Network Working Group I. Miller Request for Comments: 3128 Singularis Ltd Updates: 1858 June 2001 Category: Informational
Network Working Group I. Miller Request for Comments: 3128 Singularis Ltd Updates: 1858 June 2001 Category: Informational
Protection Against a Variant of the Tiny Fragment Attack
防止微小碎片攻击的变体
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2001). All Rights Reserved.
版权所有(C)互联网协会(2001年)。版权所有。
Abstract
摘要
This document discusses how RFC 1858 compliant filters can be vulnerable to a variant of the "Tiny Fragment Attack" described in section 3.1 of the RFC. This document describes the attack and recommends corrective action.
本文档讨论了RFC 1858兼容过滤器如何容易受到RFC第3.1节中描述的“微小碎片攻击”变体的攻击。本文档描述了攻击并建议采取纠正措施。
RFC 1858 provides an excellent description of a class of attack on Internet firewalls and proposes countermeasures. However one of these countmeasures, the "Indirect Method" (section 3.2.2) is vulnerable to a combination of two of the attacks described.
RFC1858对互联网防火墙上的一类攻击进行了出色的描述,并提出了应对措施。然而,作为这些措施之一,“间接法”(第3.2.2节)容易受到上述两种攻击的组合。
The attack combines the features of the "Tiny Fragment Attack" (section 3) and the "Overlapping Fragment Attack" (section 4).
该攻击结合了“微小碎片攻击”(第3节)和“重叠碎片攻击”(第4节)的特点。
Where the filtering rules allow incoming connections to a machine AND there other ports which allow only outgoing connections on the same host, the attack allows incoming connections to the supposedly outgoing-only ports.
如果过滤规则允许到机器的传入连接,并且有其他端口只允许在同一主机上的传出连接,则攻击会允许到假定只允许传出的端口的传入连接。
Note that only the initial connection message need be fragmented. Once the connection is established further traffic on it is legal. The significance of this weakness will depend on the security policy in force.
请注意,只有初始连接消息需要分段。一旦建立了连接,其上的进一步通信是合法的。这一弱点的重要性将取决于现行的安全政策。
The attack typically consists of sending three fragments.
攻击通常包括发送三个片段。
Fragment 1: (Fragment offset = 0; length >= 16) Includes whole header and is entirely legal. Typically it describes a SYN packet initiating a new TCP connection to a port on the target host that is allowed to receive incoming connections. e.g., Incoming connection to port 25 SMTP.
片段1:(片段偏移量=0;长度>=16)包含整个标头,完全合法。通常,它描述一个SYN数据包,该数据包启动到目标主机上允许接收传入连接的端口的新TCP连接。e、 例如,到端口25 SMTP的传入连接。
Fragment 2: (Fragment offset = 0; length = 8) Is only the first 8 bytes and could be legal depending on the other 8-bytes of the header, but is NOT legal combined with the corresponding bytes from Fragment 1. Such a fragment includes only the port numbers and sequence number from the TCP header. Typically this packet replaces the destination port number with a port number on which the destination host that is not allowed to receive incoming connections.
片段2:(片段偏移量=0;长度=8)仅为头8个字节,根据报头的其他8个字节可能是合法的,但与片段1中的相应字节组合不合法。这样的片段只包括TCP报头中的端口号和序列号。通常,此数据包将目标端口号替换为目标主机不允许接收传入连接的端口号。
Fragment 3: (Fragment offset >= 2; length = rest of message) Contains no header and completes the message. (This third fragment is not part of the attack. However Fragment 1 cannot be the complete message or it would be passed up to the application before Fragment 2 arrived so a third fragment is necessary.)
