Re: block CodeRed/Nimda at the firewall?

From: RainbowHat (nHiATlE_at_blSackholeP.mAit.edMu.invalid)
Date: 05/17/03


Date: Sat, 17 May 2003 11:06:52 +0000 (UTC)


< D. Stussy
>On Fri, 16 May 2003, RainbowHat wrote:
>> < D. Stussy

>> >1) UDP packets cannot be fragmented. Only TCP packets can.
>> Wrong. All IP packets can be fragmented.
>Not at the protocol level. IP is one level removed from that.

Here are some of the collections in my packet museum (time is +0900,
synchronized to a stratum 2 NTP server; IP addresses are sanitized by me).
This is a specimen of bugtraq worm UDP fragmented packets that I
gathered in the wild last year (2002/10/20).

16:12:33.178613 ip: X.147.Y.26.2001 > MY.IP.178.150.1024: udp 2652
 (frag 52443:1480@0+) (ttl 45)
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 1500 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 52443 | | |M| Fragment Offset = 0 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | TTL=45 | Protocol = 17 | Header Checksum = 14446 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
16:12:33.548613 ip: X.147.Y.26 > MY.IP.178.150:
 (frag 52443:1180@1480) (ttl 45)
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 1200 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 52443 | | | | Fragment Offset = 185 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | TTL=45 | Protocol = 17 | Header Checksum = 22753 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Here is a sample of cinik worm UDP fragmented packets (2002/10/22).
It is very interesting that the DF flag was set and yet the packet was fragmented.

15:50:54.623229 ip: X.30.Y.188 > MY.IP.71.57:
 (frag 8707:1356@1480) (ttl 52)
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 1376 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 8707 | |D| | Fragment Offset = 185 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | TTL=52 | Protocol = 17 | Header Checksum = 50412 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
15:50:55.063229 ip: X.30.Y.188.1812 > MY.IP.71.57.1024: udp 2828
 (frag 8707:1480@0+) (ttl 52)
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 1500 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 8707 | |D|M| Fragment Offset = 0 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | TTL=52 | Protocol = 17 | Header Checksum = 42281 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Not in the wild, but you can experiment in your local laboratory using
`nmap|hping2|etc.` with the UDP tiny IP fragment option or `fragroute`
with UDP/IP fragmentation.
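
The two dumps above can be checked mechanically. The following Python is an added example (not part of RainbowHat's post and not tcpdump code): it fragments a UDP datagram the way an IPv4 router does for a 1500-byte MTU, and it parses tcpdump's `(frag id:len@off+)` annotations from the post's own sanitized lines (embedded below as constructed input) to confirm that each datagram reassembles completely, that the reassembled size agrees with the `udp N` payload length printed on the first fragment, and whether DF was set on a fragment. The `df` detection reads the `|D|` cell of the hand-drawn header diagrams, which is an assumption about the post's drawing convention, not a tcpdump feature.

```python
import re
from dataclasses import dataclass

IP_HDR_LEN = 20    # IHL=5, no options, as in the dumps above
UDP_HDR_LEN = 8


@dataclass
class Fragment:
    ident: int
    length: int      # IP payload bytes carried by this fragment
    offset: int      # byte offset of those bytes within the original datagram
    more: bool       # MF flag ('+' in tcpdump's frag annotation)
    df: bool = False # DF flag, taken from the header drawing when present


def plan_fragments(udp_payload_len, mtu=1500, ident=0):
    """Split one UDP datagram (header + payload) into IPv4 fragments for the MTU.
    Every fragment but the last carries a multiple of 8 bytes, because the
    IPv4 Fragment Offset field counts 8-byte units."""
    remaining = UDP_HDR_LEN + udp_payload_len
    chunk_max = (mtu - IP_HDR_LEN) // 8 * 8
    frags, off = [], 0
    while remaining > 0:
        chunk = min(chunk_max, remaining)
        remaining -= chunk
        frags.append(Fragment(ident, chunk, off, more=remaining > 0))
        off += chunk
    return frags


def total_length(frag):
    """Value of the IP Total Length field for this fragment."""
    return IP_HDR_LEN + frag.length


def offset_field(frag):
    """Value of the 13-bit Fragment Offset field (8-byte units)."""
    return frag.offset // 8


RECORD_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ", re.M)   # a packet record starts at a timestamp
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")
UDP_RE = re.compile(r": udp (\d+)")


def parse_dump(text):
    """Return ({ip_id: [Fragment]}, {ip_id: udp payload length claimed by the first fragment}).
    Continuation lines and header-diagram lines belong to the preceding timestamped record."""
    frags, claimed = {}, {}
    starts = [m.start() for m in RECORD_RE.finditer(text)] + [len(text)]
    for a, b in zip(starts, starts[1:]):
        rec = text[a:b]
        m = FRAG_RE.search(rec)
        if not m:
            continue
        ident, length, off, more = int(m[1]), int(m[2]), int(m[3]), m[4] == "+"
        df = "|D|" in rec   # assumption: flag cell of the post's header drawing
        frags.setdefault(ident, []).append(Fragment(ident, length, off, more, df))
        u = UDP_RE.search(rec)
        if u:
            claimed[ident] = int(u[1])
    return frags, claimed


def check_datagram(fragments, claimed_udp_len=None):
    """Reassembly sanity check over all fragments sharing one IP ID.
    Fragments may arrive out of order (the cinik dump shows the tail first)."""
    fs = sorted(fragments, key=lambda f: f.offset)
    findings = {"complete": True, "problems": []}
    expect = 0
    for f in fs:
        if f.offset != expect:                       # hole or overlap
            findings["problems"].append(f"gap/overlap at offset {f.offset}")
            findings["complete"] = False
        if f.more and f.length % 8:
            findings["problems"].append(f"non-final fragment length {f.length} not a multiple of 8")
        expect = f.offset + f.length
    if not fs or fs[-1].more:                         # tail never seen
        findings["problems"].append("last fragment missing or still has MF set")
        findings["complete"] = False
    findings["udp_payload_len"] = expect - UDP_HDR_LEN
    if claimed_udp_len is not None and findings["udp_payload_len"] != claimed_udp_len:
        findings["problems"].append("reassembled size disagrees with UDP header length")
    findings["df_but_fragmented"] = any(f.df for f in fs)
    return findings


# Constructed input: the sanitized lines from the post, diagram rows trimmed to the flag row.
SAMPLE = """\
16:12:33.178613 ip: X.147.Y.26.2001 > MY.IP.178.150.1024: udp 2652
 (frag 52443:1480@0+) (ttl 45)
  | Identification = 52443 | | |M| Fragment Offset = 0 |
16:12:33.548613 ip: X.147.Y.26 > MY.IP.178.150:
 (frag 52443:1180@1480) (ttl 45)
  | Identification = 52443 | | | | Fragment Offset = 185 |
15:50:54.623229 ip: X.30.Y.188 > MY.IP.71.57:
 (frag 8707:1356@1480) (ttl 52)
  | Identification = 8707 | |D| | Fragment Offset = 185 |
15:50:55.063229 ip: X.30.Y.188.1812 > MY.IP.71.57.1024: udp 2828
 (frag 8707:1480@0+) (ttl 52)
  | Identification = 8707 | |D|M| Fragment Offset = 0 |
"""

if __name__ == "__main__":
    for f in plan_fragments(2652, ident=52443):
        tag = "+" if f.more else ""
        print(f"frag {f.ident}:{f.length}@{f.offset}{tag}  total length {total_length(f)}  offset field {offset_field(f)}")
    frags, claimed = parse_dump(SAMPLE)
    for ident, fs in frags.items():
        print(ident, check_datagram(fs, claimed.get(ident)))
```

Running it reproduces the numbers in the dumps: a 2652-byte UDP payload plus its 8-byte header is 2660 bytes of IP payload, which a 1500-byte MTU splits into 1480@0 (Total Length 1500, MF set) and 1180@1480 (Total Length 1200, offset field 185). The same check run on a capture that is missing a fragment reports the datagram as incomplete, which is the condition a firewall's fragment table has to time out rather than forward.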

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7

