rfc1858.txt
来自「RFC 的详细文档!」· 文本 代码 · 共 564 行 · 第 1/2 页
TXT
564 行
RFC 1858 Security Considerations - IP Fragment Filtering October 1995
RFC 815 outlines an improved datagram reassembly algorithm, but it
concerns itself primarily with filling gaps during the reassembly
process. This RFC remains mute on the issue of overlapping
fragments.
Thus, fully-compliant IP implementations are not guaranteed to be
immune to overlapping-fragment attacks. The 4.3 BSD reassembly
implementation takes care to avoid these attacks by forcing data from
lower-offset fragments to take precedence over data from higher-
offset fragments. However, not all IP implementations are based on
the original BSD code, and it is likely that some of them are
vulnerable.
4.1 Example of the Overlapping Fragment Attack
In this example, fragments are large enough to satisfy the minimum
size requirements described in the previous section. The filter
is configured to drop TCP connection request packets.
The first fragment contains values, e.g., SYN=0, ACK=1, that
enable it to pass through the filter unharmed.
The second fragment, with a fragment offset of eight octets,
contains TCP Flags that differ from those given in the first
fragment, e.g., SYN=1, ACK=0. Since this second fragment is not a
0-offset fragment, it will not be checked, and it, too will pass
through the filter.
The receiving host, if it conforms fully to the algorithms given
in RFC 791, will reconstitute the packet as a connection request
because the "bad" data arrived later.
Ziemba, Reed & Traina Informational [Page 6]
RFC 1858 Security Considerations - IP Fragment Filtering October 1995
FRAGMENT 1
IP HEADER
+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+
| | ... | Fragment Offset = 0 | ... | |
+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+
TCP HEADER
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Acknowledgment Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data | |U|A|P|R|S|F| |
| Offset| Reserved |R|C|S|S|Y|I| Window |
| | |G|K|H|T|N|N| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
.
.
.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| (Other data) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
FRAGMENT 2
IP HEADER
+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+
| | ... | Fragment Offset = 1 | ... | |
+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+
TCP HEADER
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Acknowledgment Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data | |U|A|P|R|S|F| |
| Offset| Reserved |R|C|S|S|Y|I| Window |
| | |G|K|H|T|N|N| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
.
.
.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| (Other data) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Ziemba, Reed & Traina Informational [Page 7]
RFC 1858 Security Considerations - IP Fragment Filtering October 1995
If the receiving host has a reassembly algorithm that prevents new
data from overwriting data received previously, we can send
Fragment 2 first, followed by Fragment 1, and accomplish the same
successful attack.
4.2 Prevention of the Overlapping Fragment Attack
Since no standard requires that an overlap-safe reassembly
algorithm be used, the potential vulnerability of hosts to this
attack is quite large.
By adopting a better strategy in a router's IP filtering code, one
can be assured of blocking this "attack". If the router's
filtering module enforces a minimum fragment offset for fragments
that have non-zero offsets, it can prevent overlaps in filter
parameter regions of the transport headers.
In the case of TCP, this minimum is sixteen octets, to ensure that
the TCP flags field is never contained in a non-zero-offset
fragment. If a TCP fragment has FO==1, it should be discarded
because it starts only eight octets into the transport header.
Conveniently, dropping FO==1 fragments also protects against the
tiny fragment attack, as discussed earlier.
RFC 791 demands that an IP stack must be capable of passing an 8
byte IP data payload without further fragmentation (fragments sit
on 8 byte boundaries). Since an IP header can be up to 60 bytes
long (including options), this means that the minimum MTU on a
link should be 68 bytes.
A typical IP header is only 20 bytes long and can therefore carry
48 bytes of data. No one in the real world should EVER be
generating a TCP packet with FO=1, as it would require both that a
previous system fragmenting IP data down to the 8 byte minimum and
a 60 byte IP header.
A general algorithm, then, for ensuring that filters work in the
face of both the tiny fragment attack and the overlapping fragment
attack is:
IF FO=1 and PROTOCOL=TCP then
DROP PACKET
If filtering based on fields in other transport protocol headers
is provided in a router, the minimum could be greater, depending
on the position of those fields in the header. In particular, if
filtering is permitted on data beyond the sixteenth octet of the
transport header, either because of a flexible user interface or
Ziemba, Reed & Traina Informational [Page 8]
RFC 1858 Security Considerations - IP Fragment Filtering October 1995
the implementation of filters for some new transport protocol,
dropping packets with FO==1 might not be sufficient.
5. Security Considerations
This memo is concerned entirely with the security implications of
filtering fragmented IP packets.
6. Acknowledgements
The attack scenarios described above grew from discussions that took
place on the firewalls mailing list during May of 1995. Participants
included: Darren Reed <avalon@coombs.anu.edu.au>, Tom Fitzgerald
<fitz@wang.com>, and Paul Traina <pst@cisco.com>.
7. References
[1] Mogul, J., "Simple and Flexible Datagram Access Controls for
Unix-based Gateways", Digital Equipment Corporation, March 1989.
[2] Postel, J., Editor, "Internet Protocol - DARPA Internet Program
Protocol Specification", STD 5, RFC 791, USC/Information Sciences
Institute, September 1981.
[3] Postel, J., Editor, "Transmission Control Protocol - DARPA
Internet Program Protocol Specification", STD 7, RFC 793,
USC/Information Sciences Institute, September 1981.
[4] Clark, D., "IP Datagram Reassembly Algorithms", RFC 815, MIT
Laboratory for Computer Science/Computer Systems and
Communications Group, July 1982.
Ziemba, Reed & Traina Informational [Page 9]
RFC 1858 Security Considerations - IP Fragment Filtering October 1995
Authors' Addresses
G. Paul Ziemba
Alantec
2115 O'Nel Drive
San Jose, CA 95131
EMail: paul@alantec.com
Darren Reed
Cybersource
1275A Malvern Rd
Melbourne, Vic 3144
Australia
EMail: darrenr@cyber.com.au
Paul Traina
cisco Systems, Inc.
170 W. Tasman Dr.
San Jose, CA 95028
EMail: pst@cisco.com
Ziemba, Reed & Traina Informational [Page 10]
⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?