Introduction to padding attacks and attack analysis
Principles
Padding attack: a padding (fill) attack is a network attack that deliberately stuffs useless filler bytes into the contents of packets in order to consume network bandwidth and system resources on the target.
It is worth noting that padding by itself is a normal part of network transmission. For example, an ARP message is 28 bytes long, and with the 14-byte Ethernet header the frame is 14 + 28 = 42 bytes. A 42-byte frame cannot be sent on Ethernet, which only allows frames of 64 to 1518 bytes (including the FCS). To put the ARP message on the wire, 18 bytes of padding are appended after it, and together with the 4-byte FCS the frame is exactly 64 bytes, the Ethernet minimum frame size.
Padding is also common in TCP SYN segments and bare ACK segments, which carry no data; there it serves only to bring the frame up to the Ethernet minimum.
Padding attacks mainly consume bandwidth and system resources, so the direct symptoms are a slow network, very high server CPU utilization, and difficulty in providing normal service. Below we look at two cases of padding attacks.
Case Analysis
UDP flood attacks are a type of DoS attack that consumes both network bandwidth and system resources. The main characteristics of such attacks are as follows:
The number of UDP sessions is very large; it can reach hundreds of thousands in a short time, far more than the number of TCP sessions.
There are many large packets in the network, and the packet sizes are uneven.
A large number of obviously padded packets can be seen in the packet contents.
In addition, datagrams are fragmented into many parts to create a large volume of traffic.
As we can see, the datagram with IP ID 0x2D44 is split into two fragments for transmission. Note that the second fragment carries no transport-layer header: only the first fragment contains the UDP header, and later fragments are pure data.
UDP flood also has a variant that uses very little data and aims at consuming system resources. The attacker sends requests to random UDP ports on the target host; when no process is listening on the port, the target's protocol stack is required to answer with an ICMP Destination Unreachable (Port Unreachable) error. In the capture, every UDP request is matched by an ICMP port unreachable error.
Each UDP request carries no payload, so the frame is only padded by the minimum of 18 bytes needed to meet the Ethernet minimum frame size. Small packets take less time to send, which favours sending a large number of them: more than 4000 UDP packets are sent within one second.
For every one of these UDP requests, the target system generates a port unreachable error, and generating and sending those errors is what consumes its resources.
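The two UDP cases described above, together with the 18-byte minimum-frame padding from the Principles section, as an added example that is not part of the original article: a small Python detector that decodes Ethernet/IPv4 frames, measures the link-layer padding after the IP datagram, flags repeated-byte filler payloads and fragments, and credits ICMP port unreachable errors back to the host whose request triggered them. The addresses, ports, thresholds (1000 packets per second; half of a host's packets being filler) and the capture itself are constructed for this example, and the code assumes untagged Ethernet II frames with the FCS already stripped.

```python
# Added example (not from the original article): offline detector for the two UDP
# padding-attack patterns above, run on constructed untagged Ethernet II/IPv4 frames
# whose FCS was already stripped by the capture driver.
import random
import socket
import struct
from collections import defaultdict

ETH_MIN_NO_FCS = 60  # 64-byte Ethernet minimum frame minus the 4-byte FCS

def build_ipv4(src, dst, proto, payload, ip_id=1, more_frags=False, frag_off=0):
    """IPv4 header without options (checksum left 0) in front of the payload."""
    flags_off = (0x2000 if more_frags else 0) | (frag_off // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, flags_off,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def build_icmp_port_unreach(orig_ip_packet):
    """ICMP type 3 code 3, quoting the offending IP header plus 8 bytes of UDP."""
    return struct.pack("!BBHI", 3, 3, 0, 0) + orig_ip_packet[:28]

def build_frame(ip_packet):
    """Ethernet II framing, padded to the 60-byte minimum the way a NIC does it."""
    frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip_packet
    return frame + b"\x00" * max(0, ETH_MIN_NO_FCS - len(frame))

def parse_frame(frame):
    """Decode the fields the detector needs from one IPv4 frame (None if not IPv4)."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    total_len, flags_off = struct.unpack("!H2xH", ip[2:8])
    proto, l4 = ip[9], ip[(ip[0] & 0x0F) * 4:total_len]
    rec = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "frame_len": len(frame), "eth_pad": len(frame) - 14 - total_len,  # link-layer padding
           "more_frags": bool(flags_off & 0x2000), "frag_off": (flags_off & 0x1FFF) * 8,
           "udp": None, "icmp_port_unreach": False, "payload": b""}
    if proto == 17 and rec["frag_off"] == 0 and len(l4) >= 8:
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        rec["udp"], rec["payload"] = (sport, dport), l4[8:ulen]
    elif proto == 1 and len(l4) >= 2:
        rec["icmp_port_unreach"] = (l4[0], l4[1]) == (3, 3)
    elif rec["frag_off"] > 0:
        rec["payload"] = l4  # later fragments carry no transport header, only data
    return rec

def is_filler(payload, min_len=16, ratio=0.9):  # (almost) one repeated byte value
    return len(payload) >= min_len and \
        max(payload.count(b) for b in set(payload)) / len(payload) >= ratio

def analyse(frames):
    """Per-source counters over (timestamp, frame) pairs; ICMP errors are credited to the sender."""
    stats = defaultdict(lambda: {"pkts": 0, "udp": 0, "frags": 0, "filler": 0,
                                 "bytes": 0, "unreach_back": 0, "first": None, "last": None})
    for ts, frame in frames:
        r = parse_frame(frame)
        if r is None:
            continue
        if r["icmp_port_unreach"]:
            stats[r["dst"]]["unreach_back"] += 1  # the host that triggered the error
            continue
        s = stats[r["src"]]
        s["pkts"] += 1
        s["bytes"] += r["frame_len"]
        s["udp"] += r["udp"] is not None
        s["frags"] += r["more_frags"] or r["frag_off"] > 0
        s["filler"] += is_filler(r["payload"])
        s["first"] = ts if s["first"] is None else s["first"]
        s["last"] = ts
    return stats

def classify(stats, pps_threshold=1000):
    verdicts = {}
    for src, s in stats.items():
        if not s["pkts"]:
            continue  # host only seen as the receiver of ICMP errors
        pps = s["pkts"] / max(s["last"] - s["first"], 1e-3)
        if s["udp"] and pps >= pps_threshold and s["unreach_back"] >= 0.5 * s["udp"]:
            verdicts[src] = "udp flood (resource): port unreachable storm"
        elif s["filler"] >= 0.5 * s["pkts"] and s["bytes"] / s["pkts"] >= 512:
            verdicts[src] = "padding flood (bandwidth): large filler payloads"
        else:
            verdicts[src] = "normal"
    return verdicts

def sample_capture():
    """Constructed traffic: a fragment/filler flooder, a port-unreachable flooder, a normal host."""
    frames, rng = [], random.Random(1)
    for i in range(100):  # 10.0.0.1: 2000-byte zero-filled datagrams, each split into two fragments
        udp = build_udp(1234, 80, b"\x00" * 1992)
        frames.append((i * 0.005, build_frame(build_ipv4("10.0.0.1", "10.0.0.2", 17, udp[:1480], i, True))))
        frames.append((i * 0.005, build_frame(build_ipv4("10.0.0.1", "10.0.0.2", 17, udp[1480:], i, False, 1480))))
    for i in range(4500):  # 10.0.0.3: empty datagrams to random closed ports, each answered by ICMP 3/3
        req = build_ipv4("10.0.0.3", "10.0.0.2", 17, build_udp(40000, rng.randint(1024, 65535), b""), i)
        frames.append((1.0 + i / 4500, build_frame(req)))
        frames.append((1.0 + i / 4500, build_frame(build_ipv4("10.0.0.2", "10.0.0.3", 1, build_icmp_port_unreach(req)))))
    for i in range(20):  # 10.0.0.9: low-rate queries with varying content
        frames.append((5.0 + i * 0.5, build_frame(build_ipv4("10.0.0.9", "10.0.0.2", 17, build_udp(50000, 53, b"query %d" % i)))))
    return frames

if __name__ == "__main__":
    print(classify(analyse(sample_capture())))
```

Run it directly to get a verdict per source; on a real capture you would feed (timestamp, frame) pairs from a pcap reader instead of sample_capture(). The eth_pad field is what separates legitimate padding from attack filler: minimum-frame padding sits after the IP datagram and never inflates the IP total length (18 bytes for an empty UDP datagram), whereas attack filler lives inside the payload, inflates the IP length, forces fragmentation, and shows up as long runs of a single byte value.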
Padding attacks are not limited to UDP; ICMP and TCP can be abused in the same way. Whatever protocol is used, the key feature is that the packets contain a large number of useless bytes and are highly regular: uniform in size and repetitive in content.
Defending against padding attacks mainly involves filtering fragments at the firewall and rate-limiting or dropping hosts that send large volumes of repeated data. As a caveat, most operating systems also rate-limit the ICMP errors they generate, which caps the cost of the port unreachable variant but does nothing about the bandwidth consumed by the inbound flood itself.