Fragmentation occurs if the IP must send a datagram that is large than is allowed by the receive window in the network layer. This process will break up a datagram into smaller packets and then it will be restored when received by the other end. This is a normal and very important process. Each packet is marked with a length, an offset and a more bit.
Length = Total length of the fragment
Offset - distance from the beginning of the original datagram
More bit = used to determine if there are other packets after that one. 1 indicates there is another packet which is part of that set. 0 indicates it is the last packet of the set.
|
IPID = 043C Length = 3,600 Offset = 0 |
Fragmented (Normal)
| More = 1 Len = 1,000 Offset = 0 |
|||
| More = 1 Len = 1,000 Offset = 1,000 |
|||
| More = 1 Len = 1,000 Offset = 2,000 |
|||
| More = 0 Len = 600 Offset = 3,000 |
When the packets are manipulated so that they overlap (shown below) instead of following in order one after another (above) it can crash the computer. The teardrop attack is a good example of an exploit that will overlap packets. The packets can also be manipulated so that instead of overlapping, there is too much space between them as well.
Overlapping Fragment Attack
| More = 1 Len = 1,000 Offset = 0 |
||||
| More = 1 Len = 1,000 Offset = 500 |
||||
| More = 0 Len = 1,000 Offset = 1,500 |
||||
Search: Cosmos | BlogPulse
Submit: Digg This | Shout this! | Slashdot
Bookmark: Del.icio.us | Furl It | Spurl | Tag!RawSugar | Simpy This! | Shadows Tag! | Blink It | My Web
GirlGeekteete dotNet Tags: fragmentation, datagram, packet, IP, teardrop, exploit, IP
Technorati Tags: fragmentation, datagram, packet, IP, teardrop, exploit, IP
No Comments »
