This document provides an overview of attacking IPv6 implementations using fragmentation. It begins with background on fragmentation in IPv4 and IPv6. The presenter then examines fragmentation issues in popular OS implementations through examples. Target OSes include Ubuntu, FreeBSD, OpenBSD and Windows. Small fragments and overlapping fragments are demonstrated. The document discusses the security implications of these attacks, such as firewall evasion. It also covers different reassembly policies using the Paxson/Shankar model of fragmentation. The overall summary is that fragmentation can be used to bypass security controls by manipulating the packet payload across fragments.
Using Rook to Manage Kubernetes Storage with CephCloudOps2005
Moh Ahmed and Raymond Maika presented 'Using Rook to Manage Kubernetes Storage with Ceph' at Montreal's first Cloud Native Day, which took place on June 11 in Montreal.
This is the user manual of Veepeak OBDCheck VP39.
>> READ MORE: https://www.obdadvisor.com/best-veepeak-obd2-scanner-review/
Here is a detailed review of the Veepeak adapters based on my own experience, including:
- Compatibility
- Features and Functions
- Pros and Cons
Check it out to get the REVIEW and some NOTES about using the scanner.
NSO: Network Service Orchestrator enabled by Tail-f Hands-on LabCisco Canada
The Network Service Orchestrator (NSO) is a multi-vendor network orchestrator developed by Tail-f, a recent Cisco acquisition in the area of network management and orchestration. This 4hs session will give an introduction to the NCS system and show hands-on the tool and its different interfaces: network-wide CLI, REST API, etc. Participants will also create one basic network services models using the YANG language.
Using Rook to Manage Kubernetes Storage with CephCloudOps2005
Moh Ahmed and Raymond Maika presented 'Using Rook to Manage Kubernetes Storage with Ceph' at Montreal's first Cloud Native Day, which took place on June 11 in Montreal.
This is the user manual of Veepeak OBDCheck VP39.
>> READ MORE: https://www.obdadvisor.com/best-veepeak-obd2-scanner-review/
Here is a detailed review of the Veepeak adapters based on my own experience, including:
- Compatibility
- Features and Functions
- Pros and Cons
Check it out to get the REVIEW and some NOTES about using the scanner.
NSO: Network Service Orchestrator enabled by Tail-f Hands-on LabCisco Canada
The Network Service Orchestrator (NSO) is a multi-vendor network orchestrator developed by Tail-f, a recent Cisco acquisition in the area of network management and orchestration. This 4hs session will give an introduction to the NCS system and show hands-on the tool and its different interfaces: network-wide CLI, REST API, etc. Participants will also create one basic network services models using the YANG language.
Cisco StackWise technology provides an innovative new method for collectively utilizing the capabilities of a stack of switches. Individual switches intelligently join to create a single switching unit with a 32-Gbps switching stack interconnect. Configuration and routing information is shared by every switch in the stack, creating a single switching unit. Switches can be added to and deleted from a working stack without affecting performance.
Icinga Director and vSphereDB - how they play together - Icinga Camp Zurich 2019Icinga
Talk by: Thomas Gelf
While the Icinga Director is the main configuration tool for Icinga, vSphereDB is a completely different beast. Icinga models everything around Hosts and Services, vSphereDB instead discovers your whole VMware infrastructure and builds a huge and deep inventory.
This talk wants to explain the reasoning behind this, shows what’s possible right now and where those powerful Icinga components are heading to in the near future.
Multi-Area OSPF explained. Presentation by CoderGenie Technologies. CoderGenie Technologies provide best training on OpenStack, CCIE, CCIE SP, CCIE Security, CCIE DC
Viruses on mobile platforms why we don't/don't we have viruses on android_Jimmy Shah
This presentation will discuss the resources available to attackers to write Android viruses, including methods of infecting executables, gaining control from the original app and avoiding detection.
Exploiting Cross-site scripting flaws can be a trivial challenge for anyone new to Web Application Security. This presentation aims to provide useful information on understanding different types of XSS, attack methodologies and common ways of exploiting them.
This talk goes over the art of antivirus evasion, or really the lack thereof. I talk about a new module that's getting added into Veil-Evasion, a signature that was developed for Veil, and creating your own processes for approaching unknowns.
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
This talk is about different attacker persistence techniques that we have seen in the wild, or published by other companies. We wanted to create a massive document containing all of these techniques with a mile wide, inch deep approach. Our goal is to give a description of how each technique works and a way to detect them to allow anyone to start looking for these specific techniques.
