[unisog] Practical, Legitimate IP Fragmentation?

Peter Van Epp vanepp at sfu.ca
Wed Mar 12 21:56:55 GMT 2003

On Wed, Mar 12, 2003 at 11:58:11AM -0500, Clarke Morledge wrote:
> Are there any of you maintaining a firewall at the campus edge blocking
> IP fragments from coming in (or even going out) of your network?  In view
> of the security risks associated with fragmentation, is this a good idea?

	No probably not. While we don't filter frags at the border we do have
argus monitoring everything that comes across it (including fragmentation)
so I can tell you on our network such a policy would cause somethings not
to work (because fragementation is occurring sometimes on the inbound link). 
Would that be a problem? I don't know, but I'm not sure I'd want to find out 
by blocking frags either. Would I block frags internally? Probably because
I control the MTU most everywhere and fragmentation internally would be 
unusual and possibly a sign of an attack.

> Theoretically, you should always pass IP fragments due to variances in
> Maximum Transfer Units (MTU) along a traffic path.  But practically
> speaking, in a world today where Ethernet is almost everywhere, the
> chances of running into an MTU different from standard Ethernet is
> relatively small.  Granted, there are exceptions, but a consistent MTU
> intra-campus and across the Internet seems to hold.
> Currently, we do allow IP fragments to pass through our firewall.  
> However, the risk associated with allowing fragments to pass through a
> campus edge seems high:  most router ACLs are unable to block IP fragments
> at the UDP/TCP port level, and damaging payloads can be hidden in
> fragments with some relative ease.

	This is entirely correct, but blocking fragments is probably the 
wrong answer. The righter answer is have your firewall (or an OpenBSD box if
your traffic is small enough to do it) defragement the IP stream at your 
border, allowing legit fragmentation to pass and discarding (with a loud 
scream to you and/or a complete packet dump) fragments whose offsets are
changing. Sometimes that will still be legit (variable paths with different
MTUs would be one case), sometimes it will be an attack by something like
fragrouter that you want to know about. If your border is too fast to do that
(one of ours for instance is an unrestricted Gig link from CA*net4), so the 
reassembly at an interior/lower speed/higher risk point such as the input to 
your administrative systems lan (in front of the IDS that is protecting it). 
Another answer is to put argus on your inbound link for a while (or forever) 
and examine after the fact incidents of fragmentation to see if you have a 
problem or not.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the unisog mailing list