Tag Archives: security

BCP38 – RFC2827 Network Ingress Filtering: Defeat DoS with Forged Source Addresses


This Best Current Practice document outlines a common-sense approach to preventing Denial of Service (DoS) attacks that use forged (spoofed) source IP addresses. Note that the document does not provide advice for preventing DoS attacks carried by traffic with valid source addresses. The techniques in this document are also valuable because they ensure you can track ingress traffic back to a legitimate and unique source address.

Of particular concern is when the attacker spoofs the address of another legitimate organization. This might result in that organization's legitimate traffic being filtered, or worse, a false accusation of wrongdoing against that organization. The other organization's systems might also be subjected to the SYN-ACK traffic sent back by the attacked organization.

Remember, flood-type attacks sourced from unreachable addresses are also dangerous, because resources on the attacked device become depleted as it reserves resources in an attempt to respond to the incoming traffic.

The Best Current Practice recommends an ingress filter which restricts the traffic accepted to only that sourced from the legitimate network or networks that exist behind the filtering device.

The document also makes it clear that certain forms of special services might be impacted with such filters. For example, Mobile IP could be problematic in such an environment.

Should you be interested in reading the full document as you prepare for your written exam – it is located here.

The Mechanics of IPv4 Fragmentation


It is important that we understand IPv4 fragmentation as we study for many Cisco and related certifications.

Remember that the IPv4 header has several fields and flags within fields that are critical to this process. This article will review the process and will also point out these important values in the IPv4 header that are critical to the process.

When the sending router in the IPv4 network sees the MTU cannot accommodate the packet size, it will fragment the packet. The key to this process is the fact that the receiving system must be provided with the appropriate information in order for it to perform the reassembly.

The first critical field is the Total Length field in the IPv4 header. After fragmentation, this value indicates the total length (header plus data) of each individual fragment, not of the original datagram.

A unique identifier is assigned to each message being fragmented. This value is placed in the Identification field in the IPv4 header of each fragment sent. The Identification field is 16 bits wide, so a total of 65,536 different identifiers can be used. The source device decides on the specific method for ensuring each ID value is unique.

Another key value in the header that is used is the More Fragments flag. This flag is set to a 1 for all fragments except the last one, which is set to 0. When the fragment with a value of 0 in the More Fragments flag is seen, the destination knows it has received the last fragment of the message.

The other critical field is the Fragment Offset field. This field solves the problem of sequencing fragments by indicating to the recipient device where in the overall message each particular fragment should be placed. The field is 13 bits wide, so the offset can be from 0 to 8191. Offsets are specified in units of 8 bytes, which is why the data portion of every fragment except the last must be a multiple of 8 bytes.

While the above recaps what is required for the fragmentation process, there are some other values in the header that are related to fragmentation. Let’s quickly review those:

  • The Copied option – if a packet containing options must be fragmented, some of the options may be copied to each of the fragments – this is controlled by the Copied setting in each option field.
  • The Don’t Fragment flag – this flag can be set to 1 by a transmitting device to specify that a datagram not be fragmented in transit. This is also often used for testing the maximum transmission unit (MTU) of a link.
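To tie the fields above together, here is an added example (not code from the original post) that fragments a constructed payload against a link MTU, filling in Total Length, Identification, More Fragments and Fragment Offset for each piece, and then reassembles the message while detecting a missing or out-of-order fragment. It assumes a 20-byte header with no options and works with plain Python dictionaries rather than real packets.

```python
IHL_BYTES = 20  # assumption: IPv4 header without options

def fragment(payload: bytes, mtu: int, ident: int, dont_fragment: bool = False):
    """Split payload into fragments that fit mtu; return a list of header dicts."""
    if not 0 <= ident <= 0xFFFF:                 # Identification is 16 bits wide
        raise ValueError("identification must fit in 16 bits")
    if IHL_BYTES + len(payload) <= mtu:          # fits: single unfragmented datagram
        return [dict(id=ident, mf=0, offset=0,
                     total_length=IHL_BYTES + len(payload), data=payload)]
    if dont_fragment:                            # DF=1: router must drop instead
        raise ValueError("DF set and datagram exceeds MTU")
    # Data per fragment must be a multiple of 8 because Offset counts 8-byte units.
    chunk = (mtu - IHL_BYTES) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU leaves no room for fragment data")
    frags = []
    for pos in range(0, len(payload), chunk):
        data = payload[pos:pos + chunk]
        last = pos + chunk >= len(payload)       # MF=0 only on the final fragment
        if pos // 8 > 8191:                      # Fragment Offset is 13 bits wide
            raise ValueError("message too long to express as offsets")
        frags.append(dict(id=ident, mf=0 if last else 1, offset=pos // 8,
                          total_length=IHL_BYTES + len(data), data=data))
    return frags

def reassemble(frags):
    """Rebuild one message from its fragments; return None if a piece is missing."""
    if len({f["id"] for f in frags}) != 1:       # mixed IDs are different messages
        return None
    ordered = sorted(frags, key=lambda f: f["offset"])
    expected, buf = 0, bytearray()
    for f in ordered:
        if f["offset"] != expected:              # hole: a fragment was lost
            return None
        buf += f["data"]
        expected = f["offset"] + len(f["data"]) // 8
    if ordered[-1]["mf"] != 0:                   # MF still set: last piece missing
        return None
    return bytes(buf)

if __name__ == "__main__":
    msg = bytes(range(256)) * 12                 # constructed 3072-byte payload
    for f in fragment(msg, 1500, ident=42):
        print(f"id={f['id']} MF={f['mf']} offset={f['offset']} "
              f"total_length={f['total_length']}")
```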