Cisco StackWise technology provides an innovative new method for collectively utilizing the capabilities of a stack of switches. Individual switches intelligently join to create a single switching unit with a 32-Gbps switching stack interconnect. Configuration and routing information is shared by every switch in the stack, creating a single switching unit. Switches can be added to and deleted from a working stack without affecting performance.
Icinga Director and vSphereDB - how they play together - Icinga Camp Zurich 2019Icinga
Talk by: Thomas Gelf
While the Icinga Director is the main configuration tool for Icinga, vSphereDB is a completely different beast. Icinga models everything around Hosts and Services, vSphereDB instead discovers your whole VMware infrastructure and builds a huge and deep inventory.
This talk wants to explain the reasoning behind this, shows what’s possible right now and where those powerful Icinga components are heading to in the near future.
Multi-Area OSPF explained. Presentation by CoderGenie Technologies. CoderGenie Technologies provide best training on OpenStack, CCIE, CCIE SP, CCIE Security, CCIE DC
Viruses on mobile platforms why we don't/don't we have viruses on android_Jimmy Shah
This presentation will discuss the resources available to attackers to write Android viruses, including methods of infecting executables, gaining control from the original app and avoiding detection.
Exploiting Cross-site scripting flaws can be a trivial challenge for anyone new to Web Application Security. This presentation aims to provide useful information on understanding different types of XSS, attack methodologies and common ways of exploiting them.
This talk goes over the art of antivirus evasion, or really the lack thereof. I talk about a new module that's getting added into Veil-Evasion, a signature that was developed for Veil, and creating your own processes for approaching unknowns.
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
This talk is about different attacker persistence techniques that we have seen in the wild, or published by other companies. We wanted to create a massive document containing all of these techniques with a mile wide, inch deep approach. Our goal is to give a description of how each technique works and a way to detect them to allow anyone to start looking for these specific techniques.
In the following slides we will show you how to create a #DMZ using the #FortiGate
#Firewall. See next chapters on #FortiGate configuration. Stay with us!
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
This presentation shows that code coverage guided fuzzing is possible in the context of network daemon fuzzing.
Some fuzzers are blackbox while others are protocol aware. Even ones which are made protocol aware, fuzzer writers typically model the protocol specification and implement packet awareness logic in the fuzzer. Unfortunately, just because the fuzzer is protocol aware, it does not guarantee that sufficient code paths have been reached.
The presentation deals with specific scenarios where the target protocol is completely unknown (proprietary) and no source code or protocol specs are accessible. The tool developed builds a feedback loop between the client and the server components using the concept of "gate functions". A gate function triggers monitoring. The pintool component tracks the binary code coverage for all the functions untill it reaches an exit gate. By instrumenting such gated functions, the tool is able to measure code coverage during packet processing.
LinuxCon 2015 Linux Kernel Networking WalkthroughThomas Graf
This presentation features a walk through the Linux kernel networking stack for users and developers. It will cover insights into both, existing essential networking features and recent developments and will show how to use them properly. Our starting point is the network card driver as it feeds a packet into the stack. We will follow the packet as it traverses through various subsystems such as packet filtering, routing, protocol stacks, and the socket layer. We will pause here and there to look into concepts such as networking namespaces, segmentation offloading, TCP small queues, and low latency polling and will discuss how to configure them.
Aspekte von IPv6-Security
• Hackertools & ein paar Angriffsszenarien
• 3 Empfehlungen
q a) Ist IPv6 sicherer als IPv4?
q b) Ist IPv6 unsicherer als IPv4?
q c) Wer ist an allem Schuld?
q d) Wie wirkt sich die Integration von IPv6 in
meine Organisation auf deren IT-Sicherheit aus?
The Potential Impact of Software Defined Networking SDN on SecurityBrent Salisbury
The Potential Impact of Software Defined Networking SDN on Security. The video of the presentation is at http://networkstatic.net/the-potential-impact-of-software-defined-networking-sdn-on-security/ by Brent Salisbury. It is the first cut so a lot is not in the deck yet on the example use case front.
Similar to Attacking IPv6 Implementation Using Fragmentation (20)
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
Attacking IPv6 Implementation Using Fragmentation
1. ATTACKING IPV6 IMPLEMENTATION
USING FRAGMENTATION
Antonios Atlasis, antonios.atlasis@cscss.org
Centre for Strategic Cyberspace + Security Science
2. Bio
• Independent IT Security analyst and researcher.
• Over 20 years of diverse Information Technology
experience.
• Instructor and software developer, etc.
