Breaking up the Attack
First Published: X-Force Monthly Magazine

For several years now, some of the more advanced commercial penetration testing tools have made use of packet fragmentation techniques to obfuscate vulnerability checks or exploit attempts in an attempt to bypass legacy firewall and intrusion detection systems.  In most cases, depending upon the actual security device defending the network, there are typically multiple fragmentation techniques and packet size combinations capable of squeezing exploit material past each class of protection device on a network.

 As customers continue to deploy and rely upon ever more advanced intrusion prevention systems which automatically block malicious attacks, there has been an increase in testing requirements to use tools that employ a diverse array of fragmentation techniques.  By making use of multiple packet fragmentation techniques, the security consultant is not only able to test the security of the targeted host, but also the robustness of the network-based protection system.

 Depending upon the networking protocol being used by the vulnerable service under investigation, there are specific fragmentation techniques which are more successful than others.  For example, the technique of overlapping packet fragments so that subsequent packets overwrite a few bytes of the previous packet tend to be effective for text based protocols such as HTTP.  However, by using tools that provide additional obfuscation techniques in combination to fragmentation (e.g. using chunked encoding within a HTTP POST packet), the security consultant has a higher probability of remaining undetected and delivering an exploit payload.  In fact the combination of overlapping packet fragments and chunked encoding is such a successful combination for delivering a payload to web server that it will bypass many current generation network protection systems.

 In the past many penetration testing clients have been surprised to learn that these fragmentation techniques can be used so successfully to bypass their network security.  The process of reassembling fragmented packets and identifying their malicious payloads can be very difficult, as well as dangerous for the protection device, as evidenced by the numerous security alerts published on mailing lists such as Bugtraq and Full-disclosure.  Protection systems that rely upon string matching and regular expression engines tend to suffer the most, and a re consequently the easiest to defeat. 

 From a penetration testers perspective the adage “fragmentation is my friend” is quite appropriate.  In several tests not only could fragmentation be used to slip exploit payloads past perimeter defenses, but it could also be used tunnel data and banned network traffic out of the organization – for example, accessing external instant messenger services and transferring files.

 While there have been a number of open-source or free attack tools specializing in the use of packet fragmentation for many years, and there have been some “boutique” commercial penetration tools for the last few years, many of the new tools used by attackers provide packet fragmentation as standard and can be tuned just by selecting a few tick-boxes.

 Therefore it is becoming increasingly important that organizations correctly identify network traffic that utilizes packet fragmentation to hide attacks, and that their protection systems are “up to the job”.  With the near ubiquitous deployment of network detection systems, not only are malicious attackers utilizing packet fragmentation to obfuscate their attacks, but several automated worms and bots now also come fully equipped with an array of fragmentation routines ready for use.

 The expectation is that specialist packet fragmentation techniques will become more prevalent and be included by default in most tools or applications.  Consequently security professionals will increasingly need to understand the different techniques and be capable of not only detecting their usage, but also regularly employ them in testing their network defenses.

    Copyright 2001-2007 © Gunter Ollmann