in length).

> 2. Have some perimeter device re-assemble fragmented packets BEFORE they
> get to the IDS.

this is the point of Vern Paxson's traffic normalizer, presented at the
last RAID conference. his normalizer helps offload some of the work
(checksum verification, etc.) from the IDS behind it, as well as actively
rewriting some fields (e.g. TTL) to try to resolve ambiguity.

IP fragmentation is only one attack. there are also many TCP-based attacks
(e.g. segment reordering, overlap, etc.) you have to account for by doing
session reassembly, and even then you can be attacked (e.g. all kinds of
desynchronization attacks, insertion attacks based on sequence numbers
just outside the window, etc.).

-d.

http://www.monkey.org/~dugsong/