• Hobbies: bug-finding.
• Recently joined the Centre for Strategic Cyberspace
+ Security Science non-profit organisation.
• E-mail: antonios.atlasis@cscss.org
3. Presentation Outline
• Some background regarding fragmentation in
IPv4 and its consequences.
• Fragmentation in IPv6.
• Examination of fragmentation issues in IPv6
implementation against some of the most
popular OS – Examples.
• Conclusions
5. IP Fragmentation
• Usually a normal event.
• Required when the size of the IP datagram is
bigger than the Maximum Transmission Unit
(MTU) of the route that the datagram has to
traverse (e.g. Ethernet MTU=1500 bytes).
• Packets reassembled by the receiver.
6. Fragmentation in IPv4
• Share a common fragment identification
number (which is the IP identification number
of the original datagram).
• Define its offset from the beginning of the
corresponding unfragmented datagram, the
length of its payload and a flag that specifies
whether another fragment follows, or not.
• In IPv4, this information is contained in the
IPv4 header.
7. IPv4 Header
RFC 791
0 1 2 3 4 5 6 7 8 9 1 1 2 3 4 5 6 7 8 9 2 1 2 3 4 5 6 7 8 9 3 1
0 0 0
Verson IHL Type of Service Total Length
Identification x D M Fragment Offset
TTL Protocol Header Checksum
Source Address
Destination Address
IP Options (optional)
Don't Fragment
Don't Fragment More Fragments to Follow
8. IPv4 Fragmentation
e.g. MTU: 1500 bytes (Ethernet)
Unfragmented packet
IPv4 Embedded protocol plus payload
header (e.g.3200 bytes)
IPv4 Fragment 1
header
MF=1, MF=0
IPv4 Fragment 2 Offset=2960
offset =0 header
length=1480 Length=240
MF=1, Offset=1480,
IPv4 Fragment 3
length=1480
header
10. When it all started
• “Insertion, Evasion and Denial of Service:
Eluding Network Intrusion Detection”, by
Thomas H. Ptacek, Timothy N. Newsham, ,
Secure Networks, Inc. , January, 1998.
• Three classes of attacks were defined against
IDS/IPS:
– insertion,
– evasion and
– Denial of Service attacks.
11. Insertion
• When an IDS accepts a packet that the end-
system rejects.
• An attacker can use this type of attacks to
defeat signature analysis and to pass
undetected through an IDS.
12. Insertion
Target
Ouch!
IDS
E X P LO R I T E X P L OX I T
R
The target rejects character “R”, which IDS
accepts; this breaks the IDS signature.
Signature content: EXPLOIT
13. Evasion
• When an end-system accepts a packet that an
IDS rejects.
• Such attacks are exploited even more easily
that insertion attacks.
14. Evasion
Target
Ouch!
IDS
X
E X P LO IT E XPL OIT
The target accepts character “O”, which IDS
rejects; this breaks the IDS signature.
Signature content: EXPLOIT
15. Fragmentation Attacks
• Disordered arrival of fragments.
• IDS flooding by partial fragmented datagrams.
• Selective dropping of old and incomplete
fragmented datagram.
• Overlapping fragments.
• IP Options in Fragment Streams.
17. In IPv6
• Fragmentation fields (offset, D and M bits)
have been totally removed.
• IPv6 header length is limited to 40 bytes, BUT
the use of Extension Headers has been
introduced.
• These IPv6 Extension Headers add additional
functionality.
18. IPv6 Extension Headers
• IPv6 header
• Hop-by-Hop Options header
• Destination Options header
• Routing header
• Fragment header
• Authentication header
• Encapsulating Security Payload header
• Destination Options header (processed only by
the receiver).
This is the recommended order
• Upper-layer header by RFC2460
19. IPv6 Fragment Header
•
0 1 2 3 4 5 6 7 8 9 1 1 2 3 4 5 6 7 8 9 2 1 2 3 4 5 6 7 8 9 3 1
0 0 0
• Next Header Reserved Fragment Offset Res M
Identification
• M: More Fragment bit.
• Fragment offset: Offset in 8-octet units.
• The is no DF (Don't Fragment) bit, because in IPv6 the fragmentation is
performed only by the source nodes and not by the routers along a
packet's delivery path.
Each fragment, except possibly the last one, is an integer multiple of 8
octets long.
