Implementation of IPV6 fragment recombination in intrusion detection system

Source: Internet
Author: User

Web technology has driven the Internet to grow at a startling rate. Ten years ago, people concerned with the future expansion of the Internet began to worry that the limitations of the IPv4 network would make that growth difficult to sustain. In response, the IETF launched a new generation of the Internet Protocol, IPv6. Compared with IPv4, IPv6 offers a number of new features, such as an expanded address space, built-in security options, and automatic address configuration.

The development of IPv6 has been supported by many equipment manufacturers, and research and deployment based on IPv6 has even been raised to the national level. The United States Department of Defense's IPv6 deployment schedule calls for IPv6 and IPv4 to run side by side from 2005 to 2007, with a comprehensive IPv6 transition planned for 2008. Europe, Japan and South Korea have also launched a large amount of IPv6-related research, and a variety of experimental networks and pilot commercial IPv6 networks have been opened. In March 2004 the first next-generation Internet backbone, CERNET2, was officially opened and began providing services, becoming the world's largest IPv6 national backbone network.

With the gradual adoption of IPv6, the security of the next-generation Internet has also been placed on the agenda, and this project was undertaken with that consideration in mind. Commissioned by the National Computer Network and Information Security Center, the project is mainly research into intrusion detection technology for the IPv6 backbone network, building a technical reserve for national computer network information security research in the IPv6 era.

This paper discusses how IP fragment attacks manifest in IPv6, the IPv6 fragment reassembly mechanism, and how to defend against IPv6 fragment attacks.

How IP fragment attacks manifest in IPv6

In general, every fragmentation attack known under IPv4 can be reproduced in IPv6; only the details of the mechanism differ.

When an IP packet to be transmitted exceeds the Maximum Transmission Unit (MTU) the link can carry, the original IP packet is split into several fragment packets, and the destination node reassembles them once every fragment belonging to the same original packet has arrived. Unlike IPv4, IPv6 fragmentation can only be performed at the source node, whereas in IPv4 intermediate nodes along the path (such as routers) may also fragment. IP fragment packets can be forwarded independently over different paths, so the order in which they arrive at the destination node does not necessarily match the order in which they left the source. Because the target system reassembles the IP fragment packets, a network intrusion detection system must also be able to reassemble fragmented IP packets; otherwise it cannot correctly detect attack data that is delivered to the protected network through IP fragmentation.

IP fragment attacks manifest in IPv6 much as they do in IPv4. The first form is an attacker deliberately disrupting the order in which the IP fragment packets arrive at the destination node. If the intrusion detection system assumes that fragments always arrive strictly in fragmentation order, it cannot correctly place each fragment during reassembly, and attack data is missed.

The second form concerns the buffering mechanism for fragment packets. Until every fragment belonging to the same original IP packet has arrived, the intrusion detection system must hold all previously received fragments in a buffer. An attacker may deliberately withhold one fragment of an original IP packet, or deliberately send a large number of fragment packets, so that the IP fragment reassembly module of the intrusion detection system consumes all of its memory, misses attack data, or even crashes.

The third form is the overlapping-fragment problem, which is also the hardest to deal with. In both IPv4 and IPv6 networks each fragment packet carries a fragment offset field that records where the fragment sits within the original packet, and by deliberately constructing wrong fragment offsets an attacker can make fragments overlap. The first strategy for resolving this is to keep the later-arriving fragment intact, so that it overwrites the overlapping region of the earlier fragment; the second strategy is to keep the earlier-arriving fragment intact and use only the non-overlapping part of the later fragment. Different host systems and different intrusion detection systems may make different choices. The direct consequence of overlap is that the intrusion detection system faces the dilemma of choosing earlier or later data: whichever strategy it adopts, it may miss attack data whenever its discard strategy differs from that of the host on the protected network.
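The three failure modes above (out-of-order arrival, buffer exhaustion and overlapping offsets) can all be exercised against a small reassembler. The following is an added example written for this page, not code from the original article or any IDS project. It parses the 8-byte IPv6 Fragment extension header (next header, reserved, 13-bit offset in 8-octet units plus the M flag, 32-bit identification), keys reassembly state by (source, destination, identification) as a destination host does, caps the number of in-flight flows so a withheld final fragment cannot grow memory without bound, and lets the caller pick a "favor_old" or "favor_new" overlap policy so the two strategies can be compared. The `Reassembler` class, its `policy` and `max_flows` parameters and the event strings it records are invented for the example; the constructed fragments at the bottom are sample input.

```python
"""Toy IPv6 fragment reassembler with IDS-style anomaly events (added example)."""
import struct
from typing import Dict, List, Optional, Tuple

FRAG_HDR_FMT = "!BBHI"                          # next hdr, reserved, offset/M, identification
FRAG_HDR_LEN = struct.calcsize(FRAG_HDR_FMT)    # 8 bytes (RFC 2460, section 4.5)
MAX_PACKET = 65535                              # largest non-jumbogram IPv6 payload


def build_fragment(ident: int, offset: int, more: bool, payload: bytes,
                   next_header: int = 6) -> bytes:
    """Fragment header + payload. offset is in bytes and must be 8-octet aligned;
    every fragment except the last must also carry an 8-octet multiple of data."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    if more and len(payload) % 8:
        raise ValueError("non-final fragments must carry a multiple of 8 octets")
    off_m = ((offset // 8) << 3) | (1 if more else 0)
    return struct.pack(FRAG_HDR_FMT, next_header, 0, off_m, ident) + payload


def parse_fragment(buf: bytes) -> Tuple[int, int, bool, int, bytes]:
    """Return (next_header, offset_bytes, more_flag, identification, payload)."""
    nh, _reserved, off_m, ident = struct.unpack(FRAG_HDR_FMT, buf[:FRAG_HDR_LEN])
    return nh, (off_m >> 3) * 8, bool(off_m & 1), ident, buf[FRAG_HDR_LEN:]


class Reassembler:
    """Hypothetical IDS reassembler. policy selects which bytes win on overlap;
    max_flows bounds the memory an attacker can pin with incomplete packets."""

    def __init__(self, policy: str = "favor_old", max_flows: int = 4) -> None:
        if policy not in ("favor_old", "favor_new"):
            raise ValueError("policy must be favor_old or favor_new")
        self.policy = policy
        self.max_flows = max_flows
        self.flows: Dict[tuple, dict] = {}
        self.events: List[str] = []             # anomalies worth alerting on

    def add(self, src: str, dst: str, frag: bytes) -> Optional[bytes]:
        """Feed one fragment; return the reassembled payload once it is complete."""
        nh, offset, more, ident, payload = parse_fragment(frag)
        end = offset + len(payload)
        if end > MAX_PACKET:                    # offset field pushed past 64 KiB
            self.events.append(f"oversize ident={ident}")
            return None
        key = (src, dst, ident)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.max_flows:
                # Refuse rather than grow: a real IDS would also expire old flows
                self.events.append(f"table_full ident={ident}")
                return None
            flow = self.flows[key] = {"data": bytearray(MAX_PACKET),
                                      "filled": bytearray(MAX_PACKET),
                                      "total": None, "nh": nh}
        if not more:                            # final fragment fixes total length
            flow["total"] = end
        if any(flow["filled"][offset:end]):     # some byte already claimed
            self.events.append(f"overlap ident={ident} offset={offset}")
        for i, byte in enumerate(payload):
            pos = offset + i
            if self.policy == "favor_new" or not flow["filled"][pos]:
                flow["data"][pos] = byte
                flow["filled"][pos] = 1
        total = flow["total"]
        if total is not None and all(flow["filled"][:total]):
            del self.flows[key]                 # release buffer once complete
            return bytes(flow["data"][:total])
        return None


if __name__ == "__main__":
    SRC, DST = "2001:db8::1", "2001:db8::2"    # constructed sample addresses
    # Constructed overlapping pair: bytes 8..16 are sent twice with different content
    first = build_fragment(7, 0, True, b"A" * 16)
    second = build_fragment(7, 8, False, b"B" * 8)
    for policy in ("favor_old", "favor_new"):
        r = Reassembler(policy)
        r.add(SRC, DST, first)
        print(policy, r.add(SRC, DST, second), r.events)
```

Running the script shows the dilemma from the text directly: the same two fragments reassemble to sixteen `A`s under "favor_old" and to eight `A`s followed by eight `B`s under "favor_new", and the overlap event fires in both cases, so an IDS can at least alert on the overlap even if it cannot know which view the protected host will take. A production reassembler would also expire incomplete flows on a timer (RFC 2460 specifies 60 seconds) rather than only capping their number.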
