IP packet fragmentation and reassembly: router fragmentation attacks

Source: Internet
Author: User

This topic depends on the IP packet format.

First, let's take a look at the IP packet format:


Each header field is documented online; only the fields relevant to fragmentation are discussed here.

During transmission, if a datagram is longer than the MTU configured on an interface, the router fragments it (look up the details of how fragmentation and reassembly work yourself) so that it can be forwarded along the route.

As shown in the figure (not reproduced here), a 4000-byte datagram is divided into three fragments when the MTU is 1420 bytes. Each fragment is 1400 bytes in length, and 1400 is divisible by 8.


To reduce the number of fragments, each fragment should be as large as possible. The position of a fragment within the original datagram is given by the fragment offset field. Except for the last fragment, the length of every fragment (the data portion, excluding the IP header) must be divisible by 8. For example, if the MTU is 505, the largest data segment that fits after the 20-byte IP header is 485 bytes, but the largest multiple of 8 that does not exceed 485 is 480, so the data must be split into 480-byte fragments.
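The following Python is an added example, not code from the original post. It computes the fragment layout for the two cases above and performs the receiver-side consistency check that the text leaves to the reader. It assumes a 20-byte IPv4 header with no options and treats the 4000 bytes as the data length; the function names are my own.

```python
IP_HEADER_LEN = 20  # minimal IPv4 header (no options); the page's examples assume this


def max_fragment_payload(mtu, header_len=IP_HEADER_LEN):
    """Largest data length a non-final fragment may carry: it must fit after the
    IP header within the MTU and be a multiple of 8, because the fragment offset
    field counts in 8-byte units."""
    if mtu <= header_len:
        raise ValueError("MTU leaves no room for data")
    return (mtu - header_len) // 8 * 8


def fragment(data_len, mtu, header_len=IP_HEADER_LEN):
    """Split a datagram carrying data_len bytes of data for a link with the given MTU.
    Returns a list of (fragment_offset_in_8_byte_units, data_length, more_fragments)."""
    if data_len <= mtu - header_len:
        return [(0, data_len, False)]      # fits as-is, no fragmentation needed
    chunk = max_fragment_payload(mtu, header_len)
    frags, pos = [], 0
    while pos < data_len:
        n = min(chunk, data_len - pos)
        more = pos + n < data_len          # MF flag is clear only on the final fragment
        frags.append((pos // 8, n, more))
        pos += n
    return frags


def covered_length(frags):
    """Receiver-side consistency check: fragments must be contiguous, non-final
    fragments must have lengths divisible by 8, and only the final one may have
    MF clear. Returns the reassembled data length or raises ValueError."""
    expected = 0
    ordered = sorted(frags)
    for i, (off, n, more) in enumerate(ordered):
        if off * 8 != expected:
            raise ValueError(f"gap or overlap at offset unit {off}")
        last = i == len(ordered) - 1
        if more == last:
            raise ValueError("MF flag inconsistent with fragment position")
        if not last and n % 8:
            raise ValueError("non-final fragment length is not a multiple of 8")
        expected += n
    return expected


if __name__ == "__main__":
    # Page's first example: 4000 bytes of data, MTU 1420 -> data chunks of 1400 bytes
    for f in fragment(4000, 1420):
        print(f)
    # Page's second example: MTU 505 -> 485 bytes would fit, but 480 is the usable chunk
    print(max_fragment_payload(505))
```

With the page's numbers the first example yields offsets 0, 175 and 350 (in 8-byte units) with data lengths 1400, 1400 and 1200, and `covered_length` reproduces the 4000-byte total.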


You can check the MTU settings on a router, and you can also look up how to set the MTU on your own computer (search Baidu for "MTU").

I also found this article on the Internet and posted it for discussion.

Fragmentation attack

The principle of this attack: when an IP datagram is fragmented, every fragment carries a fragment offset field that marks its position in the original datagram, but only the first fragment contains the TCP port numbers. When the fragments pass through a packet-filtering firewall, the firewall decides whether the datagram is allowed based solely on the TCP information in the first fragment; the subsequent fragments are not inspected and are passed through directly.

In this way, an attacker can first send a valid first fragment that passes the firewall's check, then send subsequent fragments carrying malicious data that pass straight through the firewall and reach hosts on the internal network, threatening the security of the network and its hosts.


To verify this claim, you need to understand the firewall's filtering principles and the header information of the IP packet.
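The mitigation for the behaviour described above is to stop judging a datagram by its first fragment alone: hold fragments, reassemble, and apply the filter to the whole datagram. The Python below is an added example written for this post, not the firewall code of any product. It models fragments as simple records (no real packets are parsed), applies a constructed allow-list of TCP destination ports, and adds the two checks from RFC 1858 that a practitioner would expect: a first fragment too short to expose the TCP header is dropped, and a fragment set with overlapping data is dropped as a whole. Timeouts for stale buffers are omitted; the class and function names are my own.

```python
from collections import defaultdict

TCP_HEADER_MIN = 20  # bytes of TCP header needed before ports and flags can be read
PROTO_TCP = 6


def make_fragment(src, dst, ident, proto, offset_units, mf, data):
    """Constructed fragment record: offset in 8-byte units, MF flag, data bytes."""
    return {"src": src, "dst": dst, "id": ident, "proto": proto,
            "offset": offset_units, "mf": mf, "data": bytes(data)}


def sample_tcp_header(dport, sport=12345):
    """Constructed 20-byte TCP header with only the ports filled in (sample input)."""
    return sport.to_bytes(2, "big") + dport.to_bytes(2, "big") + bytes(16)


class ReassemblingFilter:
    """Filter that never forwards a fragment on its own: it buffers fragments per
    (src, dst, id, proto) and applies the policy to the reassembled datagram."""

    def __init__(self, allowed_tcp_ports):
        self.allowed = set(allowed_tcp_ports)
        self.buffers = defaultdict(list)  # flow key -> fragments seen so far

    @staticmethod
    def _key(frag):
        return (frag["src"], frag["dst"], frag["id"], frag["proto"])

    def _policy(self, proto, data):
        """Example policy: only TCP to an allowed destination port passes."""
        if proto != PROTO_TCP or len(data) < TCP_HEADER_MIN:
            return False
        dport = int.from_bytes(data[2:4], "big")
        return dport in self.allowed

    @staticmethod
    def _try_reassemble(buf):
        """None while incomplete; (False, b'') on overlap; (True, data) when complete."""
        frags = sorted(buf, key=lambda f: f["offset"])
        expected, data = 0, bytearray()
        for f in frags:
            start = f["offset"] * 8
            if start < expected:
                return (False, b"")   # overlapping data: refuse the whole datagram
            if start > expected:
                return None           # gap: still waiting for a fragment
            data += f["data"]
            expected = start + len(f["data"])
        if frags[-1]["mf"]:
            return None               # final fragment not yet seen
        return (True, bytes(data))

    def handle(self, frag):
        """Return ("forward", frags), ("drop", frags) or ("hold", [])."""
        key = self._key(frag)
        if frag["offset"] == 0 and not frag["mf"]:
            # unfragmented datagram: inspect it directly
            ok = self._policy(frag["proto"], frag["data"])
            return ("forward" if ok else "drop", [frag])
        if frag["offset"] == 0 and len(frag["data"]) < TCP_HEADER_MIN:
            # RFC 1858 tiny-fragment rule: the first fragment must expose the TCP header
            self.buffers.pop(key, None)
            return ("drop", [frag])
        buf = self.buffers[key]
        buf.append(frag)
        result = self._try_reassemble(buf)
        if result is None:
            return ("hold", [])       # a lone non-first fragment never passes by itself
        del self.buffers[key]
        complete, data = result
        if not complete:
            return ("drop", buf)
        return ("forward" if self._policy(frag["proto"], data) else "drop", buf)


if __name__ == "__main__":
    fw = ReassemblingFilter({80})
    first = make_fragment("10.0.0.1", "10.0.0.2", 1, PROTO_TCP, 0, True, sample_tcp_header(80) + bytes(4))
    second = make_fragment("10.0.0.1", "10.0.0.2", 1, PROTO_TCP, 3, False, bytes(16))
    print(fw.handle(second)[0])   # held: nothing is forwarded without the first fragment
    print(fw.handle(first)[0])    # forwarded together once the whole datagram checks out
```

Feeding the second fragment before the first shows the difference from the behaviour in the article: the filter answers "hold" rather than passing it through, and the datagram is only forwarded when the reassembled copy satisfies the policy.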
