What does IP fragment mean? How to defend against IP fragment attacks?
2022-07-19 07:02:00 【V13807970340】
In the IP header, the fields involved in fragmentation are the DF (Don't Fragment) bit, the MF (More Fragments) bit, the Fragment Offset and the Total Length. DF and MF are the second and third bits of the 3-bit Flags field (the first bit is reserved); Fragment Offset is the 13-bit field giving the fragment's position within the original datagram, in units of 8 bytes; Length is the 16-bit Total Length field. If the values of these fields contradict each other and the receiving device does not handle the contradiction properly, the device can be affected or even crash. An IP fragment attack deliberately crafts packets whose existing header fields contradict each other.
For example:
a). The DF bit is set (indicating the packet must not be fragmented), yet the MF bit is also set or the Fragment Offset is non-zero (either of which indicates the packet is a fragment);
b). The DF bit is 0 (fragmentation is permitted) and Fragment Offset x 8 + Total Length > 65535, so the fragment's end lies beyond the largest possible IP datagram and the reassembled datagram cannot exist;
Packets like these can crash a vulnerable system. The defense is the same as for Teardrop: validate the header fields before reassembly and discard packets whose fields are inconsistent.
Problems caused by fragmentation
1. The performance cost of fragmentation
Fragmentation and reassembly consume CPU and other resources on both the sender and the receiver; a large volume of fragmented packets can cause serious resource consumption.
Fragmentation also consumes more memory on the receiver, which must allocate buffer space for every fragment it receives and hold it until the last fragment arrives and reassembly can complete.
2. Retransmission caused by the loss of a fragment
If one fragment is lost in transit, the receiver cannot complete reassembly. If the application requires retransmission, the sender must retransmit all fragments of the datagram, not just the one that was dropped; this inefficient retransmission costs both the end systems and the network extra resources.
3. Fragment attacks
An attacker sends crafted fragments but withholds the last fragment. The receiver allocates memory for every fragment it receives, and because the last fragment never arrives, that memory is not released promptly (the receiver starts a reassembly timer for each datagram; if reassembly does not complete before the timer expires, it discards the fragments and sends an ICMP Time Exceeded message, code 1 "fragment reassembly time exceeded", to the sender). If the attacker sends enough fragments fast enough, the receiver's reassembly memory fills up and it has no memory left to process legitimate traffic, which achieves a DoS.
4. Security risks
Because only the first fragment carries the Layer 4 header (TCP/UDP ports and flags) and the remaining fragments do not, routers, firewalls and other intermediate devices have trouble matching access-control policies against fragments.
If a router or firewall does not check fragments against its security policy and simply forwards IP fragments, it exposes the receiver to risk: an attacker can exploit this behaviour to slip an attack past the router's or firewall's policy check and strike the receiver.
If the router or firewall instead reassembles the fragments and only then matches its security policy, that costs the intermediate device a great deal of resources; under a flood of fragments it can exhaust its memory almost immediately, interrupting the whole network.
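The fragment-flood attack and the reassembly timer described in item 3 are shown below in a toy reassembler. This is an added example and not code from the original article: the 30-second timer is the value Linux uses by default for ipfrag_time, and the memory budget with oldest-first eviction is an assumed mitigation that the article does not describe. The addresses, packet identifiers and sizes are constructed for the demo.

```python
"""Toy IP fragment reassembler with a reassembly timer and a memory budget.

Added example, not from the original article. The budget-based eviction is an
assumed mitigation; the 30 s timeout is the Linux default for ipfrag_time.
"""
from __future__ import annotations

from collections import OrderedDict
from dataclasses import dataclass, field

REASSEMBLY_TIMEOUT = 30.0   # seconds (assumed; Linux net.ipv4.ipfrag_time defaults to 30)
MEMORY_BUDGET = 4096        # bytes of buffered fragment payload (assumed, tiny for the demo)


@dataclass
class Datagram:
    first_seen: float
    fragments: dict = field(default_factory=dict)  # byte offset -> payload
    total_len: int | None = None                   # known once the MF=0 fragment arrives
    bytes_held: int = 0


class Reassembler:
    def __init__(self, now):
        self.now = now                 # clock function, injected so the demo can fast-forward
        self.queues = OrderedDict()    # (src, dst, ident) -> Datagram, in arrival order
        self.bytes_held = 0
        self.timeouts = 0
        self.evictions = 0

    def _drop(self, key):
        self.bytes_held -= self.queues.pop(key).bytes_held

    def _expire(self):
        # The reassembly timer from the text: give up on datagrams whose last
        # fragment never arrived. A real stack would send ICMP Time Exceeded
        # (code 1, fragment reassembly time exceeded) to the source here.
        now = self.now()
        for key in list(self.queues):
            if now - self.queues[key].first_seen > REASSEMBLY_TIMEOUT:
                self._drop(key)
                self.timeouts += 1

    def receive(self, src, dst, ident, offset, mf, payload):
        """offset is in bytes (the header field times 8). Returns the
        reassembled payload when the datagram completes, else None."""
        self._expire()
        key = (src, dst, ident)
        q = self.queues.get(key)
        if q is None:
            q = self.queues[key] = Datagram(first_seen=self.now())
        if offset in q.fragments:
            return None                      # duplicate fragment
        # Memory budget: rather than let an attacker's never-completed datagrams
        # fill the buffer, evict the oldest queue until the new fragment fits.
        while self.bytes_held + len(payload) > MEMORY_BUDGET:
            oldest = next(iter(self.queues))
            self._drop(oldest)
            self.evictions += 1
            if oldest == key:
                return None                  # this datagram alone exceeds the budget
        q.fragments[offset] = payload
        q.bytes_held += len(payload)
        self.bytes_held += len(payload)
        if not mf:
            q.total_len = offset + len(payload)
        if q.total_len is None:
            return None
        pos = 0                              # require a gap-free, non-overlapping cover
        for off in sorted(q.fragments):
            if off < pos:                    # overlap (Teardrop style): discard the datagram
                self._drop(key)
                return None
            if off > pos:
                return None                  # gap: still waiting for a fragment
            pos = off + len(q.fragments[off])
        if pos != q.total_len:
            return None
        data = b"".join(q.fragments[o] for o in sorted(q.fragments))
        self._drop(key)
        return data


def run_scenarios():
    """Drive the reassembler through a legitimate datagram, a fragment flood
    and a timeout, using constructed addresses from the documentation ranges."""
    clock = [0.0]
    r = Reassembler(now=lambda: clock[0])
    out = {}
    # 1. A normal two-fragment datagram reassembles as soon as the last piece arrives.
    r.receive("192.0.2.1", "192.0.2.2", 1, 0, True, b"A" * 1000)
    out["legit_len"] = len(r.receive("192.0.2.1", "192.0.2.2", 1, 1000, False, b"B" * 500))
    # 2. Attack: 20 datagrams whose last fragment never comes, 1024 bytes each.
    for ident in range(100, 120):
        r.receive("203.0.113.9", "192.0.2.2", ident, 0, True, b"X" * 1024)
    out["queues_after_attack"] = len(r.queues)
    out["bytes_after_attack"] = r.bytes_held
    out["evictions"] = r.evictions
    # 3. Legitimate traffic still reassembles: the budget evicts stale attacker queues.
    r.receive("192.0.2.1", "192.0.2.2", 2, 0, True, b"C" * 1000)
    out["legit_during_attack"] = len(r.receive("192.0.2.1", "192.0.2.2", 2, 1000, False, b"D" * 500))
    # 4. Fast-forward past the reassembly timer; the leftover attacker queues expire.
    clock[0] = 31.0
    r.receive("198.51.100.7", "192.0.2.2", 7, 0, True, b"E" * 100)
    out["timeouts"] = r.timeouts
    out["queues_after_timeout"] = len(r.queues)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Without the budget, the 20 incomplete datagrams would hold 20 KiB until the timer fires, and an attacker only has to keep sending faster than the timer releases memory; with the budget the flood is capped at 4 queues and a legitimate datagram still reassembles in the middle of it. Real stacks apply the same idea per source as well as globally so that one host cannot evict everyone else's fragments.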
So how can IP fragment attacks be prevented?
1. Packet-filtering devices and intrusion-detection systems usually allow or deny traffic based on the destination port number, which is carried only in the first fragment. The filter therefore inspects the first fragment and lets the subsequent fragments through on the strength of that decision. An attacker can abuse this by making the first fragment so small that the destination port number (or the TCP flags) lands in the second fragment, which the filter never examines; once the fragments are reassembled on the target host they form the attack. This "tiny fragment" technique bypasses some intrusion-detection systems and some packet-filtering systems. The countermeasure (RFC 1858 and RFC 3128) is to discard first fragments too short to carry the complete transport header, and TCP fragments whose Fragment Offset is 1 (8 bytes), since such a fragment would overwrite the TCP flags of the first fragment.
2. Use an extended ACL to filter fragments. On Cisco IOS the entry is:
access-list 101 permit|deny <protocol> <source> <destination> fragments. Adding the fragments keyword at the end of the entry makes it apply to non-initial fragments. Note that an ACL carrying Layer 4 information works best in combination with an ACL carrying the fragments keyword, so that the first fragment is checked against ports and the remaining fragments are handled explicitly.
3. Raise the skill level of the enterprise's security administrators so that IP fragment attacks are detected and stopped promptly.
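The header checks behind cases (a) and (b) and the tiny-fragment filter of defense 1 are shown below as a small validator that decodes the fragmentation fields of an IPv4 header and returns the reasons a packet should be discarded. This is an added example, not code from the original article: the transport-header minimums (20 bytes for TCP, 8 for UDP) are thresholds chosen for this example, and the sample packets are constructed headers using addresses from the documentation range.

```python
"""Validate the fragmentation fields of an IPv4 header before reassembly.

Added example, not from the original article. Implements the contradictory-field
checks (a) and (b) and the tiny-fragment filter. The transport header minimums
(20 bytes TCP, 8 bytes UDP) are thresholds chosen for this example.
"""
import struct
from dataclasses import dataclass

IP_FLAG_DF = 0x2         # Flags field, 3 bits: reserved, DF, MF
IP_FLAG_MF = 0x1
MAX_DATAGRAM = 65535     # 16-bit Total Length field
PROTO_TCP, PROTO_UDP = 6, 17
MIN_TRANSPORT_HDR = {PROTO_TCP: 20, PROTO_UDP: 8}   # assumed thresholds for check (c)


@dataclass
class IPv4Header:
    ihl: int           # header length in bytes
    total_length: int
    df: bool
    mf: bool
    frag_offset: int   # as carried on the wire, in 8-byte units
    protocol: int


def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Decode the fields that matter for fragmentation from a raw IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_length, _ident, flags_off, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags = flags_off >> 13
    return IPv4Header(ihl=(ver_ihl & 0x0F) * 4, total_length=total_length,
                      df=bool(flags & IP_FLAG_DF), mf=bool(flags & IP_FLAG_MF),
                      frag_offset=flags_off & 0x1FFF, protocol=proto)


def fragment_violations(pkt: bytes) -> list:
    """Return the reasons this packet should be discarded (empty list if clean)."""
    h = parse_ipv4(pkt)
    problems = []
    # (a) DF says "not fragmented", yet MF or a non-zero offset says "this is a fragment".
    if h.df and (h.mf or h.frag_offset != 0):
        problems.append("DF set on a fragment")
    # (b) offset is in 8-byte units; the fragment's end must fit in a 65535-byte datagram.
    if h.frag_offset * 8 + h.total_length > MAX_DATAGRAM:
        problems.append("reassembled size exceeds 65535")
    # (c) tiny first fragment: too short to carry the transport header a filter must inspect.
    need = MIN_TRANSPORT_HDR.get(h.protocol)
    if need is not None and h.frag_offset == 0 and h.mf and h.total_length - h.ihl < need:
        problems.append("first fragment too small to carry transport header")
    # (d) RFC 3128 variant: a TCP fragment at offset 1 overlays the flags of the first fragment.
    if h.protocol == PROTO_TCP and h.frag_offset == 1:
        problems.append("TCP fragment with offset 1")
    return problems


def build_ipv4(total_length, df, mf, frag_offset, protocol=PROTO_TCP) -> bytes:
    """Constructed 20-byte header (checksum left zero) used only as test input."""
    flags = (IP_FLAG_DF if df else 0) | (IP_FLAG_MF if mf else 0)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234,
                       (flags << 13) | (frag_offset & 0x1FFF), 64, protocol, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


if __name__ == "__main__":
    samples = {
        "normal":        build_ipv4(1500, df=True,  mf=False, frag_offset=0),
        "df_with_mf":    build_ipv4(1500, df=True,  mf=True,  frag_offset=0),
        "ping_of_death": build_ipv4(1500, df=False, mf=False, frag_offset=8189),
        "tiny_first":    build_ipv4(28,   df=False, mf=True,  frag_offset=0),
        "offset_one":    build_ipv4(100,  df=False, mf=True,  frag_offset=1),
    }
    for name, pkt in samples.items():
        print(f"{name:14} -> {fragment_violations(pkt) or 'ok'}")
```

Only the header fields are validated here; a filter on a real interface would also compare Total Length with the number of bytes actually received, and would apply these checks before the fragment is ever queued for reassembly so that a malformed fragment never consumes buffer memory.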