Packet fragmenting



Keywords: packet fragmenting
Description: Every packet based network has an MTU (Maximum Transmission Unit) size. The MTU is the size of the largest packet that that network can transmit. Packets

Every packet based network has an MTU (Maximum Transmission Unit) size. The MTU is the size of the largest packet that that network can transmit.

Every IP packet has an IP (Internet Protocol) header that stores information about the packet, including:

  • Version
  • IHL
  • Type of Service
  • Total Length
  • Identification
  • Flags
  • Fragment Offset
  • Time to Live
  • Protocol
  • Header Checksum
  • Source Address
  • Destination Address
  • Options

Much like the IP header, the TCP (Transmission Control Protocol) header stores information about the packet:

  • Source Port
  • Destination Port
  • Sequence Number
  • Acknowledgement Number
  • Data Offset
  • Flags
  • Window
  • Checksum
  • Urgent Pointer
  • Options
  • Padding

If a 2,366 byte packet enters an Ethernet network with a default MTU size, it must be fragmented into two packets.

  • Be 1,500 bytes in length. 20 bytes will be the IP header, 24 bytes will be the TCP header, and 1,456 bytes will be data.
  • Have a DF bit equal to 0 to mean “May Fragment” and an MF bit equal to 1 to mean “More Fragments.”
  • Have a Fragmentation Offset of 0.
  • Be 910 bytes in length. 20 bytes will be the IP header, 24 bytes will be the TCP header, and 866 bytes will be data.
  • Have the DF bit equal to 0 to mean “May Fragment” and the MF bit equal to 0 to mean “Last Fragment.”
  • Have a Fragmentation Offset of 182 (Note: 182 is 1456 divided by 8).

This is done by cheating with the value of the Fragment Offset. The trick is to set the Fragment Offset’s value on the second packet so low that instead of appending the second packet to the first packet, it actually overwrites the data and part of the TCP header of the first packet.

If someone wants to `telnet` into a network where a packet filtering firewall blocks TCP port 23, SMTP port 25 is allowed into that network.

  • Have a Fragmentation Offset of 0.
  • Have a DF bit equal to 0 to mean “May Fragment” and an MF bit equal to 1 to mean “More Fragments.”
  • Have a Destination Port in the TCP header of 25. TCP port 25 is allowed, so the firewall would allow that packet to enter the network.
  • Have a Fragmentation Offset of 1. This means that the second packet would actually overwrite everything but the first 8 bits of the first packet.
  • Have a DF bit equal to 0 to mean “May Fragment” and an MF bit equal to 0 to mean “Last Fragment.”
  • Have a Destination Port in the TCP header of 23. This would normally be blocked, but will not be in this case!

The packet filtering firewall will see that the Fragment Offset is greater than zero on the second packet. From this data, it will deduce that the second packet is a fragment of another packet and it will not check the second packet against the rule set.

When the two packets arrive at the target host, they will be reassembled. The second packet will overwrite most of the first packet and the contents of the combined packet will go to port 23.




Photogallery Packet fragmenting:


networking - IP Fragmentation and Reassembly - Stack Overflow


IP Fragmentation Attacks - SANS Internet Storm Center


The TCP/IP Guide - IP Message Fragmentation Process


Packetstan


The ugly side of NAT | Excentis


Packetstan: Crafting Overlapping Fragments ..... Eventually


Presentation "Internet Protocol (IP) Basic Functions ...


Sensors | Free Full-Text | Forwarding Techniques for IP Fragmented ...


Dont fragment flag for IPv6 packets in Linux using C++ - Stack ...


Chapter 4: Common IPsec VPN Issues | Network World


JSAN | Free Full-Text | IETF Standardization in the Field of the ...


packet analysis - Is this a Proper WLAN Fragmentation Diagram I ...


Presentation "Chapter 8 Communication Networks and Services The ...


IPsec TCP-MSS, DF-BIT and Fragmentation | Tech Notes / RtooDtoo.net


IP Fragmentation in Wireshark (2)


Fragmented DHCP packets  Netrounds FAQ and Support


Packetstan


Packetstan: August 2011