Jan 12, 2011

Simulating "Good" Packet Fragmentation

by Roy Scaife


In the last couple of months I've had a recurring customer request: How can I send 'good' fragmented packets? Being able to do this is useful for equipment manufacturers and others who want to understand exactly how their devices will deal with fragmented packets. It’s resource-intensive for inline devices (intrusion prevention systems, etc.) to reassemble many small fragments into a complete packet, so you want to know in advance how your device will handle that situation.

The customers were specifically looking for fragmented packets smaller than the maximum transmission unit (MTU), with all fragments to be sent and reassembled by the server. For example, the Layer 7 application traffic would be fragmented into 100-byte fragments, sent to the server, and then reassembled back to the original complete packet.

I found the answer to this request in the Security component of the BreakingPoint Storm CTM. The Security component has the ability to send Layer 7 application traffic and provide configurable options for fragmentation.

How to Fragment Packets

Configuring the BreakingPoint Storm CTM to send fragmented packets requires a few pieces of information: fragment size, protocol type, and payload. For this blog, we'll use a fragment size of 400 bytes and hypertext transfer protocol (HTTP) with a 2048-byte payload.

I'll go through the following steps to build a simulation on the BreakingPoint Storm CTM for packet fragmentation:

  1. Create a 'singleflow' StrikeList.
  2. Create a new test case and add a Security component.
  3. Configure the Security component to send 400-byte fragments of HTTP traffic.
  4. Execute the simulation and view the packet capture (PCAP) to validate fragmentation.

Step 1: Create a 'singleflow' StrikeList

Among the more than 4,500 security strikes provided in the BreakingPoint Storm CTM is one named 'singleflow'. The 'singleflow' strike isn't an exploit in the traditional sense; it exists to let users send customized Layer 7 application traffic. Used in combination with the Security component, 'singleflow' lets us configure both the fragment size and the MTU limit, which is exactly what our requirements call for.

  1. From the top menu bar, select 'Managers | Strike Lists.'
  2. From the Strike List window, select 'Strike List | New.'
  3. Enter 'Single Flow' in the Search field and press Enter.
  4. Right-click on the result 'AppSim Superflow Generator: Single Flow' and select 'Add Strike.'
  5. From the top menu, select 'Strike List | Save As' and enter a name for the new Strike List, e.g. 'singleflow.'

Step 2: Create a new test case and add a Security component

  1. From the top menu bar, select 'Test | New Test.'
  2. Select the appropriate Network Neighborhood for your topology.
  3. Select '2. Add a Test Component' and click the 'Security' component.
  4. Click the 'Parameters' tab.
  5. Click 'Attack Plan Iterations' and enter the number of times to send the superflow, e.g. '4.'
  6. Click the 'Strike List' parameter and select 'singleflow' from the drop-down list:

Step 3: Configure the Security component to send 400-byte fragments of HTTP traffic

  1. Click the 'Evasion Profile' parameter and select 'Edit.'
  2. Scroll down and select 'SELF.AppSimSuperflow.' Select the checkbox and choose a Superflow, e.g. HTTP 2048B:
  3. Scroll down a little farther and select 'IP.MaxFragSize'. Select the checkbox and enter the fragment size, e.g. 400:
  4. Select 'IP.IPEvasionsOnBothSides'. Select the checkbox and enter 'true'.
  5. Select 'Save As' and enter a name for the profile, e.g. 'singleflow-frag.'
  6. Select 'singleflow-frag' from the Evasion Profile drop-down list:

Step 4: Execute the simulation and view the PCAP to validate fragmentation

  1. Click 'Apply' and 'Save and Run.' Note: don't be concerned if the results report a failure because the traffic was allowed to pass. That is exactly what we want here, since 'singleflow' is not a real attack; if you prefer a passing result, disable the default 'Test Criteria.'
  2. In the 'Real Time Statistics' window, click the 'Attacks' tab to see each superflow iteration execute.
  3. Now that we've run the test, let's look at a packet capture to see if the packets were correctly fragmented: Select 'Control Center | Device Status.'
  4. From the 'Device Status' window, click the 'Export Packet Buffer' icon.
  5. Select the physical interfaces used in the simulation and click 'Export.'
  6. Use your favorite PCAP viewing tool — I’m using Wireshark here — to check your results:

Success! The packets were fragmented into 400-byte fragments and reassembled into a single packet. Hopefully, you will find this useful when you add fragmentation to your BreakingPoint simulations.
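As an added example that is not part of the original post and is not BreakingPoint code, the following Python script simulates the same scenario in software so you can see exactly what a 'good' fragment train looks like and check one yourself: it splits a constructed 2048-byte HTTP request (plus a 20-byte placeholder transport header) into 400-byte IPv4 fragments, serializes them with real IPv4 headers and checksums, and then reassembles them from out-of-order delivery while verifying the properties a well-formed fragment set must have: one IP identification, contiguous and non-overlapping offsets, MF set on every fragment but the last, and non-final fragments a multiple of 8 bytes. The addresses, identification value and transport header are assumptions, and 'IP.MaxFragSize' is taken to mean the number of payload bytes per fragment. One caveat the post glosses over: IP fragment offsets are carried in 8-byte units, so the 100-byte fragment size mentioned in the customer request cannot be honoured exactly (a sender would emit 96-byte fragments), while 400 divides cleanly.

```python
"""Simulate 'good' IPv4 fragmentation of a Layer 7 payload and validate it.

Added example, not BreakingPoint code. Assumptions: MaxFragSize is the number
of transport bytes per fragment; addresses, IP ID and the 20-byte transport
header are constructed placeholders.
"""
import struct
from dataclasses import dataclass
from typing import List


@dataclass
class Fragment:
    ident: int    # IP identification shared by all fragments of one datagram
    offset: int   # fragment offset in 8-byte units, as carried on the wire
    more: bool    # More Fragments (MF) flag
    data: bytes   # this fragment's slice of the transport segment


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 over a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fragment(segment: bytes, max_frag: int, ident: int = 0x1234) -> List[Fragment]:
    """Split a transport segment into contiguous fragments of max_frag bytes (last may be shorter)."""
    if max_frag == 0 or max_frag % 8:
        raise ValueError("fragment size must be a non-zero multiple of 8 bytes")
    return [
        Fragment(ident, off // 8, off + max_frag < len(segment), segment[off:off + max_frag])
        for off in range(0, len(segment), max_frag)
    ]


def encode(frag: Fragment, src: bytes = b"\x0a\x00\x00\x01",
           dst: bytes = b"\x0a\x00\x00\x02", proto: int = 6) -> bytes:
    """Serialize one fragment as an IPv4 packet (20-byte header, no options)."""
    flags_off = (0x2000 if frag.more else 0) | frag.offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(frag.data),
                      frag.ident, flags_off, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + frag.data


def decode(pkt: bytes) -> Fragment:
    """Parse an IPv4 packet back into a Fragment, verifying version and header checksum."""
    ver_ihl, _, total, ident, flags_off = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not an IPv4 packet with a valid header checksum")
    return Fragment(ident, flags_off & 0x1FFF, bool(flags_off & 0x2000), pkt[ihl:total])


def problems(frags: List[Fragment]) -> List[str]:
    """List why a fragment set is not 'good' (one datagram, contiguous, non-overlapping)."""
    found = []
    if len({f.ident for f in frags}) != 1:
        found.append("fragments belong to more than one IP identification")
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for i, f in enumerate(ordered):
        last = i == len(ordered) - 1
        byte_off = f.offset * 8
        if f.offset < expected:
            found.append("fragment at offset %d overlaps the previous one" % byte_off)
        elif f.offset > expected:
            found.append("gap before fragment at offset %d" % byte_off)
        if not last and len(f.data) % 8:
            found.append("non-final fragment at offset %d is not a multiple of 8 bytes" % byte_off)
        if f.more == last:
            found.append("MF flag wrong on fragment at offset %d" % byte_off)
        expected = f.offset + len(f.data) // 8
    return found


def reassemble(frags: List[Fragment]) -> bytes:
    """Rebuild the transport segment, refusing anything a strict reassembler would reject."""
    errs = problems(frags)
    if errs:
        raise ValueError("; ".join(errs))
    return b"".join(f.data for f in sorted(frags, key=lambda f: f.offset))


# Constructed sample: 20-byte placeholder transport header plus a 2048-byte HTTP request
TRANSPORT_HDR = b"\x00" * 20
HTTP_2048B = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n".ljust(2048, b"A")
SEGMENT = TRANSPORT_HDR + HTTP_2048B


def demo(max_frag: int = 400):
    """Fragment, put on the wire, receive out of order, reassemble; returns (count, ok)."""
    wire = [encode(f) for f in fragment(SEGMENT, max_frag)]
    received = [decode(p) for p in reversed(wire)]
    return len(wire), reassemble(received) == SEGMENT


if __name__ == "__main__":
    count, ok = demo()
    print("%d fragments, reassembled correctly: %s" % (count, ok))
    # The same check flags an evasion-style overlap a 'good' sender never produces
    bad = fragment(SEGMENT, 400)
    bad[2].offset -= 8
    print(problems(bad))
```

With the 2068-byte segment this yields six fragments at byte offsets 0, 400, 800, 1200, 1600 and 2000, the last carrying 68 bytes, which matches what Wireshark's reassembly pane should show for the exported capture. Running `problems()` over fragments decoded from that capture is a quick way to confirm that the device under test received contiguous fragments rather than overlapping ones, which is the difference between a reassembly load test and an evasion test.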

[Editor's note: Step 3 was amended slightly in October 2011 to reflect an enhanced configuration option.]
