SEC 504 Fragment Offset question

[Deleted User] Posts: 0
So I'm in the middle of my GCIH studies and reading the 504.2 book. In the book it mentions evading IPS/IDS systems and covers a section with Fragment offset. If my understanding is correct, it determines where the packet fragment belongs when being reassembled on the other side once it bypasses the IPS/IDS?

ex: packet 1 has fragment offset of 2
packet 2 has fragment offset of 4
packet 3 has fragment offset of 1
packet 4 has fragment offset of 3

When these packets are reassembled on the other side, the receiver will interpret the order of packet 3, packet 1, packet 4 and finally packet 2?

Is my understanding of this correct?

Comments

  • TechGromit A+, N+, GSEC, GCIH, GREM, Ontario, NY Member Posts: 1,990
    When these packets are reassembled on the other side, the receiver will interpret the order of packet 3, packet 1, packet 4 and finally packet 2?

    Is my understanding of this correct?

    No, the offset is not the order of reassembling the packets. Let's say I want to send a command to delete your database.
    I want to send "Drop Database", but your IDS/IPS is screening for just such a command. What I could do is create packet fragments.
    The 1st fragmented packet I send you says 'Drop doorknob'; the IPS/IDS allows the packet through, because it is not a violation of the rules it was given. Now the second fragmented packet I send is "Database" with an offset of 5. Again it doesn't meet the IDS/IPS rule set, and it allows it through.
    Now the fragments are joined together, and with an offset of 5, it counts 5 characters over and replaces doorknob with database; the reassembled packet is now "Drop Database".
    Still searching for the corner in a round room.
  • [Deleted User] Posts: 0
    Ok, my understanding was wrong then. Thank you TechGromit! So after reading this further, using your example, the packet of drop doorknob and database would have the same IP ID field so it would know that they belong together, using the offset of 5 to make drop database?
  • TechGromit A+, N+, GSEC, GCIH, GREM, Ontario, NY Member Posts: 1,990
    Yes, I forget offhand how the packets are identified as going together. They both must be fragmented packets; the first packet could be complete in every way, but is still coded as a fragment by the author, so the second (or more) fragment packets will be assembled to overwrite part of the first or second packet using offset values to create a different packet after it's past the IDS/IPS. If the first packet is marked complete, and you send a fragment packet after it, it will be dropped, because there is nothing to attach it to.
    Still searching for the corner in a round room.
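The two answers above describe fragments that share an IP ID, carry a Fragment Offset, and overlap so that the second one overwrites part of the first. The following is an added example, not code from the thread or from the SANS 504 material, that models exactly that on the defender's side: a small IPv4 fragment reassembler that ties fragments together by IP ID, places each payload at its offset (the real field counts 8-byte blocks, not characters), and flags datagrams whose reassembly depends on whether the first-arriving or last-arriving fragment wins an overlap. That ambiguity is the reason an IDS must reassemble the same way the protected host does. The `Fragment` and `Reassembly` classes and the sample fragments are assumptions constructed for the example.

```python
"""Toy IPv4 fragment reassembler illustrating the Fragment Offset field (added example)."""
from dataclasses import dataclass
from typing import List, Optional

FRAG_UNIT = 8  # the Fragment Offset field counts 8-byte blocks, not bytes


@dataclass(frozen=True)
class Fragment:            # hypothetical helper type, not a real library API
    ip_id: int             # Identification field; all fragments of one datagram share it
    offset: int            # Fragment Offset field, in 8-byte units
    more_fragments: bool   # MF flag; cleared only on the final fragment
    payload: bytes


@dataclass
class Reassembly:
    data: bytes
    complete: bool         # True when there are no holes up to the final fragment
    overlapping: bool      # True when some byte was supplied by more than one fragment


def reassemble(frags: List[Fragment], policy: str = "first") -> Reassembly:
    """Reassemble fragments in arrival order.

    policy="first": bytes already written are kept (first fragment wins the overlap).
    policy="last":  later fragments overwrite earlier ones (last fragment wins).
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    if len({f.ip_id for f in frags}) != 1:
        raise ValueError("fragments of one datagram must share an IP ID")
    finals = [f for f in frags if not f.more_fragments]
    if len(finals) != 1:
        raise ValueError("expected exactly one fragment with MF=0")
    for f in frags:
        if f.more_fragments and len(f.payload) % FRAG_UNIT:
            raise ValueError("non-final fragment payloads must be a multiple of 8 bytes")
    final = finals[0]
    total = final.offset * FRAG_UNIT + len(final.payload)
    buf = bytearray(total)
    owner: List[Optional[int]] = [None] * total   # index of the fragment that wrote each byte
    overlapping = False
    for idx, f in enumerate(frags):               # arrival order decides first/last
        start = f.offset * FRAG_UNIT
        if start + len(f.payload) > total:
            raise ValueError("fragment extends past the final fragment")
        for i, b in enumerate(f.payload):
            pos = start + i
            if owner[pos] is None:
                buf[pos] = b
                owner[pos] = idx
            else:
                overlapping = True                # defender's signal: overlap seen
                if policy == "last":
                    buf[pos] = b
                    owner[pos] = idx
    complete = all(o is not None for o in owner)
    return Reassembly(bytes(buf), complete, overlapping)


def is_ambiguous(frags: List[Fragment]) -> bool:
    """True when first-wins and last-wins reassembly differ: an IDS using one
    policy and a host using the other would inspect different payloads."""
    return reassemble(frags, "first").data != reassemble(frags, "last").data


# Constructed sample, not captured traffic: a 16-byte first fragment and an
# 8-byte second fragment whose offset of 1 block (byte 8) overlaps it.
OVERLAPPING = [
    Fragment(ip_id=0x1234, offset=0, more_fragments=True, payload=b"Drop a doorknob."),
    Fragment(ip_id=0x1234, offset=1, more_fragments=False, payload=b"atabase."),
]
# Constructed benign pair: the same datagram split at a block boundary, no overlap.
CLEAN = [
    Fragment(ip_id=0x5678, offset=0, more_fragments=True, payload=b"Drop a d"),
    Fragment(ip_id=0x5678, offset=1, more_fragments=False, payload=b"atabase."),
]

if __name__ == "__main__":
    for name, frags in (("overlapping", OVERLAPPING), ("clean", CLEAN)):
        first, last = reassemble(frags, "first"), reassemble(frags, "last")
        print(f"{name}: first-wins={first.data!r} last-wins={last.data!r} "
              f"overlap={first.overlapping} ambiguous={is_ambiguous(frags)}")
```

Running it shows the overlapping pair reassembling to "Drop a doorknob." under a first-wins policy and "Drop a database." under last-wins, while the clean pair gives the same bytes either way. A sensor that reassembles before matching and alerts whenever `overlapping` or `is_ambiguous` is true removes the gap the thread describes, regardless of which policy the end host uses.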