Network congestion at a company: an IP Fragment attack

Source: Internet
Author: User

1. Fault description:

According to Company B's internal staff, Company B's Internet access is very slow. Company A's monitoring equipment has raised a warning that the traffic coming from Company B is too large.

2. Network topology:

Company A's situation is unknown. Only the fiber access, a firewall, and the monitoring equipment are known.

Company B runs a fiber link from Company A and shares the Internet through a dual-NIC server. The server's outer NIC has a public IP address.

3. Preliminary judgment:

Company B's network is not big, about 20 machines. Because the Internet is shared through the server, we can use traffic analysis software to capture packets on the server for analysis.

The traffic is too high. In general this means someone is downloading, but it may also be caused by a virus infection or a malicious attack.

4. Detailed analysis:

(1) During diagnosis there are too many TCP connection resets and TCP retransmission packets, which may be caused by downloads or by a virus. For details, see:

(2) Moving on to the "Endpoint" tab, we find an abnormal machine with IP address 192.168.0.66 among the local hosts. Its traffic is far too high: in about 20 minutes the traffic reaches 1.5 GB, and it is basically all sent packets.

(3) Now we can basically conclude that the culprit is 192.168.0.66; the protocol with the most traffic on it is the one named "IP Fragment".

(4) Continuing to the "Session" tab, we find 1152290 packets sent from the machine with MAC address 00:13:A9:29:97:0F (192.168.0.66); its traffic per second is about 1.5 MB.

(5) Check the Matrix. Because there are too many nodes, create a "display option": click "Add" in "Display options", select 20 as the maximum number of nodes, and click "OK". Analyzing the selected 20 nodes, we find that the traffic of the machine with IP address 192.168.0.66 is large, and the number of connections of the machine with IP address 192.168.0.194 is large.

(6) I seldom look at the "Packet" tab when troubleshooting, because there are too many packets. After a specific host has been found, we analyze that host's packets separately, mainly looking at the structure and principle of these packets to understand them better.

(7) The "Log" tab is rarely used when troubleshooting, but sometimes it is used a lot, such as when someone is playing songs.

(8) The "Chart" tab also shows information about the current network, including utilization. Note that if the capture runs for a long time, you must select a matching value in the "Interval" item. For example, for a 30-minute capture, a 60-second interval lets you view all the information.

The capture lasted about 20 minutes. With the interval set to 1 second, the chart cannot convey the relevant information intuitively.

With a 30-second interval, the chart reflects the relevant information intuitively.

(9) The "Report" tab is very useful, especially for traffic-heavy faults: click "Top 10 local IP addresses by traffic". Obviously, the machine with IP address ending in .66 has the most traffic. The related information appears:

You can also check the top 10 physical addresses and remote addresses by traffic.

5. Troubleshooting

OK. After checking the relevant information, you have to locate the problem machine. The target IP address is 192.168.0.66. There are multiple methods; I usually use the following:

(1) Watch the switch port's data LED and pull the cable. Then someone will say, "Hey, my network is disconnected." Haha, it's you. This is a method I often use, but I did not use it for this fault, because the switch is mounted high up in the air, there is no ladder, and I wasn't going to stack chairs and climb up; if I accidentally fell down, forget it. I'm not married yet!

(2) Query the machines one by one, provided that you do not miss any. It's troublesome; I won't do it anyway.

(3) I will not talk about ARP attacks against individual machines, their principles, and how to use them; read the articles on the forum and use Kelai more. I used this method this time, but unfortunately it has two fatal weaknesses in this case: if someone has installed an ARP firewall, or if nobody is at the computer, you can wait until the flowers wilt and it will be useless. Unfortunately, I met both.

(4) Finally, I used the second method, sent out N people, and got through the twenty-odd computers quickly.

(5) I will not talk about how to kill the virus. I used NOD32 Green Edition, WinPE plus Autoruns, and 360 Security Guard. I have no idea which one did the removing; N-plus Trojans were removed.

(6) I also found that the number of connections of the machine with IP address 192.168.0.194 was large. For safety's sake I checked it too, and found it was not something to worry about: it is normal for Thunder to open more than 100 connections.

6. Summary

I personally think this should be an attack. The target is not Company A or Company B; a zombie captured in Company B was launching a vicious attack on IP address 38.100.174.196, and the attack type should be an IP Fragment attack.

7. Learn about the IP Fragment attack in this case:

IP fragmentation is a common technical method used to transmit IP packets over the network, but it carries some security risks. Ping of Death, teardrop, and other attacks can cause some systems to crash or restart while reassembling IP fragments. More recently, IP fragment attacks are used not only for DoS but also, quite often, to evade firewalls or network intrusion detection systems: some routers and network-based intrusion detection systems (NIDS) cannot filter or detect properly because they lack IP fragment reassembly capability. In this article, we start with the basic concepts of IP fragmentation, then discuss in detail some methods used by fragmentation-based attacks and by attempts to bypass intrusion detection systems.

When transmitting packets, the IP protocol may divide a packet into several parts for transmission and reassemble them on the destination system. This process is called fragmentation. Fragmentation occurs when the size of the IP packet to be transmitted exceeds the Maximum Transmission Unit (MTU). For example, in an Ethernet environment, the maximum IP packet size that can be transmitted (the MTU) is 1500 bytes.

If the size of the packet to be transmitted exceeds 1500 bytes, the packet must be fragmented before transmission. It can be seen that IP fragmentation is a frequent event in a network environment. However, fragments that are maliciously manipulated by a person can cause a denial-of-service attack or become a method of attacking routers, firewalls, or network intrusion detection systems (NIDS).

To properly reassemble the packets after they reach the target host, each fragment carries the following information:

* Each IP fragment is reassembled based on the IP identification number; fragments with the same identification number are reassembled into the same IP packet. The IP identification field is 16 bits long and is called the "IP identification number" or "fragm
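The following is an added example, not code from the original post and not part of the Kelai analyser the post uses. It shows in plain Python what the previous paragraphs describe, the IPv4 fragmentation fields (identification, the MF flag, the 13-bit offset counted in 8-byte units) and reassembly by (source, destination, identification, protocol), and it also reproduces the two checks from the "Detailed analysis" section: a per-source fragment traffic report like the Endpoint/Report tabs that singled out 192.168.0.66, and detection of overlapping fragments of the teardrop kind mentioned above. The traffic is constructed inline (the 192.168.0.66, 192.168.0.194 and 38.100.174.196 addresses come from the article; 203.0.113.5, the UDP protocol number, the 4000-byte datagrams and the 10-second window are assumptions for the demo). Only the standard library is used.

```python
import socket
import struct
from collections import defaultdict

MTU = 1500                               # Ethernet MTU, as stated in the article
HLEN = 20                                # IPv4 header without options (IHL = 5)
MF = 0x2000                              # "More Fragments" bit in flags/offset (DF is 0x4000)
OFFSET_MASK = 0x1FFF                     # 13-bit fragment offset, counted in 8-byte units
MAX_FRAG_DATA = (MTU - HLEN) // 8 * 8    # 1480 bytes: largest payload one fragment can carry


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of the 20-byte header; a valid header sums to 0."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, ident, flags_offset, payload, proto=17):
    """Serialise one IPv4 packet (IHL 5, TTL 64, UDP by default) carrying payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, HLEN + len(payload), ident,
                      flags_offset, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment(src, dst, ident, payload, proto=17):
    """Split a datagram larger than the MTU into on-wire fragments: every
    fragment but the last sets MF, and the offset field counts 8-byte units."""
    frags = []
    for pos in range(0, len(payload), MAX_FRAG_DATA):
        chunk = payload[pos:pos + MAX_FRAG_DATA]
        more = MF if pos + len(chunk) < len(payload) else 0
        frags.append(build_packet(src, dst, ident, more | (pos // 8), chunk, proto))
    return frags


def parse(pkt: bytes) -> dict:
    """Decode the header fields a reassembler and a traffic report need."""
    ver_ihl, _tos, total, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:HLEN])
    if ver_ihl != 0x45 or ip_checksum(pkt[:HLEN]) != 0:
        raise ValueError("expected an IPv4 header without options and a good checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "id": ident,
            "proto": proto, "mf": bool(flags_off & MF),
            "offset": (flags_off & OFFSET_MASK) * 8, "length": total,
            "payload": pkt[HLEN:total]}


def is_fragment(p: dict) -> bool:
    return p["mf"] or p["offset"] > 0


def reassemble(packets):
    """Group fragments by (src, dst, id, proto) and rebuild each datagram.
    Returns (datagrams, anomalies); an anomaly is (key, reason)."""
    groups = defaultdict(list)
    for p in filter(is_fragment, packets):
        groups[(p["src"], p["dst"], p["id"], p["proto"])].append(p)
    datagrams, anomalies = {}, []
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])      # arrival order is not trusted
        buf, expected = bytearray(), 0
        for f in frags:
            if f["offset"] < expected:             # teardrop-style overlap
                anomalies.append((key, "overlapping fragment"))
                break
            if f["offset"] > expected:             # a fragment is missing
                anomalies.append((key, "hole in fragment sequence"))
                break
            buf += f["payload"]
            expected += len(f["payload"])
        else:
            if frags[-1]["mf"]:
                anomalies.append((key, "final fragment never seen"))
            else:
                datagrams[key] = bytes(buf)
    return datagrams, anomalies


def fragment_stats(packets, duration_s):
    """Per-source fragment count, bytes and rates: what the Endpoint tab showed."""
    stats = defaultdict(lambda: {"frags": 0, "bytes": 0})
    for p in filter(is_fragment, packets):
        stats[p["src"]]["frags"] += 1
        stats[p["src"]]["bytes"] += p["length"]
    for s in stats.values():
        s["pps"] = s["frags"] / duration_s
        s["Bps"] = s["bytes"] / duration_s
    return dict(stats)


def top_fragment_sources(stats, n=10):
    """The 'top N local addresses by traffic' report, restricted to fragments."""
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


def constructed_capture():
    """Constructed sample traffic, not a real capture: one LAN host floods a
    remote target with fragmented 4000-byte datagrams, another host does a
    normal 3000-byte transfer, and the flooder also emits an overlapping pair."""
    bot, target = socket.inet_aton("192.168.0.66"), socket.inet_aton("38.100.174.196")
    host, peer = socket.inet_aton("192.168.0.194"), socket.inet_aton("203.0.113.5")
    pkts = []
    for ident in range(40):
        pkts += fragment(bot, target, ident, bytes([ident]) * 4000)
    pkts += fragment(host, peer, 7, b"N" * 3000)
    pkts.append(build_packet(bot, target, 999, MF | 0, b"A" * 1480))  # covers bytes 0..1479
    pkts.append(build_packet(bot, target, 999, 1, b"B" * 64))         # claims offset 8: overlap
    return pkts[::-1]                       # reversed on purpose to exercise the sort


if __name__ == "__main__":
    parsed = [parse(p) for p in constructed_capture()]
    datagrams, anomalies = reassemble(parsed)
    print(f"{len(datagrams)} datagrams reassembled; anomalies: {anomalies}")
    for src, s in top_fragment_sources(fragment_stats(parsed, duration_s=10.0)):
        print(f"{src:16} {s['frags']:5d} fragments {s['bytes']:8d} bytes {s['Bps']:9.1f} B/s")
```

Run it as a script to see the report: the flooding host comes out on top by fragment bytes, the normal transfer reassembles cleanly, and the overlapping pair is reported instead of being merged, which is the behaviour a reassembling firewall or NIDS needs in order not to be fooled by the fragment tricks the paragraph above describes. To apply the same logic to a real capture, feed `parse` the IPv4 payload of each Ethernet frame (offset 14 in a pcap frame) and set `duration_s` to the capture length.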
