Experiment 8 IP protocol experiment analysis


Note: The original experiment uses the ping command in the virtual machine to send IP packets to the host.

IP Fragmentation 

Reposted from blog: https://blog.csdn.net/u014594922/article/details/53514503

IP fragmentation is a technique for transmitting IP packets across a network. When the IP protocol transmits a data packet, the packet is divided into several fragments for transmission and reassembled in the target system.

Different link types stipulate different maximum lengths for link-layer data frames, which is called the link-layer MTU (Maximum Transmission Unit). The common Ethernet MTU is 1500. If the IP protocol transmits a data packet and the length of the IP packet is greater than the MTU of the forwarding interface, the packet is divided into several fragments for transmission. When the fragments arrive at the receiver, the receiver completes the reassembly.

The flags field occupies 3 bits: the R bit, the DF bit, and the MF bit (1 bit each).

R bit: reserved bit;

DF bit: whether fragmentation is allowed; 0 means fragmentation is allowed, and 1 means fragmentation is not allowed;

MF bit: whether there are other fragments after this fragment; 1 indicates that more fragments follow, and 0 indicates that this is the last fragment.

Experimental content

After Wireshark starts capturing packets, enter ping www.bilibili.com -l 3000 in cmd and execute it.

In Wireshark, enter icmp in the display filter. This shows 8 packets (4 requests and 4 replies).

Taking the first packet (packet 106) as an example, the IP packet has 3 fragments: packet 104, packet 105, and packet 106 (itself). The current filter condition hides the other fragments.

Change the filter condition to ip.addr==112.13.92.199 to display the other fragments (taking packet 106 and its fragments as an example).

Select packet 104: the second bit of the flags field in the IP header is set to 0, that is, fragmentation is allowed (1 means that fragmentation is not allowed); the third bit of the flags field is set to 1, that is, other fragments follow it. The fragment offset is 0, that is, this is the first fragment.

Select packet 105: the third bit of the flags field in the IP header is also set to 1, that is, other fragments follow it; the fragment offset is 1480.

Select packet 106: the third bit of the flags field in the IP header is set to 0, that is, no fragment follows, so this is the last fragment; the fragment offset is 2960 (1480 (packet 104) + 1480 (packet 105)).

The 3 fragments carry a total of 3008 bytes = 3000 bytes (the size set by the -l option of the ping command) + 8 bytes (ICMP header).

Hexadecimal representation of the fragment offset

Take packet 105 (the second fragment) as an example: its flag is MF=1 and its offset is 1480, expressed as 0x20b9 in hexadecimal.

0x20b9 converted to binary is:

001 0 0000 1011 1001. The first 3 bits are the 3 flag bits (in this example MF=1, that is, the third bit is set to 1), that is, 001; the last 13 bits are the fragment offset (in this example, fragment offset 1480 = 0xb9 (185) * 8, because the offset is counted in units of 8 bytes).

IP Fragmentation Attack 

Source: "IP fragmentation attack", Baidu Encyclopedia (baidu.com)

The IP header uses 2 bytes (16 bits) to represent the length of the entire IP data packet, so the longest IP data packet is 65535 (2^16) bits. Although in general the receiver will discard packets whose total length exceeds 65535, problems arise if the attacker constructs many small fragments, which may cause crashes or denial of service.
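As an added example (not part of the original post or the blog it reposts), the following Python code decodes the 16-bit flags/offset word discussed above and applies the checks a reassembler needs before accepting a fragment set: no gaps, no overlaps, and no reassembled length beyond what the Total Length field can express. The function names, the 20-byte header length, and the words 0x2000 and 0x0172 with the 48-byte last payload (derived from the offsets 0 and 2960 and the 3008-byte total) are assumptions.

```python
MAX_DATAGRAM = 65535   # largest value the 16-bit Total Length field can hold
IP_HEADER_LEN = 20     # assumption: IPv4 header without options

def decode_frag_word(word):
    """Split the 16-bit flags/offset word into (R, DF, MF, offset in bytes)."""
    return ((word >> 15) & 1, (word >> 14) & 1, (word >> 13) & 1,
            (word & 0x1FFF) * 8)   # low 13 bits count 8-byte units

def check_fragments(frags):
    """frags: iterable of (flags/offset word, payload length in bytes).

    Returns (status, bytes covered so far); status is one of complete,
    incomplete, gap, overlap, unaligned, oversize, data-after-last.
    """
    end, last_seen = 0, False
    for word, length in sorted(frags, key=lambda f: f[0] & 0x1FFF):
        _, _, mf, offset = decode_frag_word(word)
        if IP_HEADER_LEN + offset + length > MAX_DATAGRAM:
            return "oversize", end       # cannot belong to a legal datagram
        if last_seen:
            return "data-after-last", end
        if offset < end:
            return "overlap", end
        if offset > end:
            return "gap", end
        if mf and length % 8:
            return "unaligned", end      # only the last fragment may be ragged
        end, last_seen = offset + length, not mf
    return ("complete" if last_seen else "incomplete"), end

# Constructed from the capture described above: packets 104, 105 and 106.
EXPERIMENT = [(0x2000, 1480), (0x20B9, 1480), (0x0172, 48)]

if __name__ == "__main__":
    print(decode_frag_word(0x20B9))
    print(check_fragments(EXPERIMENT))
```
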

Origin blog.csdn.net/qq_53401568/article/details/128309258