tcp packet fragment attacks against firewalls and filters.txt
***********************************************************************
ADVISORY: TCP packet fragment attacks against firewalls and filters
System: TCP/IP networks
Source: http://all.net, Dr. Frederick B. Cohen
***********************************************************************

Packet Fragmentation Attacks

Introduction to Packet Fragmentation

Packet fragmentation is the part of the Internet Protocol (IP) suite of networking protocols that assures that IP datagrams can flow through any other sort of network. (For details, see Internet Request For Comments 791 (rfc791), which is available and searchable in electronic form from Info-Sec Heaven on the World-Wide-Web at http://all.net, through gopher service at all.net, or by ftp service from rs.internic.net.) Fragmentation works by allowing datagrams created as a single packet to be split into many smaller packets for transmission and reassembled at the receiving host.

Packet fragmentation is necessary because, underlying the IP protocol, other physical and/or logical protocols are used to transport packets through networks. A good example of this phenomenon is the difference between Ethernet packets (which are limited to 1024 bytes), ATM packets (which are limited to 56 bytes), and IP packets, which have variable sizes up to about 1/2 million bytes in length.

The only exception to this rule is in the case of an internet datagram marked "don't fragment". Any internet datagram marked in this way is supposed to not be fragmented under any circumstances. If internet datagrams marked "don't fragment" cannot be delivered to their destination without being fragmented, they are supposed to be discarded instead. Of course, this rule doesn't have to be obeyed by the IP software actually processing packets, but it is supposed to be.

How Packet Reassembly Attacks Work

The packet fragmentation mechanism leads to attacks that bypass many current Internet firewalls, but the reason these attacks work is not because of the way fragmentation is done, but rather because of the way datagrams are reassembled.

Datagrams are supposed to be fragmented into packets that leave the header portion of the packet intact except for the modification of the fragmented-packet bit and the filling in of an offset field in the IP header that indicates at which byte in the whole datagram the current packet is supposed to start. In reassembly, the IP reassembler creates a temporary packet with the fragmented part of the datagram in place and adds incoming fragments by placing their data fields at the specified offsets within the datagram being reassembled. Once the whole datagram is reassembled, it is processed as if it came in as a single packet.

According to the IP specification, fragmented packets are to be reassembled at the receiving host. This presumably means that they are not supposed to be reassembled at intermediate sites such as firewalls or routers. This decision was made presumably to prevent repeated reassembly and refragmentation in intermediate networks. When routers and firewalls followed the rules, they found a peculiar problem.

The way firewalls and routers block specific services (such as telnet) while allowing other services (such as the World Wide Web http service) is by looking into the IP packet to determine which Transfer Control Protocol (TCP) port is being used. If the port corresponds to 80, the datagram is destined for http service, while port 23 is used for telnet. In normal datagrams, this works fine. But suppose we didn't follow the rules for fragmentation and created improper fragmented packets? Here's what one attacker did:

 * Create an initial packet which claims to be the first fragment of a multi-packet datagram. Specify TCP port 80 in the TCP header so it looks like a datagram going to http service, which is allowed to pass the firewall.

 * The firewall passes the packet to the host under attack and passes subsequent packet fragments in order to allow the destination host to reassemble the packet.

 * One of the subsequent packets has an offset of 0, which causes the reassembler to overwrite the initial part of the IP packet. This is the part of the IP packet that specifies the TCP port. The attacker overwrites the IP port number, which was originally 80, with a new port number such as 23, and is now granted telnet access to the host under attack despite the firewall that is supposed to block the service.
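The following Python model is an added illustration and is not part of the advisory. It simulates the reassembly behaviour the advisory describes (a later fragment silently overwrites bytes placed by an earlier one), a "naive" filter that inspects only the first fragment and forwards the rest, and a hardened filter that applies the checks later standardised in RFC 1858: the first fragment must carry the whole TCP header, no fragment may start at offset 1, and no fragment may overlap bytes already accepted. The Fragment class, the sample fragments, the 20-byte header assumption and the function names are all constructed here for the demonstration.

```python
"""Model of IP fragment reassembly and of two fragment-filtering policies.

Added illustration, not code from the advisory. Fragments are modelled as
(offset, MF, data); the offset is in 8-byte units exactly as in the IP header.
"""
import struct
from dataclasses import dataclass

TCP_HEADER_LEN = 20  # minimal TCP header without options (model assumption)


@dataclass
class Fragment:
    offset: int   # fragment offset field, in 8-byte units
    more: bool    # "more fragments" flag
    data: bytes   # this fragment's slice of the transport payload


def tcp_header(sport: int, dport: int) -> bytes:
    """Constructed 20-byte TCP SYN header (seq, ack and checksum zeroed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def dest_port(tcp_bytes: bytes) -> int:
    return struct.unpack("!H", tcp_bytes[2:4])[0]


def reassemble(frags) -> bytes:
    """Host-side reassembly with overwrite semantics: each fragment's data is
    copied to offset*8, and a later fragment replaces whatever was there."""
    buf = bytearray()
    for f in frags:
        start, end = f.offset * 8, f.offset * 8 + len(f.data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = f.data
    return bytes(buf)


def naive_filter(frags, allowed_ports) -> bool:
    """The firewall behaviour the advisory describes: inspect the TCP port in
    the first fragment, then forward all later fragments untouched."""
    first = frags[0]
    if first.offset != 0 or len(first.data) < 4:
        return False
    return dest_port(first.data) in allowed_ports


def hardened_filter(frags, allowed_ports):
    """Per-datagram state in the spirit of RFC 1858. Returns (verdict, reason)."""
    covered = []  # (start, end) byte ranges already accepted for this datagram
    for f in frags:
        start, end = f.offset * 8, f.offset * 8 + len(f.data)
        if f.offset == 0 and len(f.data) < TCP_HEADER_LEN:
            return False, "first fragment too short to hold the TCP header"
        if f.offset == 1:
            return False, "offset 1 would overwrite the TCP flags (RFC 1858)"
        if any(start < e and s < end for s, e in covered):
            return False, f"fragment at byte {start} overlaps data already received"
        if f.offset == 0 and dest_port(f.data) not in allowed_ports:
            return False, f"port {dest_port(f.data)} not allowed"
        covered.append((start, end))
    return True, "ok"


# Constructed sample: a legitimate request split into two fragments.
LEGIT = [
    Fragment(0, True, tcp_header(40000, 80) + b"GET / HTTP/1"),  # 32 bytes
    Fragment(4, False, b".0\r\n\r\n"),                            # byte 32 onward
]

# Constructed sample: the overwrite the advisory describes. A second
# offset-0 fragment replaces the header the firewall already inspected.
OVERWRITE = [
    Fragment(0, True, tcp_header(40000, 80) + b"GET / HTTP/1"),
    Fragment(0, True, tcp_header(40000, 23) + b"xxxxxxxxxxxx"),
    Fragment(4, False, b".0\r\n\r\n"),
]


def evaluate(frags, allowed=frozenset({80})) -> dict:
    """What the naive firewall decided, what port the host sees after
    reassembly, and what the hardened filter decided."""
    return {
        "naive_passes": naive_filter(frags, allowed),
        "reassembled_port": dest_port(reassemble(frags)),
        "hardened": hardened_filter(frags, allowed),
    }


if __name__ == "__main__":
    for name, frags in (("legit", LEGIT), ("overwrite", OVERWRITE)):
        print(name, evaluate(frags))
```

For the legitimate datagram both filters agree and the host sees port 80; for the overwriting sequence the naive filter passes it while the host reassembles a datagram addressed to port 23, and the hardened filter rejects the second fragment as an overlap. The practical lesson is that a fragment filter must keep per-datagram state (or drop fragments outright for services it means to block) rather than trusting the first fragment alone.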