20. IPv6 Fragmentation
Unfragmented packet
Unfragmentable Fragmentable part
part
IPv6 header + some of
the extension headers
Unfragmentable Fragment Fragment 1
part Header
Unfragmentable Fragment Fragment 2
part Header
Unfragmentable Fragment Fragment 3
part Header
21. Recommended Handling of IPv6
Fragmentation
• IPv6 attempts to minimise the use of
fragmentation by:
– Minimising the supported MTU size to 1280 octets
or greater. If required, link-specific fragmentation
and reassembly must be provided at a layer below
IPv6.
– Allowing only the hosts to fragment datagrams.
22. Recommended Handling of IPv6
Fragmentation
• RFC5722 recommends that overlapping
fragments should be totally disallowed:
– when reassembling an IPv6 datagram, if one or
more of its constituent fragments is determined
to be an overlapping fragment, the entire
datagram (and any constituent fragments,
including those not yet received) must be silently
discarded.
26. The Used Protocol for our Testing
Purposes
• As an upper-layer protocol, the ICMPv6 was
used (Echo Request type):
– It is the simplest protocol that can invoke a
response.
– It also echoes back the payload of the Echo
Request packet
• Hence, using unique payload per packet, the
fragmentation reassembly policy of the target
can be easily identified.
28. Using of Small Fragments
8 bytes
time
8 bytes Payload of fragment 2
= payload of ICMPv6
Payload of fragment 1
= ICMPv6 Header
IPv6 net packet payload per fragment
31. Results
• All of the tested OS sent an echo reply to the
sender.
• Hence, all major OS accept fragments as small
as 56 bytes (including IPv6 header = 40 bytes
IPv6 Header + 8 bytes Fragment Header + 8
bytes of ICMPv6 Header).
33. Tiny Fragmentation Consequences
• In IPv4, the embedded protocol's header, e.g.
st
TCP (or at least a part of it) has to be in the 1
fragment.
• Firewall evasions could occur if a subsequent
fragment would overwrite the TCP header
(e.g. the destination port, the SYN/ACK flags,
etc.)
• To this end, RFC 1858 defined that:
IF FO=1 and PROTOCOL=TCP then DROP PACKET.
34. Tiny Fragmentation Consequences
in IPv6
• At least one extension header can follow the
Fragment Header: The Destination header.
• But, the total length of the Destination
Options header can reach 264 bytes (RFC
2462).
• Hence, using 8-bytes fragments, we can split
the Destination Option headers to 33
fragments!
35. What does this mean?
• The layer-4 protocol header will start at the
34th fragment!
• And unless Deep Packet Inspection (=
complete IP datagram reassembly before
forwarding it), this can lead to firewall
evasion, without having to overlap any
fragments (as it was the case in IPv4)!
36. What does this mean?
• This number can increase if we increase the
number of the used extension headers that
follow the fragment extension header
(although not recommended by RFC 2460,
but, who cares?).
41. Results
• FreeBSD, Ubuntu 11.10 and Windows 7 were
immune to this attack.
• Ubuntu 10.04 and OpenBSD were susceptible
to these attacks.
– These two OS accept the fragmentation
overlapping with the first fragment overwriting
the second one.
42. and so?
• Acceptance of fragmentation by two of our
12
targets implies that this attack can be used:
10
– For OS fingerprinting purposes
8
– For IDS Insertion / Evasion purposes (depending
Column 1
6
for example on whether Ubuntu 10.04 is used as
Column 2
Column 3
4
the host OS of the IDS or as a guest OS).
• The fact that the 1st fragment overlaps the
2
0
second, seems that on its own cannot be
exploited for firewall evasion purposes.
Row 1 Row 2 Row 3 Row 4
44. The Paxson/Shankar Model
• At least one fragment that is wholly overlapped
by a subsequent fragment with an identical
offset and length.
• At least one fragment that is partially
overlapped by a subsequent fragment with an
offset greater than the original.
• At least one fragment this is partially
overlapped by a subsequent fragment with an
offset less than the original.
46. Fragment Reassembly Methods
• BSD favors an original fragment EXCEPT when the
subsequent segment begins before the original segment.
• BSD-right favors the subsequent segment EXCEPT when
the original segment ends after the subsequent segment,
or begins before the original segment and ends the same
or after the original segment.
• Linux favors the subsequent segment EXCEPT when the
original segment begins before, or the original segment
begins the same and ends after the subsequent segment.
• First favors the original fragment.
• Last favors the subsequent fragment.
47. The Paxson/Shankar Model
• BSD policy: 111442333666
• BSD-right policy: 144422555666
• Linux policy: 111442555666
• First policy: 111422333666
• Last policy: 144442555666
51. Results
• FreeBSD, Windows 7 and Ubuntu 11.10 are
immune to these attacks.
