What does IP fragment reassembly do?

sebastan_bach
Level 4

Hi, can someone please tell me what the meaning of the IP reassembly mode in the global configuration is, where it gives an option for the operating system?

I mean, what does this option actually do?

Can someone please guide me.

regards

sebastan

Accepted Solution

When a datagram is fragmented by normal methods there is never any fragment overlap or overwrite. Where one fragment ends, the next fragment begins at the very next bit. And all operating systems assemble these fragments exactly the same.

But fragments can and sometimes do overlap. One fragment might end at, say, byte 1400. The next fragment should begin at byte 1401, but on occasion you will have an overlap where that next fragment begins at byte 1399 or earlier. So long as both fragments have the exact same data for those bytes that overlap, the packet will still be reassembled the same by all operating systems.

BUT if the 2 fragments have DIFFERENT data for that same area of the reassembled datagram, then we call this an overwrite. And each operating system can have a different way of dealing with the overwrites and choosing which data to accept.

Say for example that the first fragment ended at byte 1400 and had "ab" at bytes 1399 and 1400.

The next fragment is an overwrite and begins at byte 1399 and has "xy" at bytes 1399 and 1400.

One operating system will reassemble these and end up with "ab", while another will reassemble and end up with "xy".

Each operating system has its own method of determining whether it will be "ab" or "xy".

In fact there are about 8 different ways that these packets can be reassembled depending on how they were sent, how they overlap, and their offset order.

Hackers understand this and will use it to attempt to evade the sensor.

The hacker will determine the operating system of the end host and will then try to send his attack in such a way that the end host will see it as "ab" and get hacked, but the sensor reassembles it as "xy" and thinks there is nothing wrong.

It would be great if the sensor could reassemble the fragments and analyze them in every one of the 8 possible ways that operating systems can reassemble them.

But this is too CPU and memory intensive for the sensor to be able to handle.

So instead of trying all 8 possibilities, the user chooses the operating system that is the most common in their network. The sensor will then reassemble the fragments in the same method as that operating system.

Understand that this ONLY applies to Fragment OverWrites.

For normal fragments where one fragment ends and the next begins, and for fragment Overlaps where both fragments have the same data, this setting doesn't matter because all operating systems will reassemble them the same way.

So if you are concerned about this, then you need to monitor for the fragment OverWrite alarm.

The operating system configuration only comes into play when the fragments OverWrite one another, and you will see the fragment OverWrite alarm being triggered.


7 Replies

jlimbo
Level 1

Fragment re-assembly allows fragmented packets to be re-assembled on the sensor for analysis.

For more information please refer to the following link:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/clisgdef.htm#wp1060109

Hi, thanks a lot for the link, it was very useful.

But I still have one doubt regarding the same.

The document says IP reassembly mode identifies the method the sensor uses to reassemble IP fragments based on the operating system.

Does it mean that when the selected option is NT, the sensor will reassemble IP fragments the way NT operating systems reassemble IP fragments?

Why is this option dependent on the operating system?

Is fragment reassembly handled differently by Windows and Unix systems?

What if I have a network which is a mixture of NT, Solaris, and Unix? Then how would I use this feature?

Can you please help me with these silly doubts? It will be of great help to me. Thanks.

Waiting for your reply.

regards

sebastan

Hi marcabal, thanks a lot man. You have explained it so well, really great.

Buddy, does this apply to promiscuous mode also, or only to inline mode?

Waiting for your reply.

regards

sebastan

Hi buddy, there is still one doubt about the same. As you said, the fragment reassembly mechanism is for fragments with different data for the same area of the reassembled datagram.

In the example you mentioned, when the 2 fragments arrive at the IPS sensor, say the sensor reassembles them as "xy" and finds no malicious activity and passes the fragments to the end host.

Since there were 2 fragments, won't the IPS drop the other fragment?

Just curious about the same.

Waiting for your reply.

Please reply back.

regards

sebastan

The reassembly method only applies to promiscuous sensors.

With a promiscuous sensor both fragments will get to the end host, and the sensor has to make a guess at how to reassemble them when they have an overwrite.

The reassembly configuration does NOT apply to InLine sensors.

Why?

The sensor does not have to make a guess at what the end host will do.

The sensor will either deny the overwriting fragments and stop both fragments from ever getting to the end host,

OR it can be configured to modify the packets. When modifying the packets the sensor will remove the overwriting data from one of the packets. It will in effect shrink one of the fragments so the data for that area of the packet exists in only one of the packets.

The end host then will NOT see an overwrite. So all end hosts will see them as normal fragments, and all types of operating systems will assemble them the same way.

The InLine sensor, therefore, does not have to make a guess at what the end host operating system is.
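As an added example (not code from this thread or from Cisco), here is a small Python model of what the accepted answer and the reply above describe: the same two fragments reassembled under two overlap policies, the overlap-versus-overwrite check behind the alarm, and the inline-style trimming that removes the overwrite before the host sees it. Fragments are modelled as (byte offset, payload) pairs in arrival order; the policy names "first" and "last", the function names and the sample fragments are constructed for this example, and the 8-byte granularity of real IPv4 fragment offsets is ignored.

```python
"""Toy model of IP fragment reassembly under different overlap policies.

Fragments are (byte_offset, payload) pairs in arrival order.  Real IPv4 carries
fragment offsets in 8-byte units, and a sensor or host would also key on IP ID,
source, destination and protocol; the model ignores all of that so the policy
logic stays visible.  Policy names, function names and sample data are
constructed for this example.
"""

Fragment = tuple[int, bytes]

POLICIES = ("first", "last")  # earlier fragment wins / later fragment wins


def reassemble(frags: list[Fragment], policy: str) -> bytes:
    """Rebuild the datagram; for a byte already filled, apply the policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    buf = bytearray()
    filled = bytearray()  # 1 where a byte has already been written
    for off, data in frags:
        end = off + len(data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            filled.extend(bytes(end - len(filled)))
        for i, b in enumerate(data):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = b
            filled[pos] = 1
    if 0 in filled:
        raise ValueError("datagram has a hole; cannot reassemble")
    return bytes(buf)


def classify(frags: list[Fragment]) -> str:
    """'none', 'overlap' (shared bytes agree) or 'overwrite' (shared bytes differ)."""
    seen: dict[int, int] = {}
    verdict = "none"
    for off, data in frags:
        for i, b in enumerate(data):
            pos = off + i
            if pos in seen:
                if seen[pos] != b:
                    return "overwrite"  # the case the sensor alarms on
                verdict = "overlap"
            else:
                seen[pos] = b
    return verdict


def normalize(frags: list[Fragment]) -> list[Fragment]:
    """Inline-style fix-up: drop from each fragment every byte an earlier
    fragment already carried, splitting it if the covered region is in the
    middle.  The result has no overlap, so every policy reassembles it alike."""
    covered: set[int] = set()
    out: list[Fragment] = []
    for off, data in frags:
        start = None
        for i in range(len(data) + 1):
            fresh = i < len(data) and (off + i) not in covered
            if fresh and start is None:
                start = i
            elif not fresh and start is not None:
                out.append((off + start, data[start:i]))
                start = None
        covered.update(range(off, off + len(data)))
    return out


# Constructed sample: fragment 1 covers bytes 0..1400 and ends in "ab";
# fragment 2 starts at 1399 and carries "xy" for those same two bytes.
FRAG1: Fragment = (0, b"A" * 1399 + b"ab")
FRAG2: Fragment = (1399, b"xy" + b"B" * 98)
FRAG2_SAME: Fragment = (1399, b"ab" + b"B" * 98)  # benign overlap, same data


def evasion(sensor_policy: str, host_policy: str, attack: bytes = b"xy") -> dict:
    """Promiscuous case: both fragments reach the host and the sensor only
    guesses.  Returns what each side sees plus the alarm classification."""
    frags = [FRAG1, FRAG2]
    return {
        "sensor_sees_attack": attack in reassemble(frags, sensor_policy),
        "host_sees_attack": attack in reassemble(frags, host_policy),
        "alarm": classify(frags),
    }


if __name__ == "__main__":
    print(reassemble([FRAG1, FRAG2], "first")[1399:1401])  # b'ab'
    print(reassemble([FRAG1, FRAG2], "last")[1399:1401])   # b'xy'
    print(evasion(sensor_policy="first", host_policy="last"))
    print(normalize([FRAG1, FRAG2]))  # second fragment shrunk to offset 1401
```

With the sensor set to "first" and the host reassembling as "last", `evasion()` reports the host seeing the attack bytes while the sensor does not, which is exactly the gap the overwrite alarm is meant to flag. Running the same fragments through `normalize()` first leaves fragment 2 starting at byte 1401, after which `classify()` returns "none" and both policies produce identical output.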

Hi marcabal, thanks a lot once again.

But as you said, this feature can be used in promiscuous mode only. Then in promiscuous mode the overwrite packets have anyway reached the end hosts, because the sensor is receiving a capture of the packets.

Then how will the sensor treat the packet? I mean, what sense does it make for the sensor to reassemble the packet?

I mean, if there was an attack in the overwrite, then the attack has already reached the host.

I am not getting it. Maybe I am missing something very silly or I am just goofing up.

Can you help me buddy? It would be of great help to me. Thanks once again. Waiting for your reply.

regards

sebastan
