A jigsaw puzzle you don’t want put together: IP fragmentation attacks

March 17, 2016

Featured blog by Debbie Fletcher, Independent Technology Writer

Human ingenuity isn’t always used for benevolent purposes, which is a shame. But sometimes malevolent ingenuity is so, well, ingenious that you can’t help but be impressed anyway. Big tobacco. The Ship Your Enemies Glitter business. Every single children’s show, which somehow manages to be addictive to children yet makes parents want to put their heads through the drywall.

Unfortunately for website owners, IP fragmentation attacks belong in the malevolently ingenious category. Keep reading to find out how these attacks turn a normal feature of the Internet Protocol against your servers, and what you can do to stop them from taking down your website.

The fragmentation explanation

Before you can fully understand how attackers use fragmented datagrams to launch denial of service attacks, you need a handle on datagram fragmentation: what it is and why it exists in the first place.

Data travels over the internet as IP datagrams. Every link has a limit on the size of packet it can carry, known as its maximum transmission unit (MTU); 1,500 bytes is typical for Ethernet. If a datagram is larger than the MTU of a link it must cross, it is split into fragments. Each fragment carries the original datagram’s identification number, a “more fragments” flag and a fragment offset (counted in 8-byte units) that says where its piece belongs, and the receiving host uses those three fields to put the datagram back together. Reassembly is done at the destination host (or by a firewall in front of it), not by the routers in between: an intermediate router only ever splits, never rejoins.

Think of it like buying a billiards table for your basement. You’re not going to be able to move a standard-sized billiards table through your front door and down your stairs in one piece. You move it into your basement in pieces, and then you put it together.

Example of how an IP datagram is fragmented and reassembled (Source: Incapsula)

Two types of bigger-than-you-figured datagram attacks

IP fragmentation attacks are brilliant in their evilness because they abuse a mechanism the protocol cannot do without. You can’t simply make the attacks go away by refusing all fragments: some edge networks do exactly that, but it silently breaks legitimate traffic such as large UDP DNS responses (DNSSEC in particular) and some VPN tunnels. The internet needs fragmentation in order to run correctly and efficiently, and according to internet security provider Incapsula, attackers have found two different ways to exploit that necessity.

The first is the UDP or ICMP fragmentation attack. The attacker sends a stream of UDP or ICMP fragments that claim to belong to datagrams larger than the MTU, but deliberately never sends a complete set; the fragments are fake in the sense that no whole datagram exists for them to form. The target server dutifully allocates a reassembly buffer for each one and waits for the missing pieces, and because those pieces never arrive, the server’s reassembly table, memory and CPU are consumed by work that can never finish.

The second, which Incapsula files under TCP fragmentation attacks, is better known as the teardrop attack. Here the offsets written into the fragment headers claim that fragments overlap, so that one fragment’s bytes would have to land on top of another’s inside the reassembled datagram. Reassembly code that assumes fragments never overlap can compute a bogus (even negative) length when it tries to splice them, and a server with that bug crashes or hangs outright; implementations without the bug can still be worn down by having to resolve the overlaps. The overlap lives in the IP header, so the trick works the same whether TCP, UDP or ICMP is carried inside.

Teardrop attacks were made possible by a reassembly bug in older operating systems, including Windows 3.1, 95 and NT (and the Linux kernels of the day). Patches were released, but years later a variant of the flaw resurfaced in Windows Vista and Windows 7.

Fragmentation mitigation

Mitigation details vary with the type of attack and with its size and severity, but the best protection makes sure attack fragments never reach the target server at all. In practice that means a device in front of the server reassembles (or virtually reassembles) the fragments itself and enforces the protocol’s rules before forwarding anything: fragments may not overlap, no fragment may extend a datagram past 65,535 bytes, every non-final fragment must be a multiple of 8 bytes long, and a datagram that has not completed within a short timeout is discarded rather than held indefinitely. Do that with a bounded reassembly table and a never-completing fragment flood costs the defender a fixed amount of memory instead of an unbounded one.

Beyond that front-line inspection, advanced mitigation services also filter traffic on signals such as rate patterns and source IP reputation, combining blocklists and allowlists so that known-bad sources are dropped cheaply and known-good ones are not held up by the inspection.
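The mechanics described in the fragmentation explanation, the two attack shapes above, and the rule checks this section calls for, as an added example that is not part of the original article and not Incapsula’s code: a Python IPv4 fragmenter, header parser and reassembler that rejects overlapping fragments (the teardrop case), refuses fragments that would push a datagram past 65,535 bytes or that break the 8-byte rule, and caps and times out its reassembly table so a flood of never-completed UDP/ICMP fragments cannot exhaust it. The header layout follows RFC 791; addresses, identification numbers, payloads and timestamps are constructed test data, and no sockets are used.

```python
# Added example, not code from the article or Incapsula: IPv4 fragmentation and reassembly with the rule checks a fragment-inspecting gateway applies.
import struct

IP_MF = 0x2000         # "more fragments" bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, counted in 8-byte units
MAX_DATAGRAM = 65535   # largest datagram the 16-bit total-length field can describe
HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def build_ipv4(src, dst, ident, payload, offset=0, more=False, proto=17):
    """Raw IPv4 packet (checksum left zero) for constructed test traffic."""
    ip = lambda a: bytes(map(int, a.split(".")))
    return struct.pack(HDR, 0x45, 0, 20 + len(payload), ident, (IP_MF if more else 0) | offset // 8,
                       64, proto, 0, ip(src), ip(dst)) + payload

def fragment(src, dst, ident, payload, mtu):
    """Split a datagram into fragments as a router would for a link with the given MTU."""
    chunk = (mtu - 20) // 8 * 8  # non-final fragments must carry a multiple of 8 bytes
    return [build_ipv4(src, dst, ident, payload[o:o + chunk], o, o + chunk < len(payload))
            for o in range(0, len(payload), chunk)]

def parse_ipv4(pkt):
    """Return the fields reassembly needs; raise on a malformed header."""
    if len(pkt) < 20:
        raise ValueError("truncated header")
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = struct.unpack(HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad version or length fields")
    return {"key": (src, dst, proto, ident), "offset": (flags_off & OFFSET_MASK) * 8,  # RFC 791 identity, byte position
            "more": bool(flags_off & IP_MF), "data": pkt[ihl:total_len]}

class Reassembler:
    """Reassembly table that enforces the fragmentation rules before spending memory on a datagram."""
    def __init__(self, timeout=30.0, max_pending=1024):
        self.timeout, self.max_pending = timeout, max_pending
        self.pending = {}  # key -> {"pieces": {offset: bytes}, "total": int or None, "born": time}
        self.drops = []    # (key, reason) for every rejected set, for logging or alerting

    def _reject(self, key, reason):
        self.pending.pop(key, None)
        self.drops.append((key, reason))
        return ("dropped", reason)

    def accept(self, pkt, now):
        """Feed one packet: returns ("complete", payload), ("pending", None) or ("dropped", reason)."""
        f = parse_ipv4(pkt)
        key, off, data = f["key"], f["offset"], f["data"]
        end = off + len(data)
        if not f["more"] and off == 0:
            return ("complete", data)  # never fragmented
        if f["more"] and len(data) % 8:
            return self._reject(key, "non-final fragment not a multiple of 8 bytes")
        if end > MAX_DATAGRAM:
            return self._reject(key, "fragment extends past 65535 bytes")  # the ping-of-death shape
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_pending:  # bound memory: evict the oldest partial datagram
                self._reject(min(self.pending, key=lambda k: self.pending[k]["born"]), "table full")
            entry = self.pending[key] = {"pieces": {}, "total": None, "born": now}
        for o, d in entry["pieces"].items():  # teardrop check: a piece may not overlap one already held
            if off < o + len(d) and o < end:
                return ("pending", None) if (off, data) == (o, d) else self._reject(key, "overlapping fragment")
        entry["pieces"][off] = data
        if not f["more"]:
            if entry["total"] is not None:
                return self._reject(key, "two final fragments")
            entry["total"] = end
        if entry["total"] is not None and max(o + len(d) for o, d in entry["pieces"].items()) > entry["total"]:
            return self._reject(key, "fragment beyond the final fragment")
        covered = 0  # walk the pieces in offset order; covered becomes -1 at the first gap
        for o, d in sorted(entry["pieces"].items()):
            covered = covered + len(d) if o == covered else -1
        if covered == entry["total"]:  # every byte from 0 to the final fragment's end is present
            del self.pending[key]
            return ("complete", b"".join(d for _, d in sorted(entry["pieces"].items())))
        return ("pending", None)

    def expire(self, now):
        """Discard sets that never completed: the buffer a UDP/ICMP fragment flood tries to exhaust."""
        stale = [k for k, e in self.pending.items() if now - e["born"] > self.timeout]
        for k in stale:
            self._reject(k, "reassembly timeout")
        return len(stale)

def demo():
    r = Reassembler(timeout=30.0, max_pending=64)
    src, dst = "198.51.100.7", "203.0.113.10"  # RFC 5737 documentation addresses, constructed traffic
    payload = bytes(range(256)) * 12  # 3072 bytes: three fragments on a 1500-byte MTU link
    results = [r.accept(p, now=0.0) for p in fragment(src, dst, 0x1234, payload, 1500)]
    legit_ok = results[-1] == ("complete", payload)
    # Teardrop: the second fragment's offset (1000) points inside the first (bytes 0..1479)
    r.accept(build_ipv4(src, dst, 0x1235, b"A" * 1480, offset=0, more=True), now=1.0)
    teardrop = r.accept(build_ipv4(src, dst, 0x1235, b"B" * 600, offset=1000, more=False), now=1.0)
    # Flood: first fragments of 200 datagrams whose remaining pieces never arrive
    for ident in range(200):
        r.accept(build_ipv4(src, dst, 0x2000 + ident, b"\x00" * 1480, offset=0, more=True), now=2.0)
    held = len(r.pending)          # capped by max_pending, so memory does not grow with the flood
    expired = r.expire(now=40.0)   # everything still waiting is discarded once the timeout passes
    return {"legit_ok": legit_ok, "teardrop": teardrop, "held": held, "expired": expired}
```

Running demo() reassembles the legitimate 3,072-byte datagram, drops the teardrop pair with the reason "overlapping fragment", holds only 64 of the 200 orphaned first fragments, and evicts those 64 once the timeout passes. A real gateway would key the table on the same (source, destination, protocol, identification) tuple and use a much shorter timeout than a host’s default; the point of the cap and the timeout together is that an attacker who never finishes a datagram can only ever occupy a fixed amount of your memory.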

As annoying as it is to have to admit something malicious may also be ingenious, that annoyance will be dwarfed by the satisfaction you’ll feel when you defeat that malevolent ingenuity. Protect yourself from IP fragmentation attacks. May brilliant benevolence always win.
