Explore new firmware that’s helping organizations see attacks as they happen.

Nov 03 2015

Security attacks are constantly evolving, making it harder for your intrusion detection and prevention systems (IDS and IPS, respectively) to keep pace. Network security professionals have been contending with a variety of vulnerabilities for years, and while most network devices will drop certain types of malicious packets, it’s still important to keep an eye on the source of the threat to ensure you are detecting and preventing future malware variants. Gaining visibility into IP fragmentation attacks has been a difficult security challenge. Until now.

IP fragmentation occurs when the data being transmitted over a network connection exceeds the receiving network’s maximum transmission unit (MTU) and must be broken down into smaller fragments. Once the fragments reach their destination, they are reassembled. This process can benefit networks by:

• Enforcing traffic ordering by allowing priority packet fragments to get processed first
• Providing compatibility to network devices with a lower MTU than the size of the packet going over the network
• Optimizing the network’s overall performance

However, IP fragmentation also introduces opportunities for hackers to inject malicious data into your network, bypassing certain security devices like firewalls or your IDS or IPS. Most of these devices have been designed with measures to mitigate this type of attack, but two common strategies used by hackers have been found to successfully bypass these security features.

How Hackers Use IP Fragmentation to Get Into Your Network

1. Tiny Fragments: Some security devices filter out unwanted traffic by looking at specific parts of the packet header. With Tiny Fragments, however, hackers can break the header, which can be as large as 60 bytes, into fragments as small as 8 bytes. Since the entire packet isn’t available for the device to analyze, the fragments could pass through, including malicious data.

2. Overlapping Fragments: This method takes advantage of the reassembly process that happens after fragments have been filtered by the IDS. Pieces of malicious data are initially transmitted with “safe” criteria in the header along with random data, allowing them through the filters. Later, the remainder of the attack is sent under the same criteria, so it also passes through undetected and then overwrites the random data during reassembly to complete the attack.
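
A detection-side sketch of the two patterns above, added here as an example; it is not Datacom Systems' firmware logic or code from the original article. The function names, the 20-byte threshold for a non-final fragment, and the sample packets are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

IP_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header layout
MIN_NONFINAL_PAYLOAD = 20  # assumed threshold: room for a minimal TCP header

def parse_ipv4(pkt):
    """Extract the fragmentation fields from a raw IPv4 packet."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = \
        struct.unpack(IP_HDR, pkt[:20])
    start = (flags_off & 0x1FFF) * 8           # fragment offset is in 8-byte units
    length = total_len - (ver_ihl & 0x0F) * 4  # payload bytes after the IP header
    more = bool(flags_off & 0x2000)            # MF (more fragments) flag
    return (src, dst, proto, ident), more, start, start + length

def inspect(packets):
    """Return (packet index, reason) for tiny or overlapping fragments."""
    alerts, seen = [], defaultdict(list)
    for i, pkt in enumerate(packets):
        key, more, start, end = parse_ipv4(pkt)
        if not more and start == 0:
            continue                           # unfragmented datagram
        if more and end - start < MIN_NONFINAL_PAYLOAD:
            alerts.append((i, "tiny"))
        # Two fragments of one datagram claiming the same byte range.
        if any(start < e and s < end for s, e in seen[key]):
            alerts.append((i, "overlap"))
        seen[key].append((start, end))
    return alerts

def build(ident, offset, more, payload_len):
    """Constructed sample packet: IPv4 header (checksum 0) plus zero payload."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack(IP_HDR, 0x45, 0, 20 + payload_len, ident, flags_off,
                       64, 6, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 7])) + bytes(payload_len)

SAMPLE = [                       # constructed traffic, not a real capture
    build(1, 0, True, 1480),     # normal first fragment
    build(1, 1480, False, 520),  # normal last fragment
    build(2, 0, True, 8),        # 8-byte first fragment: header is split
    build(2, 8, False, 32),
    build(3, 0, True, 64),
    build(3, 32, False, 64),     # re-covers bytes 32..63 of datagram 3
    build(4, 0, False, 100),     # not fragmented
]

if __name__ == "__main__":
    print(inspect(SAMPLE))
```

The overlap check also fires on an exact duplicate of an earlier fragment, so a monitoring tool using this approach would want to compare payload bytes before treating a repeat as hostile.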

A strong security architecture needs to be able to identify and stop attacks, but also identify their source and prevent future iterations or variations of the original attack. Datacom Systems has recently released Version 1.4 firmware for several of our VERSAstream™ network packet brokers, allowing access to fragmented packets that will provide connected monitoring tools with enhanced visibility. This will help monitoring tools like firewalls, IDS, and IPS to better detect instances of attacks that are using tiny or overlapping fragmented packets. These typically unseen packets can now be visualized and their sources identified to prevent future security issues.