Packet filtering seems simple enough on the surface, but unless you understand what is happening inside the router or firewall, you may miss a gigantic hole in your perimeter defenses. For example, your system is slowing down. You have a firewall or filtering router configured to block junk packets, and you tested it and found it to be working fine. So why does your router or firewall appear to be swamped with junk packets?
The problem may be datagram fragmentation. Datagram fragmentation occurs when data packets larger than the maximum length a particular system can handle are routed over a network. For example, the maximum transmission unit (MTU) for a particular system may be 1,500 bytes (Ethernet). If a 4,000-byte packet has to pass through the system, it must first be broken down into smaller pieces, which are eventually reassembled at the destination. This can happen multiple times as a large data packet traverses the Internet and passes through systems with different capabilities.
If your filtering device does not store and reassemble datagram fragments, it will block the initial fragment containing the offending protocol header but will pass all the remaining fragments. By the time the remaining fragments arrive, it will have "forgotten" the state of the initial fragment header. Also, because we are dealing with the Internet, the fragments may have come from different paths, and the initial fragment may not be the first to arrive. In any case, you end up with massive numbers of fragments, all without their initial header fragment. When this is simply the byproduct of normal fragmentation, the router will time out without clogging up your system. Unfortunately, you might not be dealing with this kind of "innocent" fragmentation.
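The two paragraphs above describe the mechanics (a 4,000-byte datagram split at a 1,500-byte MTU) and the consequence for a filter that cannot reassemble (only the fragment at offset 0 carries the TCP header, so a port rule has nothing to check on the rest). The following toy model, written for this page and not taken from the column, fragments a constructed TCP segment the way IPv4 does (offsets in 8-byte units, MF flag), runs the fragments through a stateless filter, and then through a filter that keys state on (source, destination, IP identification) and holds header-less fragments until their header fragment arrives or the entry times out. Addresses, ports, the identification value and the segment contents are all constructed; the IP header itself is not built, since only the fields the filter consults are modelled.

```python
"""Added example (not from the column): a toy model of IPv4 fragmentation and of
two fragment-filtering strategies, showing why a stateless filter passes every
fragment except the one carrying the transport header."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

IP_HDR = 20   # bytes: standard IPv4 header without options (as the column states)
MTU = 1500    # bytes: Ethernet MTU used in the column's example


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int       # IP identification field, shared by all fragments of one datagram
    offset: int      # fragment offset in 8-byte units, exactly as carried in the IP header
    more: bool       # the More Fragments (MF) flag
    payload: bytes   # transport header (offset 0 only) plus a slice of the data


def tcp_header(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header with only the port fields filled in (constructed)."""
    return sport.to_bytes(2, "big") + dport.to_bytes(2, "big") + bytes(16)


def fragment(src: str, dst: str, ident: int, transport: bytes, mtu: int = MTU) -> List[Fragment]:
    """Split one datagram's IP payload into fragments that fit the MTU.
    Every fragment but the last must carry a multiple of 8 data bytes."""
    max_data = (mtu - IP_HDR) // 8 * 8
    frags, pos = [], 0
    while pos < len(transport):
        chunk = transport[pos:pos + max_data]
        more = pos + len(chunk) < len(transport)
        frags.append(Fragment(src, dst, ident, pos // 8, more, chunk))
        pos += len(chunk)
    return frags


def stateless_filter(frag: Fragment, blocked_ports) -> str:
    """A filter with no memory: it can read the TCP destination port only from the
    fragment at offset 0 and has nothing to evaluate on any other fragment."""
    if frag.offset == 0 and len(frag.payload) >= 4:
        dport = int.from_bytes(frag.payload[2:4], "big")
        if dport in blocked_ports:
            return "drop"
    return "pass"


class ReassemblingFilter:
    """Tracks fragments per (src, dst, ident) and applies one verdict to the whole
    datagram. Fragments that arrive before their header fragment are held, not
    forwarded; the timeout is measured from the first fragment seen, so later
    fragments for the same datagram cannot keep an entry alive indefinitely."""

    def __init__(self, blocked_ports, timeout: float = 30.0):
        self.blocked = set(blocked_ports)
        self.timeout = timeout
        self.verdict: Dict[Tuple[str, str, int], Tuple[str, float]] = {}        # key -> (verdict, first_seen)
        self.pending: Dict[Tuple[str, str, int], Tuple[List[Fragment], float]] = {}  # key -> (held, first_seen)

    def expire(self, now: float) -> None:
        """Drop state (and any held fragments) older than the timeout."""
        for table in (self.verdict, self.pending):
            for key in [k for k, v in table.items() if now - v[1] > self.timeout]:
                del table[key]

    def process(self, frag: Fragment, now: float) -> List[Tuple[Fragment, str]]:
        """Return the (fragment, verdict) pairs that may be forwarded or dropped now."""
        self.expire(now)
        key = (frag.src, frag.dst, frag.ident)
        if frag.offset == 0 and not frag.more:          # unfragmented datagram
            return [(frag, stateless_filter(frag, self.blocked))]
        if frag.offset == 0:                             # header fragment: decide the datagram
            verdict = stateless_filter(frag, self.blocked)
            self.verdict[key] = (verdict, now)
            held, _ = self.pending.pop(key, ([], now))
            return [(f, verdict) for f in held + [frag]]
        if key in self.verdict:                          # header already seen: reuse verdict
            return [(frag, self.verdict[key][0])]
        held, first_seen = self.pending.get(key, ([], now))
        self.pending[key] = (held + [frag], first_seen)  # hold until the header fragment arrives
        return []


def demo() -> dict:
    """Run the column's scenario: a 4,000-byte payload to a blocked port at a 1,500-byte MTU."""
    transport = tcp_header(40000, 23) + b"A" * 4000    # constructed 4,020-byte TCP segment
    frags = fragment("198.51.100.7", "192.0.2.10", ident=0x1234, transport=transport)
    blocked = {23}
    stateless = [stateless_filter(f, blocked) for f in frags]
    rf = ReassemblingFilter(blocked)
    in_order = [v for f in frags for _, v in rf.process(f, now=0.0)]
    rf = ReassemblingFilter(blocked)
    out_of_order = [v for f in reversed(frags) for _, v in rf.process(f, now=0.0)]
    rf = ReassemblingFilter(blocked, timeout=30.0)      # header fragment never arrives
    orphans = rf.process(frags[1], now=0.0) + rf.process(frags[2], now=31.0)
    rf.expire(now=62.0)
    return {"fragments": len(frags), "stateless": stateless, "in_order": in_order,
            "out_of_order": out_of_order, "orphans_forwarded": len(orphans),
            "pending_after_expiry": len(rf.pending)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stateless filter drops only the first of the three fragments and forwards the two header-less ones, which is the "forgotten" state the column describes; the reassembling filter drops all three whether or not the header fragment arrives first, and header-less fragments whose header never arrives are never forwarded and are discarded when the entry expires. Keying the timeout on first-seen time rather than last-seen time is the detail to check on a real device, since a timer that is refreshed by every fragment can be kept alive by a steady trickle of fragments.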
Hackers work around your packet filter by routing packets to your system using standard protocols. For example, their malicious packet will have the standard Internet Protocol (IP) header of 20 bytes. The packets they send are large enough to cause datagram fragmentation. The IP header is cloned onto every fragment, but other important information, such as the Transmission Control Protocol (TCP) or Internet Control Message Protocol (ICMP) header, is not attached to each of the fragments.
IP is not a reliable transport protocol, and you can easily end up with incomplete datagram fragments. An innocent fragment won't clog your system, because the router will just time out. However, a hacker can use several tricks to fool the router to prevent it from timing out. So you need to be on the lookout to determine whether fragment traffic constitutes an attack or is just network "noise."
About the only real defense against malicious packets is to avoid using stateless packet filtering devices. However, that is going to be expensive, and not every IT budget can afford it. In a future column, I will go into more detail about malicious fragmentation and suggest ways you might be able to determine if a flood of suspicious fragments is part of an attack or just an accident.