[unisog] UDP fragments anyone?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Feb 20 20:28:10 GMT 2007


On Wed, 21 Feb 2007 08:17:15 +1300, Russell Fulton said:

> any tools worth their salt will reassemble packets *before* examining
> the contents and will flag overlapping fragments.

The fun starts when the tool and the destination system don't handle some
"should not happen" corner cases the same way. Most notably, overlapping
fragments - if you have a first fragment that's bytes 0-1200, and a second
fragment that's bytes 900-1500, which one do you look at for bytes 900 to
1200(*)?  And there's *lots* of things that go into casters-up mode (both tools
and end systems) if they're presented with a nice stream of packets that
say "last frag, bytes 65000-65535". ;)

(*) And of course, this can be arbitrarily malicious - consider:

frag, offset 0, len 72
frag, offset 48, len 96
frag, offset 32, len 32
frag, offset 56,len 8

Particlarly fun if youi can find some *other* way to malform the 3rd packet so
it gets dropped by the end host before being considered for packet reassembly.
Maybe a TTL that's 1 too few to actually reach the host. ;)



-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.sans.org/pipermail/unisog/attachments/20070220/d2b2a7b9/attachment.bin 


More information about the unisog mailing list