IP Fragmentation

Network Security Spring 2021

The goals of this lab are to:

  1. Learn how to inject packets into live networks using raw sockets
  2. Learn about IP fragmentation and the “Ping of Death”

IP Fragmentation

As discussed in lecture, the way that IP fragment offsets are represented in IPv4 headers allows one to incorrectly specify a fragment offset that is larger than the maximum size of an IP datagram as represented by the total length field. That is,

\[ 2^{16} - 21 = 65515 < 65528 = (2^{13} - 1) \cdot 8 \]

If a developer is not careful, one might assume that fragment reassembly buffers could be safely preallocated to be the maximum size of an IP datagram. But, because of the above equation, that assumption is unsafe and could lead to buffer overflows in IP fragment reassembly code.

Exploiting a Vulnerable IP Implementation

The file netsec-lab-ip_frag.img in Canvas contains a vulnerable service that runs a user space TCP/IP stack implemented using picotcp. This implementation has been patched to be vulnerable to the ping of death. Your goal is to exploit this vulnerability and crash the service. The service has been compiled with AddressSanitizer, so any overflow will immediately cause a crash.

The vulnerable TCP/IP stack is exposed to external network traffic via a UDP bridge. To reach the vulnerable network stack, you will need to direct datagrams to the IP address of the container on port 22200/udp. Those datagrams in turn should encapsulate the IP fragments you want to direct to the vulnerable network stack. (You can think of this as a very rudimentary VPN, where the container terminates the VPN traffic and re-injects the encapsulated traffic onto the link connected to the vulnerable stack.)

To construct and inject your packets, you may find libraries such as scapy to be useful.

You can load and run the target image like so:

$ docker load <netsec-lab-ip_frag.img
$ docker run -it --rm -p 22200:22200/udp --privileged netsec-lab-ip_frag

Note that additional capabilities provided by --privileged are needed to create a tap device and access it in promiscuous mode inside the container.

Lab Objectives

Write a program that exploits the vulnerable TCP/IP stack using the ping of death.

Submission Instructions

Package your group’s solution as a gzipped TAR archive. Your solution should expand to the following directory structure.

$ tree -F ip_fragmentation
├── Dockerfile
└── src/

Building and running your image with the target container socket address given as an argument as usual should result in a crash in the target container.

Submit the solution archive to Canvas.