• Ubuntu 10.04 and OpenBSD are susceptible to
these attacks.
– OpenBSD: BSD reassembly policy
– Ubuntu 10.04: Linux reassembly policy
52. So, up to now it seems that linux kernel
2.6.40, FreeBSD 8.2/9 and Windows 7
are immune to fragmentation
overlapping attacks, right?
53. A simple 3-packet model where the
parameters of the one fragment are
varied.
55. Brief summary of Ubuntu 10.04
responses
• The non-favoured packets are not discarded
completely but they trimmed.
• The Linux reassembly policy was confirmed
nd
with one exception (when the 2 fragment has
a 0 offset and M=1).
• Three notable behaviours are when atomic
fragments overlap with other. In these cases
we have two separate responses from the
target.
60. Brief summary of OpenBSD 5
responses
• Follows the BSD policy.
• The non-favoured packets are not discarded
completely but they trimmed.
• No exceptions (e.g. in case of atomic
fragments).
62. Brief summary of FreeBSD
responses
• It discards the overlapping fragment (as it
should), but it doesn't discard the previous
and the subsequent ones (as it also should,
according to RFC5722).
• This is the reason why in almost all the cases,
fragments 1 and 3 are accepted (which do not
overlap).
63. Ubuntu 11.10 Responses
• Two responses when the one is an atomic fragment (offset =
M = 0).
• Should be discarded silently, according to the RFC 5722.
64. Windows 7 Responses
• Responses when M=1 and the second fragment overlaps only
with the first one, partially or completely, but without
exceeding the last byte of the first offset.
• It seems that they complies with RFC 5722 EXCEPT when only
the 1st fragment is overlapped.
65. Windows 7 Responses
• It seems that Windows 7 comply with RFC 5722 (discarding all
the fragments, when overlapping occurs), unless only the 1st
fragment is overlapped.
68. Ubuntu 11.10 responses for
reverse sending order
• More responses are received than when the normal sending
order is used.
– When atomic fragments overlap with non-atomic ones.
– In most of the other cases, only the overlapping fragment
is discarded.
70. Windows 7 Responses when
reversing the order
• Responses when fragments 2 and 3
completely and exactly overlap, in which case
Windows 7 considering them probably as
repeated packets.
72. Fragmentation Overlapping
Sending Double Packets
1280 bytes
Payload of fragment 1
1280 bytes
time
8-octets bytes offset Payload of fragment 2
1280 bytes
Payload of fragment 2
1280 bytes
Payload of fragment 1
IPv6 net packet payload per fragment
74. Results
• Ubuntu 10.04 and OpenBSD 5 send two responses
back.
• The two FreeBSDs send back a response even if the
packet numbered 4 is not sent, showing again that
they just discard the overlapping fragment.
• Ubuntu 11.10 and Windows 7 do send a response
only if all the four packets are sent (including the last
one, with the 0 offset).
• If the packet numbered 1 is not sent, none of the
three sends back a response.
77. Conclusions (1/5)
• All the tested OS accepted really tiny
fragments (e.g. two octets longs) which,
under specific circumstances (i.e. when deep-
packet inspection is not performed) and
especially when combined with the use of
other IPv6 extension headers, can lead to
firewall evasion.
• None of the tested OS is RFC 5722 compliant.
78. Conclusions (2/5)
• Ubuntu 10.04 LTS (using linux kernel 2.6.32)
and OpenBSD 5 were proven the most
susceptible to fragmentation overlapping
attacks among the tested OS, each one
following the corresponding well-known
reassembly policies (Linux and BSD
respectively).
79. Conclusions (3/5)
• FreeBSD 8.2/9 discards any overlapping
fragments appearing to have the most
consistent behaviour.
• Although this is a very good practice, it does
not fully comply with RFC 5722 which suggest
the rejection of any constituent fragments
too (including the ones not yet received).
80. Conclusions (4/5)
• The two Ubuntu send two responses back
when atomic fragments overlap with non-
atomic ones.
• The behaviour of Ubuntu 11.10 seems to
deteriorate significantly when the sending
order of the fragments is reversed.
• Windows 7, although seem to have the fewer
issues, there are cases that they also accept
overlapping fragments.
81. Conclusions (5/5)
• The impact of these issues, since it varies
between the tested OS, starts from OS
fingerprinting and can be extended, if used
properly, to IDS insertion / evasion and in
some cases, even to firewall evasions.
• OS vendors need to create fully RFC compliant
products.