片段3:(片段偏移量>=2;长度=消息的其余部分)不包含头并完成消息。(这第三个片段不是攻击的一部分。但是片段1不能是完整的消息,或者它会在片段2到达之前传递给应用程序,因此需要第三个片段。)
Consider the following trivial set of rules for incoming packets:
考虑传入分组的以下普通规则集:
+---+-------+-------+-------+-------+-----------------------+ | No|Action | Source| Dest. | Flags | Purpose | | | | Port | Port | | | +===+=======+=======+=======+=======+=======================+ | 1 |Permit | >1023 | SMTP | ANY | Incoming E-mail | +---+-------+-------+-------+-------+-----------------------+ | 2 |Permit | >1023 | ANY | Ack=1| Existing FTP data | | | | | | channel connections. | +---+-------+-------+-------+-------+-----------------------+ | 3 |Deny | ANY | ANY | ANY | Default deny | +---+-------+-------+-------+-------+-----------------------+
+---+-------+-------+-------+-------+-----------------------+ | No|Action | Source| Dest. | Flags | Purpose | | | | Port | Port | | | +===+=======+=======+=======+=======+=======================+ | 1 |Permit | >1023 | SMTP | ANY | Incoming E-mail | +---+-------+-------+-------+-------+-----------------------+ | 2 |Permit | >1023 | ANY | Ack=1| Existing FTP data | | | | | | channel connections. | +---+-------+-------+-------+-------+-----------------------+ | 3 |Deny | ANY | ANY | ANY | Default deny | +---+-------+-------+-------+-------+-----------------------+
Fragment 1: attacker(1234) -> target(SMTP) Ack=0 This is a new SMTP connection and is permitted by rule 1.
片段1:攻击者(1234)->目标(SMTP)确认=0这是一个新的SMTP连接,规则1允许。
Fragment 2: attacker(1234) -> target(Telnet=23) Ack=absent All fields present conform to rule 2, as it could be the start of an FTP packet.
片段2:attacker(1234)->target(Telnet=23)Ack=缺席存在的所有字段都符合规则2,因为它可能是FTP数据包的开始。
Depending on the precise implementation of the fragment reassembly in the target machine's IP stack, fragment B may overwrite fragment A to produce:-
根据目标机器IP堆栈中片段重组的精确实现,片段B可能覆盖片段A以产生:-
attacker(1234) -> target(Telnet) Ack=0 (new telnet connection)
attacker(1234) -> target(Telnet) Ack=0 (new telnet connection)
The Indirect Method attempts to solve both Tiny Fragment and Overlapping Fragment attacks, solely by rejecting packets with FO=1. However none of the above fragments have FO=1, so none are rejected.
间接方法试图通过拒绝FO=1的数据包来解决微小片段攻击和重叠片段攻击。但是,上面的片段都没有FO=1,因此没有一个被拒绝。
The failure is clear on careful reading. In section 3.2.2 "Indirect Method", RFC 1858 states:-
仔细阅读,失败是显而易见的。在第3.2.2节“间接法”中,RFC 1858规定:-
The indirect method relies on the observation that when a TCP packet is fragmented so as to force "interesting" header fields out of the zero-offset fragment, there must exist a fragment with FO equal to 1.
间接方法依赖于这样的观察:当一个TCP数据包被分段以迫使“感兴趣的”头字段离开零偏移量片段时,必须存在一个FO等于1的片段。
This is normally true where the fragments are genuine fragments, generally by bona fide software, but it is simply not true that a hacker forging fragments is forced to produce an FO=1 fragment simply because (s)he has produced an 8-byte FO=0 fragment. The vulnerability flows from this false premise.
通常情况下,当碎片是真正的碎片时,这是正确的,通常是由真正的软件生成的,但伪造碎片的黑客仅仅因为生成了一个8字节的FO=0碎片而被迫生成FO=1碎片则不是正确的。漏洞来自于这个错误的前提。
Whereas apparently very elegant, RFC 1858's Indirect Method is not robust. In addition to blocking FO=1 packets, it is also necessary to block FO=0 that hold less than a complete header.
虽然RFC1858的间接方法看起来非常优雅,但并不可靠。除了阻止FO=1数据包之外,还需要阻止FO=0数据包,该数据包包含的数据头少于一个完整的数据头。
if FO=0 and PROTOCOL=TCP and TRANSPORTLEN < tmin then DROP PACKET if FO=1 and PROTOCOL=TCP then DROP PACKET
如果FO=0且协议=TCP且TRANSPORTLEN<tmin,则丢弃数据包;如果FO=1且协议=TCP,则丢弃数据包
This memo is concerned entirely with the security implications of filtering fragmented IP packets.
本备忘录完全关注过滤碎片化IP数据包的安全影响。
Ian Miller Singularis Ltd 32 Stockwell Street Cambridge CB1 3ND UK
Ian Miller Singularis有限公司英国剑桥市斯托克韦尔街32号CB1 3ND
Phone: +44 1223 511943 EMail: Ian_Miller@singularis.ltd.uk
Phone: +44 1223 511943 EMail: Ian_Miller@singularis.ltd.uk
Copyright (C) The Internet Society (2001). All Rights Reserved.
版权所有(C)互联网协会(2001年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。