Fragmentation considered vulnerable: Blindly intercepting and discarding fragments

Yossi Gilad; Amir Herzberg

Fragmentation considered vulnerable: Blindly intercepting and discarding fragments

Yossi Gilad
, Amir Herzberg

Research output: Contribution to conference › Paper › peer-review

23 Scopus citations

Abstract

We show that fragmented IPv4 and IPv6 traffic is vulnerable to DoS, interception and modification attacks by a blind (spoofing-only) attacker. We demonstrated a weak attacker causing over 94% loss rate and intercepting more than 80% of data between peers. All attacks are practical, and validated experimentally on popular industrial and open-source products, with realistic network setups (involving NAT or tunneling). The interception attack requires a zombie behind the same NAT or tunnel-gateway as the victim destination; the other attacks only require a puppet (adversarial applet/script in sandbox). The complexity of our attacks depends on the predictability of the IP Identifier (ID) field and are simpler for implementations, e.g. Windows, which use globally-incrementing IP IDs. Most of our effort went into extending the attacks for implementations, e.g. Linux, which use per-destination-incrementing IP IDs.

Original language	English
State	Published - 2011
Externally published	Yes
Event	5th USENIX Workshop on Offensive Technologies, WOOT 2011, Held in Conjunction with the 20th USENIX Security Symposium, USENIX Security 2011 - San Francisco, United States Duration: 8 Aug 2011 → 8 Aug 2011

Conference

Conference	5th USENIX Workshop on Offensive Technologies, WOOT 2011, Held in Conjunction with the 20th USENIX Security Symposium, USENIX Security 2011
Country/Territory	United States
City	San Francisco
Period	8/08/11 → 8/08/11

Bibliographical note

Publisher Copyright:
© 2011 USENIX Association. All rights reserved.

Cite this

@conference{6df25bda9e8f4cbd8b36ce46c67211ae,

title = "Fragmentation considered vulnerable: Blindly intercepting and discarding fragments",

abstract = "We show that fragmented IPv4 and IPv6 traffic is vulnerable to DoS, interception and modification attacks by a blind (spoofing-only) attacker. We demonstrated a weak attacker causing over 94\% loss rate and intercepting more than 80\% of data between peers. All attacks are practical, and validated experimentally on popular industrial and open-source products, with realistic network setups (involving NAT or tunneling). The interception attack requires a zombie behind the same NAT or tunnel-gateway as the victim destination; the other attacks only require a puppet (adversarial applet/script in sandbox). The complexity of our attacks depends on the predictability of the IP Identifier (ID) field and are simpler for implementations, e.g. Windows, which use globally-incrementing IP IDs. Most of our effort went into extending the attacks for implementations, e.g. Linux, which use per-destination-incrementing IP IDs.",

author = "Yossi Gilad and Amir Herzberg",

note = "Publisher Copyright: {\textcopyright} 2011 USENIX Association. All rights reserved.; 5th USENIX Workshop on Offensive Technologies, WOOT 2011, Held in Conjunction with the 20th USENIX Security Symposium, USENIX Security 2011 ; Conference date: 08-08-2011 Through 08-08-2011",

year = "2011",

language = "אנגלית",

}

Fragmentation considered vulnerable: Blindly intercepting and discarding fragments. / Gilad, Yossi; Herzberg, Amir.
2011. Paper presented at 5th USENIX Workshop on Offensive Technologies, WOOT 2011, Held in Conjunction with the 20th USENIX Security Symposium, USENIX Security 2011, San Francisco, United States.

Research output: Contribution to conference › Paper › peer-review

TY - CONF

T1 - Fragmentation considered vulnerable

T2 - 5th USENIX Workshop on Offensive Technologies, WOOT 2011, Held in Conjunction with the 20th USENIX Security Symposium, USENIX Security 2011

AU - Gilad, Yossi

AU - Herzberg, Amir

PY - 2011

Y1 - 2011

N2 - We show that fragmented IPv4 and IPv6 traffic is vulnerable to DoS, interception and modification attacks by a blind (spoofing-only) attacker. We demonstrated a weak attacker causing over 94% loss rate and intercepting more than 80% of data between peers. All attacks are practical, and validated experimentally on popular industrial and open-source products, with realistic network setups (involving NAT or tunneling). The interception attack requires a zombie behind the same NAT or tunnel-gateway as the victim destination; the other attacks only require a puppet (adversarial applet/script in sandbox). The complexity of our attacks depends on the predictability of the IP Identifier (ID) field and are simpler for implementations, e.g. Windows, which use globally-incrementing IP IDs. Most of our effort went into extending the attacks for implementations, e.g. Linux, which use per-destination-incrementing IP IDs.

AB - We show that fragmented IPv4 and IPv6 traffic is vulnerable to DoS, interception and modification attacks by a blind (spoofing-only) attacker. We demonstrated a weak attacker causing over 94% loss rate and intercepting more than 80% of data between peers. All attacks are practical, and validated experimentally on popular industrial and open-source products, with realistic network setups (involving NAT or tunneling). The interception attack requires a zombie behind the same NAT or tunnel-gateway as the victim destination; the other attacks only require a puppet (adversarial applet/script in sandbox). The complexity of our attacks depends on the predictability of the IP Identifier (ID) field and are simpler for implementations, e.g. Windows, which use globally-incrementing IP IDs. Most of our effort went into extending the attacks for implementations, e.g. Linux, which use per-destination-incrementing IP IDs.

UR - https://www.scopus.com/pages/publications/85084164500

M3 - ???researchoutput.researchoutputtypes.contributiontoconference.paper???

AN - SCOPUS:85084164500

Y2 - 8 August 2011 through 8 August 2011

ER -

Fragmentation considered vulnerable: Blindly intercepting and discarding fragments

Abstract

Conference

Bibliographical note

Other files and links

Fingerprint

Cite this