Using overlapping IP fragmentation to avoid detection by an IDS has been around for a long time. We know how to solve this problem. The best option in my opinion is to use a tool such as OpenBSD's pf packet filter [1] to scrub our packets, eliminating all the fragments (pfSense [2] makes this easy to deploy). However, this option is not without its caveats [3]. You could simply configure your IDS to alert on and/or drop any overlapping fragmented packets; overlapping fragments should not exist in normal traffic. Another option is to configure the IDS to reassemble the packets the same way the endpoint reassembles them. Snort's frag3 preprocessor will reassemble the packets based on the OS of the target IP and successfully detect any fragmented attacks that would work against a given target host. Problem solved, right?

There is another opportunity for attackers to use differences between fragment reassembly engines to their advantage. What happens when the IDS analyst turns to their full packet capture to understand the attack? If the analyst's tools reassemble the packets differently than the target OS does, the analyst may incorrectly dismiss a TRUE positive as a FALSE positive.

Today, with the low cost of disk drives, more and more organizations can afford to maintain full packet captures of everything that goes in and out of their network. If you are not running full packet capture, you really should look into it. I don't think there is a better way to understand attacks on your network than having full packet captures. One great option is to install Daemonlogger [4] on the Linux/BSD distribution of your choice. This was an option I used for many years. Today, I use the Security Onion distro [5] by Doug Burks. If you want a free IDS with full packet capture that you can quickly and easily deploy, Security Onion is a great option.

Once you have the full packet capture, how do you find the fragmented attacks? You could try reassembling them with Wireshark.
Let's check that out and see what happens. Security Onion has scapy installed so let's use that to generate some overlapping fragments. I'll generate the classic overlapped fragment pattern illustrated by the paper “Active Mapping: Resisting NIDS Evasion Without Altering Traffic” by Umesh Shankar and Vern Paxson [6] and then further explained in “Target Based Fragmentation Assembly” by Judy Novak [7]. Now open up our "fragmentpattern.pcap" with Wireshark and see what we see.
Now you can see exactly what the IDS saw and make the correct decision when analyzing your packet captures. If using the Onion isn't an option for you, you can download reassembler.py directly from my SVN: http://baggett-scripts.googlecode.com/svn/trunk/reassembler/. How do you handle this? What are some other ways to solve this problem? Leave a comment.
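As an added illustration of why an analyst's tool and the target host can disagree, here is a small Python model of the reassembly policies described in the Shankar/Paxson and Novak papers. It is not reassembler.py and not any OS's real reassembly code; it is a simplified byte-by-byte model (first, last, bsd, bsd-right, linux) run over constructed fragments, so the sample offsets and payload letters are assumptions chosen to make every policy produce a different result.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int  # byte offset of this fragment's payload (the IP header stores it in 8-byte units)
    data: bytes

# Byte-level model of the reassembly policies described by Shankar/Paxson and Novak.
# Fragments are processed in arrival order; each rule decides whether a byte already
# claimed by an earlier fragment (orig) survives when a later fragment (new) overlaps it.
POLICIES = {
    "first": lambda orig, new: True,                         # earlier data always wins (e.g. Windows)
    "last": lambda orig, new: False,                         # later data always wins
    "bsd": lambda orig, new: orig.offset <= new.offset,      # earlier wins unless the later one starts before it
    "bsd-right": lambda orig, new: orig.offset > new.offset, # mirror image of bsd
    "linux": lambda orig, new: orig.offset < new.offset,     # like bsd, but an equal offset goes to the later fragment
}

def reassemble(fragments, policy):
    """Return the payload a host using `policy` would see (b'?' marks a gap)."""
    keep_orig = POLICIES[policy]
    owner = {}  # byte position -> Fragment currently holding that byte
    for new in fragments:
        for i in range(len(new.data)):
            pos = new.offset + i
            if pos in owner and keep_orig(owner[pos], new):
                continue
            owner[pos] = new
    out = bytearray(b"?" * (max(owner) + 1)) if owner else bytearray()
    for pos, frag in owner.items():
        out[pos] = frag.data[pos - frag.offset]
    return bytes(out)

def reassemble_all(fragments):
    """One view per policy; if they differ, an analyst tool and the target may disagree."""
    return {name: reassemble(fragments, name) for name in POLICIES}

# Constructed sample (not real traffic): six fragments in arrival order, covering the
# three overlap shapes that separate the policies (later fragment starting after,
# before, and at the same offset as the data it overlaps).
SAMPLE = [
    Fragment(0, b"A" * 8), Fragment(8, b"B" * 8), Fragment(4, b"C" * 8),
    Fragment(16, b"D" * 8), Fragment(12, b"E" * 8), Fragment(16, b"F" * 8),
]

if __name__ == "__main__":
    for name, payload in reassemble_all(SAMPLE).items():
        print(f"{name:>9}: {payload.decode()}")
```

Feeding the same fragments through every policy side by side is the check to run before dismissing an alert: if the payload your tool shows differs from the one the target's policy yields, the IDS may have seen the real attack.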
Mark, ISC Handler, May 23rd 2012
I recently install Open Full Packet Capture (OpenFPC, www.openfpc.org) and have been very happy with it. OpenFPC is a wrapper around DaemonLogger that provides web and cli search and configuration.
John, May 23rd 2012
I have heard great things about that project and I have been wanting to try it myself. What view of overlapping fragments does it provide to the analyst?
Mark, ISC Handler, May 23rd 2012
"Overlapping fragments should not exist in normal traffic."
Key words being "should not." So many things we see that we "should not" see, but end up having to create exceptions for.
Dean, May 23rd 2012
We use the following to handle fragmented packets on our Linux firewalls:
# create a chain for fragments, rate-limit the logging, then drop
iptables -N fragged
iptables -A fragged -m limit --limit 2/minute -j LOG --log-prefix "IPT FRAGMENTS: "
iptables -A fragged -j DROP
# -f matches the second and later fragments of a fragmented IPv4 packet
iptables -I INPUT -f -j fragged
iptables -I FORWARD -f -j fragged
James, May 23rd 2012
Great tool Mark. I agree that it makes sense to allow your firewall to reassemble these before passing them on. Nmap has tons of options for testing out your current gear: http://nmap.org/book/man-bypass-firewalls-ids.html
James, May 24th 2012