For a while now, some of the more advanced commercial penetration testing tools have used packet fragmentation techniques to obfuscate vulnerability checks or exploit attempts in an effort to bypass legacy firewall and intrusion detection systems (IDS).
Depending on the actual device defending the network, there are usually multiple fragmentation techniques and packet-size combinations that are capable of squeezing exploit material past each class of protection device on a network.
As customers deploy and rely on ever more advanced intrusion prevention systems (IPS), which automatically block malicious attacks, there has been a growing need in testing to use tools that employ a range of fragmentation techniques.
By using multiple packet fragmentation techniques, the security consultant is not only able to test the security of the targeted host, but also the robustness of the network-based protection system.
Some fragmentation techniques are more successful than others, depending on the networking protocol being used by the vulnerable service under investigation.
For example, the technique of overlapping packet fragments – so that subsequent packets overwrite a few bytes of the previous packet – tends to be effective for text-based protocols such as HTTP.
However, by using tools that combine further obfuscation techniques with fragmentation (such as using chunked encoding within an HTTP POST packet), the security consultant has a higher probability of remaining undetected and delivering an exploit payload.
In fact, the combination of overlapping packet fragments and chunked encoding is so successful at delivering a payload to a web server that it will bypass many current-generation network protection systems.
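As an added illustration (not code from the original article), the following sketch shows the two steps a detection engine has to perform before string matching on HTTP traffic can be meaningful: rebuild the stream from overlapping segments, flagging bytes where the overlap is contradictory, and then decode the chunked framing. The segment offsets, sample POST body and signature pattern are all constructed for this example.

```python
import re
# Constructed stand-in for a detection signature; no real rule content is on the page.
SIGNATURE = re.compile(rb"cmd=/bin/sh")

def reassemble(segments, policy="first"):
    """Rebuild a byte stream from (offset, data) segments that may overlap.
    policy='first' keeps bytes already written; 'last' lets a later segment overwrite.
    Returns (stream, conflicts): offsets where two segments supplied different bytes."""
    buf, conflicts = [], []
    for off, data in segments:
        end = off + len(data)
        if end > len(buf):
            buf.extend([None] * (end - len(buf)))  # None marks a byte not yet seen
        for i, byte in enumerate(data):
            pos = off + i
            if buf[pos] is not None and buf[pos] != byte:
                conflicts.append(pos)  # reassembly here depends on the receiving host
                if policy == "first":
                    continue
            buf[pos] = byte
    return bytes(b if b is not None else 0 for b in buf), conflicts

def decode_chunked(body):
    """Decode an HTTP/1.1 chunked transfer-encoded body; None if malformed."""
    out, pos = bytearray(), 0
    try:
        while True:
            line_end = body.index(b"\r\n", pos)
            size = int(body[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
            pos = line_end + 2
            if size == 0:
                return bytes(out)
            out += body[pos:pos + size]
            pos += size + 2  # skip the chunk data and its trailing CRLF
    except ValueError:
        return None

def matches_raw(segments):
    """Naive engine: pattern-match each segment as it arrives, no reassembly."""
    return any(SIGNATURE.search(data) for _, data in segments)

def matches_reassembled(segments, policy):
    """Reassemble, decode the chunked framing, then match on the recovered body."""
    stream, _ = reassemble(segments, policy)
    body = decode_chunked(stream)
    return body is not None and SIGNATURE.search(body) is not None

# Constructed POST body in two overlapping segments; the second overwrites offset 9.
SEGMENTS = [(0, b"4\r\ncmd=\r\n2"), (9, b"7\r\n/bin/sh\r\n0\r\n\r\n")]
```

The naive matcher never sees the pattern, and the reassembled result differs between the two policies, so an engine that does not know which policy the protected host applies should treat conflicting overlaps as an alert condition in their own right rather than silently picking one.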
In the past, many pentesting clients have been surprised to learn that these fragmentation techniques can be used so successfully to bypass their network security. The process of reassembling fragmented packets and identifying their malicious payloads can be very difficult, as well as dangerous for the protection device, as evidenced by the numerous security alerts published on mailing lists such as Bugtraq. Protection systems that rely on string matching and regular expression engines tend to suffer the most and, as a result, are the easiest to defeat.
For a pentester, the adage "fragmentation is my friend" is quite appropriate. In several tests, fragmentation could be used not only to slip exploit payloads past perimeter defences, but also to tunnel data and banned network traffic out of the organisation – accessing external IM services and transferring files, for example.
For many years, there have been a number of open-source or free attack tools available that specialise in the use of packet fragmentation. Over the past few years, some "boutique", commercial penetration tools that include packet fragmentation have also become available.
Today, however, many of the new tools used by attackers provide packet fragmentation as a standard capability that can be tuned just by selecting a few tick-boxes.
It is becoming increasingly important, therefore, that organisations correctly identify network traffic that uses packet fragmentation to hide attacks, and that their protection systems are up to the job.
With the almost ubiquitous deployment of network detection systems, not only are malicious attackers using packet fragmentation to obfuscate their attacks, but several automated worms and bots now also come fully equipped with an array of fragmentation routines ready for use.
The expectation is that specialist packet fragmentation techniques will become more prevalent and be included by default in most tools or applications.
As a result, information security professionals will increasingly need to understand these different techniques, and be capable not only of detecting when they are used, but also of regularly employing them in testing their network defences.
Gunter Ollmann is director of X-Force, Internet Security Systems