Tiny fragment attack
- Fragments are rarely reassembled until the final destination
- Craft fragments so the source and destination ports or ICMP codes are in the second fragment - bypassing the firewall filters
- Also useful in stealth port scans
Fragment overlap attack
- Fragment 1 is constructed to go to an allowed service
- Fragment 2 overwrites the original ports and connects to a disallowed service on reassembly
- Denial of Service - Teardrop
Different underlying networks (e.g. Ethernet, ATM, Token Ring) define different limits on the size of a frame. As a packet is passed on from one router to the next along the path from the source machine to the destination machine, network gateway routers may need to cut the packet up into smaller pieces, called fragments, before passing them on to a new network. The first fragment normally contains the TCP or UDP header with the usual source and destination port numbers. The following fragments do not. (The IP and transport headers are rarely more than 40 bytes long.)
Once a packet is fragmented, intermediate routers don't reassemble the packet. The fragments are reassembled at either the final router or at the destination host.
Header length: number of 32-bit words in the header.
Datagram length: length in bytes of the total datagram, including the header, when the packet is fully assembled, i.e. not fragmented. Maximum packet length is 65,535 bytes.
Fragment offset: number of 8-byte blocks this fragment is from the start of the original datagram.
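A filter can refuse both fragment patterns described above without reassembly, using only the header length, datagram length and fragment offset fields. The following Python is an added example, not part of the original slides; the `MIN_TRANSPORT` thresholds, the function names and the sample packets are assumptions constructed for illustration, and it reads each fragment's length field as the length of that fragment.

```python
import struct

# Assumed minimum transport-header bytes a filter must see: TCP 20, UDP 8, ICMP 4.
MIN_TRANSPORT = {6: 20, 17: 8, 1: 4}

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the header fields the notes describe from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_off, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    header_len = (ver_ihl & 0x0F) * 4            # header length is in 32-bit words
    if ver_ihl >> 4 != 4 or header_len < 20 or total_len < header_len:
        raise ValueError("malformed IPv4 header")
    return {
        "proto": proto,
        "payload_len": total_len - header_len,   # bytes carried by this fragment
        "offset": (flags_off & 0x1FFF) * 8,      # fragment offset is in 8-byte blocks
    }

def check_fragment(pkt: bytes) -> str:
    """Return a filter verdict for one packet, without reassembling it."""
    f = parse_ipv4(pkt)
    need = MIN_TRANSPORT.get(f["proto"])
    if need is None:
        return "pass"
    if f["offset"] == 0:
        # Tiny fragment: the first piece is too short to carry the ports/codes.
        return "drop: tiny first fragment" if f["payload_len"] < need else "pass"
    if f["offset"] < need:
        # Overlap: a later piece lands on top of the transport header.
        return "drop: overlaps transport header"
    return "pass"

def make_ipv4(proto, offset_blocks, more, payload):
    """Build a constructed sample packet (checksum left zero, TEST-NET-1 addresses)."""
    flags_off = (0x2000 if more else 0) | offset_blocks
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_off,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

if __name__ == "__main__":
    samples = {  # constructed TCP fragments, payload bytes all zero
        "normal first fragment": make_ipv4(6, 0, True, bytes(24)),
        "8-byte first fragment": make_ipv4(6, 0, True, bytes(8)),
        "fragment at offset 8":  make_ipv4(6, 1, False, bytes(16)),
        "fragment at offset 24": make_ipv4(6, 3, False, bytes(16)),
    }
    for name, pkt in samples.items():
        print(f"{name}: {check_fragment(pkt)}")
```

The two offset checks follow the approach recommended in RFC 1858 for TCP; the UDP and ICMP thresholds extend the same idea.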