Legit Fragmented IP Traffic?

  1. #1
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724

    Legit Fragmented IP Traffic?

    I have just been presented with something I have not seen before. I work in the Network Operations Control Center, or NOC. Anyways, for most of the DOS attacks I see from day to day it is pretty easy to tell if a packet is malicious or not. However, the meanest packet to date has seemed to be the Fragmented IP. For a while I thought this "Fragmented Protocol" was entirely malicious, with no legit use. However, this is obviously not the case. I noticed a high packets per second on one of our router's interfaces and decided to capture the traffic to see what it was. This is what the capture looked like:

    This appears to be LEGIT IP Fragmented Protocol traffic (not an attack). You can see the NFS V3 WRITE Call/Reply XID is in the middle, does some IP Frag, and then does NFS again. If anybody has any information on NFS or what the hell is going on here, please respond. Thanks for everything Antionline.

    1 2003-03-25 09:18:42.9564 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=7400)
    3 2003-03-25 09:18:42.9567 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=5920)
    6 2003-03-25 09:18:42.9570 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
    10 2003-03-25 09:18:42.9572 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
    11 2003-03-25 09:18:42.9573 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
    12 2003-03-25 09:18:42.9574 207.44.132.80 -> 207.44.154.82 NFS V3 WRITE Call XID 0x9bb78aef[Unreassembled Packet]
    25 2003-03-25 09:18:42.9581 207.44.154.82 -> 207.44.132.80 NFS V3 WRITE Reply XID 0x9bb78aef
    36 2003-03-25 09:18:42.9587 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=7400)
    39 2003-03-25 09:18:42.9589 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=5920)
    42 2003-03-25 09:18:42.9591 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
    45 2003-03-25 09:18:42.9593 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
    48 2003-03-25 09:18:42.9596 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
    51 2003-03-25 09:18:42.9598 207.44.132.80 -> 207.44.154.82 NFS V3 WRITE Call XID 0x9cb78aef[Unreassembled Packet]
    65 2003-03-25 09:18:42.9605 207.44.154.82 -> 207.44.132.80 NFS V3 WRITE Reply XID 0x9cb78aef
    71 2003-03-25 09:18:42.9607 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=7400)
    73 2003-03-25 09:18:42.9609 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=5920)
    84 2003-03-25 09:18:42.9612 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
    86 2003-03-25 09:18:42.9614 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
    87 2003-03-25 09:18:42.9615 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
    88 2003-03-25 09:18:42.9616 207.44.132.80 -> 207.44.154.82 NFS V3 WRITE Call XID 0x9db78aef[Unreassembled Packet]
    102 2003-03-25 09:18:42.9624 207.44.154.82 -> 207.44.132.80 NFS V3 WRITE Reply XID 0x9db78aef
    114 2003-03-25 09:18:42.9631 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=7400)
    117 2003-03-25 09:18:42.9632 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=5920)
    119 2003-03-25 09:18:42.9633 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
    127 2003-03-25 09:18:42.9638 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
    128 2003-03-25 09:18:42.9640 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
    131 2003-03-25 09:18:42.9642 207.44.132.80 -> 207.44.154.82 NFS V3 WRITE Call XID 0x9eb78aef[Unreassembled Packet]
    146 2003-03-25 09:18:42.9650 207.44.154.82 -> 207.44.132.80 NFS V3 WRITE Reply XID 0x9eb78aef
    157 2003-03-25 09:18:42.9656 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=7400)
    160 2003-03-25 09:18:42.9659 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=5920)
    163 2003-03-25 09:18:42.9660 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
    165 2003-03-25 09:18:42.9661 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
    168 2003-03-25 09:18:42.9664 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
    172 2003-03-25 09:18:42.9666 207.44.132.80 -> 207.44.154.82 NFS V3 WRITE Call XID 0x9fb78aef[Unreassembled Packet]
    180 2003-03-25 09:18:42.9672 207.44.154.82 -> 207.44.132.80 NFS V3 WRITE Reply XID 0x9fb78aef
    185 2003-03-25 09:18:42.9674 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=7400)
    187 2003-03-25 09:18:42.9674 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=5920)
    191 2003-03-25 09:18:42.9680 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=4440)
    198 2003-03-25 09:18:42.9683 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
    199 2003-03-25 09:18:42.9683 207.44.132.80 -> 207.44.154.82 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
    200 2003-03-25 09:18:42.9686 207.44.132.80 -> 207.44.154.82 NFS V3 WRITE Call XID 0xa0b78aef[Unreassembled Packet]

    Data:

    Frame 1 (970 on wire, 970 captured)
    Arrival Time: Mar 25, 2003 09:18:42.956451000
    Time delta from previous packet: 0.000000000 seconds
    Time relative to first packet: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 970 bytes
    Capture Length: 970 bytes
    Ethernet II
    Destination: 00:e0:52:15:fa:4a (00:e0:52:15:fa:4a)
    Source: 00:e0:52:15:80:d1 (00:e0:52:15:80:d1)
    Type: IP (0x0800)
    Internet Protocol, Src Addr: 207.44.132.80 (207.44.132.80), Dst Addr: 207.44.154.82 (207.44.154.82)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 956
    Identification: 0xeed3
    Flags: 0x04
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset: 7400
    Time to live: 63
    Protocol: UDP (0x11)
    Header checksum: 0x88c4 (correct)
    Source: 207.44.132.80 (207.44.132.80)
    Destination: 207.44.154.82 (207.44.154.82)
    Data (936 bytes)

    0000 ac 7a 41 c1 8d a0 14 c1 5d 59 cd cf 34 ea 2b ac .zA.....]Y..4.+.
    0010 4f 71 d0 3c a5 cb 7a d5 cf 64 0f 9a e9 63 20 48 Oq.<..z..d...c H
    0020 50 f0 23 a5 75 c3 02 98 05 4d fe 3e 0a a6 11 a1 P.#.u....M.>....
    0030 9a b0 0f ef 29 18 1c 15 cd f9 d2 93 7a b6 75 6c ....).......z.ul
    0040 cf 4f 72 e1 f5 16 7c 31 d9 ac c1 70 15 f8 7b 50 .Or...|1...p..{P
    0050 fe 94 8d f3 55 0d 8b e1 61 f0 cc c3 6d 80 36 e1 ....U...a...m.6.
    0060 78 19 1c b6 57 1b 93 e9 3c 5d cd 92 79 5a b5 a8 x...W...<]..yZ..
    0070 10 be d9 70 09 9d 5f 10 4e 47 a4 51 64 32 8d 8e ...p.._.NG.Qd2..
    0080 f3 69 c5 b5 1d f6 58 44 b2 82 3d cd f7 82 8b 3b .i....XD..=....;
    0090 18 02 1e 76 b9 90 23 60 3b a7 28 b0 f2 c6 98 e9 ...v..#`;.(.....
    00a0 93 66 14 d2 53 dc c9 57 b5 4f 86 12 30 85 c4 08 .f..S..W.O..0...
    00b0 a0 f1 8a 41 2c 79 4b 2b c8 cd 41 1b 81 6f c6 3f ...A,yK+..A..o.?
    00c0 e5 14 79 dd 18 6b dd ba 4f 06 92 77 f5 7a 2a 08 ..y..k..O..w.z*.
    00d0 ec 55 4f 8d 33 b2 c4 99 6d e0 47 f1 29 18 36 3a .UO.3...m.G.).6:
    00e0 23 d0 64 ed 19 af 71 e8 08 5e a6 54 56 3a 58 9b #.d...q..^.TV:X.
    00f0 8b 53 14 7c 4f 05 67 bd 6e bc b7 ce 22 30 b9 87 .S.|O.g.n..."0..
    0100 7c 4f d0 1d 44 6f bb 83 c4 70 54 cf c0 1d c1 6b |O..Do...pT....k
    0110 9d db 3e 10 2e ee 0e 13 14 a8 69 bc 33 96 b0 71 ..>.......i.3..q
    0120 4b 82 49 aa 38 7d b3 b3 80 98 00 67 39 1a a7 26 K.I.8}.....g9..&
    0130 38 61 7c 35 c2 3d 32 a8 2b 27 f7 4e 71 de 65 a3 8a|5.=2.+'.Nq.e.
    0140 5e 29 28 ad a0 da 13 5c 91 3b a5 0b bd a4 f3 92 ^)(....\.;......
    0150 7d 5c c8 7b d7 cf 5a 1c e5 cc 53 5e 88 57 bd 49 }\.{..Z...S^.W.I
    0160 76 24 32 2f 82 d1 71 2b 16 60 7e ed 9b 7e 83 ee v$2/..q+.`~..~..
    0170 32 12 45 f1 d0 58 d2 57 86 a6 67 62 04 05 8d 3f 2.E..X.W..gb...?
    0180 96 ed cb 18 2d 10 1d 0a f7 ef f9 4b 92 b8 9e 2d ....-......K...-
    0190 59 a1 95 db f8 2e 38 80 b3 e9 54 18 bd 88 23 4f Y.....8...T...#O
    01a0 d0 36 31 fc 75 9b 76 62 79 80 45 ee 53 68 ba d7 .61.u.vby.E.Sh..
    01b0 cd 81 ad e2 89 ee 61 a7 71 22 60 10 bc 3e 34 e5 ......a.q"`..>4.
    01c0 62 87 e2 14 f7 c1 76 d2 8c 07 98 88 0e 89 84 db b.....v.........
    01d0 3a 34 ee 21 04 d6 fe 41 71 1d 38 63 90 9c 18 6e :4.!...Aq.8c...n
    01e0 ac 55 04 23 88 50 d7 8d 29 73 92 10 ec aa 58 fb .U.#.P..)s....X.
    01f0 4f bf ac 99 5b 31 09 f1 49 32 fa ab 3a 83 b4 0a O...[1..I2..:...
    0200 af 28 4f 76 f0 14 3e c5 f4 79 d5 bd e4 cc 11 e3 .(Ov..>..y......
    0210 6f 60 dd 73 d1 46 af 53 ea a5 95 a6 36 43 9e 50 o`.s.F.S....6C.P
    0220 01 87 a7 28 4f af 7a b1 0d 66 6c 62 e5 a7 37 e3 ...(O.z..flb..7.
    0230 29 db e9 ab 8a 2b 73 67 c3 94 81 cd ad 7b 8e 53 )....+sg.....{.S
    0240 fb aa 36 c5 db a8 9c 06 fb 41 8b cf b1 e7 5f d7 ..6......A...._.
    0250 66 af 42 5c 18 67 38 20 17 0c a4 49 0a 5b 77 70 f.B\.g8 ...I.[wp
    0260 10 fa 4f 1f a3 46 aa 97 ac 4f bf 62 31 49 05 b7 ..O..F...O.b1I..
    0270 64 a9 bd b3 6f e0 12 81 3f 43 b1 54 89 26 74 bc d...o...?C.T.&t.
    0280 dc b3 19 ac c0 ce 8b f5 38 1d 5f ed 07 10 eb 15 ........8._.....
    0290 ce 5c 15 9d 4a ee e6 19 0e 4c a2 8a cf 65 ae bd .\..J....L...e..
    02a0 ce 6f 6a b7 a5 20 8a ba f8 24 f0 e0 55 87 5e 59 .oj.. ...$..U.^Y
    02b0 1b 6d fc 48 0c 57 89 9a d9 4c e8 eb 5d 89 39 67 .m.H.W...L..].9g
    02c0 a4 b3 48 31 a4 1f 1d dc 5a cf e8 66 d1 73 50 64 ..H1....Z..f.sPd
    02d0 9b 49 ca 31 a0 99 16 dc 4d 78 95 d6 0a 38 33 62 .I.1....Mx...83b
    02e0 2c 8c ff 7b de ff c5 ae 7f 7d 9b c2 ed ec 84 5c ,..{.....}.....\
    02f0 4f 31 77 cd 76 58 54 88 cf e1 cd 7d de 51 c9 56 O1w.vXT....}.Q.V
    0300 7b 8d ba 4c 5c 32 8d 96 52 d1 50 26 43 89 6f 33 {..L\2..R.P&C.o3
    0310 4c 3a a5 eb 29 ee e6 eb 3a 6d 6f 4c 22 f3 ce 7e L:..)...:moL"..~
    0320 8e 02 f2 3a 41 f0 52 02 4f d8 13 7a ed a7 c8 fd ...:A.R.O..z....
    0330 af 53 5b ad e9 66 e3 f1 c5 e2 0b 51 5b 0a 15 b9 .S[..f.....Q[...
    0340 33 5f 4c 46 0d cc e2 4a 51 02 3b 1b a0 82 2b 09 3_LF...JQ.;...+.
    0350 ba 38 81 f4 8b 2e bd 95 2b 12 58 8f 23 d0 c5 3f .8......+.X.#..?
    0360 95 03 f7 ba 19 c4 b2 dd 99 7c 38 c0 27 9f 4a 96 .........|8.'.J.
    0370 79 d5 fe b8 ef bd 76 cc 4c 82 14 9c 31 a1 3f a4 y.....v.L...1.?.
    0380 80 e6 c6 b8 a1 f3 df 0c db fe 64 20 27 79 c2 f4 ..........d 'y..
    0390 ce 5f 92 44 11 1b 55 5c 65 10 6f 6f e7 e5 e3 d4 ._.D..U\e.oo....
    03a0 85 98 45 29 9b fe fa 24 ..E)...$
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    186
    I can't see what's wrong here. NFS will send fragmented packets, if you have
    rsize/wsize larger than an ethernet frame. But most of this is pretty odd.
    Ben Franklin said it best. "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    I agree with EaseZE...Fragmented packets are perfectly normal in most cases

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Well, it seems like you know what NFS is, so I will keep that part short. NFS is just Sun's version of file sharing (network file system) and it is usually something I turn off on the systems I administer (it can be just as bad as mickysoft netbios security wise if improperly setup and the authentication is very weak). The 'server' side would simply offer up one of its partitions using the 'share' command (or an entry in /etc/dfstab), and the client would just connect to it using the normal mount command, but the syntax is a little different (file system is nfs, not ufs, and I think you have to give it ipartition, been a while since i have done it). Also note that NFS can be used with NIS to share account information between multiple systems. If you are sure this is legitimate traffic (the nfs write does kind of concern me a little...), other than making sure you restrict access to those shares (through dfstab...hmm...just checked on this in Solaris 9 and it looks like it moved to /etc/dfs/dfstab....(from man share): share -F nfs -o ro=netgroup_name:rw=hostname /export/manuals

    Anyways, enough on that...

    Fragmentation is very very normal to see, think about it, say you transfer a 650kb gif...there is no way it is going to fit in one IP packet (max size of 1 packet is 65535 bytes I think), so that in and of itself would cause fragmentation, then on top of that, say your program tries to send out a 65kb (65535 bytes) IP packet...most devices along the way will not be able to handle a packet size that large (most common type of MTU is 1536/1492 or a wan), so then it would be further fragmented by the network in between the two computers talking (although depending on where it is reassembled you probably won't see that part of the fragmentation)...

    I normally would take a closer look at the packet contents, but what I would recommend doing is to look at those decodes with something like tcpdump, which does the automatic fragmentation offset for you...unless you see fragments with mismatched offsets, lots and lots of tiny fragments (56 bytes or so), or something along those lines, I wouldn't really worry about it. The two main reasons I am aware of that IDS flags off on fragmentation are that there is a class of DoS attacks that revolve around improper reassembly of fragmentation (they are pretty old, but teardrop is an example), you will clearly see that by looking at the fragmentation offset and making sure the packets don't overlap...takes time..but it's doable...or things like nmap or whisker will fragment in strategic places or in very small packets to try to evade things like IDS...in order for a signature based IDS to catch an attack that passes over very small packets, the IDS would have to reassemble all the packets and then check the signature...if there are thousands of fragmented packets, the hope is to overwhelm the IDS packet reassembly or to take up more memory than it has allocated to perform this, and then hopefully force the IDS to either analyze the thing early or drop it altogether...

    For example, say you had the ida overflow (index server) that code red uses and you wanted to maybe slip it by an overwhelmed IDS or one that can't do fragmentation reassembly...you would just send for example 7 packets that contained for example, (GE,T,/defaul,t.id,a?,NNNNN,NNNNN) instead of the GET /default.ida?NNNNNNNN that would instantly match a signature....


    Hope that makes a little sense, kinda rushed (busy at work)...

    /neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
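The checks neb describes (fragment offsets that line up end to end, no overlaps, no flood of tiny pieces) are easy to automate once the fragments of one datagram are grouped the way a receiver groups them: by source, destination, IP Identification and protocol. The script below is an added example, not code from the thread or from tcpdump/Ethereal. Its first sample train is built from the numbers in the first post (id 0xeed3, last piece at byte offset 7400 carrying 936 bytes of payload, More Fragments clear); the five earlier pieces are assumed to be full 1500-byte frames with 1480 bytes of payload, which is what the 1480-byte spacing of the offsets implies. The other two trains are constructed anomalies so the checker has something to flag. `TINY_FRAGMENT` is an assumed threshold, not a standard value.

```python
# Added example: offline sanity checker for IP fragment trains.
# Not from the original post or any tool named in the thread.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int     # IP Identification field, shared by every fragment of one datagram
    proto: int     # IP protocol number (0x11 = UDP)
    offset: int    # fragment offset in BYTES (the wire field counts 8-byte units)
    more: bool     # More Fragments flag
    payload: int   # bytes after the IP header (Total Length minus header length)

TINY_FRAGMENT = 64  # assumption: heuristic threshold for a "tiny" non-final fragment

TrainKey = Tuple[str, str, int, int]

def group_trains(frags: List[Fragment]) -> Dict[TrainKey, List[Fragment]]:
    """Group fragments by the 4-tuple a receiver uses to reassemble them."""
    trains: Dict[TrainKey, List[Fragment]] = {}
    for f in frags:
        trains.setdefault((f.src, f.dst, f.ip_id, f.proto), []).append(f)
    return trains

def check_train(train: List[Fragment]) -> dict:
    """Walk one train in offset order and report reassembly anomalies."""
    findings: List[str] = []
    expected = 0      # next byte offset a contiguous train should continue at
    total = None      # datagram length, known once the final fragment is seen
    for f in sorted(train, key=lambda x: x.offset):
        if f.offset % 8:
            findings.append(f"offset {f.offset} is not a multiple of 8")
        if f.more and f.payload % 8:
            findings.append(f"non-final fragment at {f.offset} carries {f.payload} bytes (not a multiple of 8)")
        if f.more and f.payload < TINY_FRAGMENT:
            findings.append(f"tiny fragment at {f.offset} ({f.payload} bytes)")
        if f.offset < expected:
            findings.append(f"overlap: fragment at {f.offset} starts before byte {expected}")
        elif f.offset > expected:
            findings.append(f"gap: no data between {expected} and {f.offset}")
        expected = max(expected, f.offset + f.payload)
        if not f.more:
            if total is not None:
                findings.append("more than one fragment has More Fragments clear")
            total = f.offset + f.payload
    if total is None:
        findings.append("incomplete: final fragment never seen")
    elif expected > total:
        findings.append(f"data extends past the declared end ({expected} > {total})")
    return {"total": total, "findings": findings}

def report(frags: List[Fragment]) -> Dict[TrainKey, dict]:
    return {key: check_train(train) for key, train in group_trains(frags).items()}

# Constructed sample mirroring the first post: the Frame 1 decode gives id 0xeed3,
# offset 7400, Total Length 956 (936 payload bytes) and More Fragments clear.
SRC, DST = "207.44.132.80", "207.44.154.82"
NFS_WRITE = [Fragment(SRC, DST, 0xEED3, 0x11, off, True, 1480)
             for off in (0, 1480, 2960, 4440, 5920)]
NFS_WRITE.append(Fragment(SRC, DST, 0xEED3, 0x11, 7400, False, 936))

# Constructed anomaly: the second fragment rewinds into the first (teardrop-style overlap).
OVERLAP = [Fragment("10.0.0.1", "10.0.0.2", 0x0001, 0x11, 0, True, 1480),
           Fragment("10.0.0.1", "10.0.0.2", 0x0001, 0x11, 1000, False, 200)]

# Constructed anomaly: a datagram sliced into tiny pieces.
TINY = [Fragment("10.0.0.1", "10.0.0.2", 0x0002, 0x11, 0, True, 16),
        Fragment("10.0.0.1", "10.0.0.2", 0x0002, 0x11, 16, True, 16),
        Fragment("10.0.0.1", "10.0.0.2", 0x0002, 0x11, 32, False, 40)]

if __name__ == "__main__":
    for key, result in report(NFS_WRITE + OVERLAP + TINY).items():
        status = "ok" if not result["findings"] else "SUSPECT"
        print(key, status, f"datagram length {result['total']}", *result["findings"], sep="\n  ")
```

The train taken from the capture checks out clean and reassembles to 8336 bytes, which is what you would expect from an 8 KB NFS write plus RPC and NFS headers (an inference from the numbers, not something the post states). The constructed overlap train is flagged twice (the rewind itself, and data running past the declared end), and the tiny train is flagged once per undersized non-final piece; a real capture would be fed in by parsing each fragment's IP header into a `Fragment` record.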
