Search Icon
Submissions

PMTUD is not Panacea: Revisiting IP Fragmentation Attacks against TCP

Xuewei Feng (Tsinghua University), Qi Li (Tsinghua University), Kun Sun (George Mason University), Ke Xu (Tsinghua University), Baojun Liu (Tsinghua University), Xiaofeng Zheng (Institute for Network Sciences and Cyberspace, Tsinghua University; QiAnXin Technology Research Institute & Legendsec Information Technology (Beijing) Inc.), Qiushi Yang (QiAnXin Technology Research Institute & Legendsec Information Technology (Beijing) Inc.), Haixin Duan (Institute for Network Science and Cyberspace, Tsinghua University; Qi An Xin Group Corp.), Zhiyun Qian (UC Riverside)

There is a widespread belief that TCP is not vulnerable to IP fragmentation attacks since TCP performs the Path Maximum Transmission Unit Discovery (PMTUD) mechanism by default, which can avoid IP fragmentation by dynamically matching the maximum size of TCP segments with the maximum transmission unit (MTU) of the path from the originator to the destination. However, this paper reveals that TCP is in fact vulnerable to IP fragmentation attacks, which is contrary to the common belief.

We conduct a systematic study on the complex interactions between IP fragmentation and TCP, and we discover two key scenarios under which IP fragmentation can still be triggered on TCP segments even if the originator performs PMTUD. First, when the next-hop MTU of an intermediate router is smaller than the originator’s acceptable minimum path MTU, TCP segments from the originator will be fragmented by the router. Second, when the originator’s path MTU values between the IP layer and the TCP layer are desynchronized due to a maliciously crafted ICMP error message, the originator could be tricked into fragmenting TCP segments. Once IP fragmentation on TCP segments could be falsely triggered, attackers can inject forged fragments into the victim connection to poison the target TCP traffic after successfully addressing practical issues of predicting IPID and deceiving TCP checksum. Our case studies on both HTTP and BGP demonstrate the feasibility and effectiveness of poisoning TCP-based applications via IP fragmentation. We also conduct a comprehensive evaluation to show that our attacks can cause serious damages in the real world. Finally, we propose countermeasures to mitigate malicious IP fragmentation on TCP segments and defeat the attacks.

Paper
Video

View More Papers

Remote Memory-Deduplication Attacks

Martin Schwarzl (Graz University of Technology), Erik Kraft (Graz University of Technology), Moritz Lipp (Graz University of Technology), Daniel Gruss (Graz University of Technology)

Read More

Demo #6: Attacks on CAN Error Handling Mechanism

Khaled Serag (Purdue University), Vireshwar Kumar (IIT Delhi), Z. Berkay Celik (Purdue University), Rohit Bhatia (Purdue University), Mathias Payer (EPFL) and Dongyan Xu (Purdue University)

Read More

EqualNet: A Secure and Practical Defense for Long-term Network...

Jinwoo Kim (KAIST), Eduard Marin (Telefonica Research (Spain)), Mauro Conti (University of Padua), Seungwon Shin (KAIST)

Read More

PoF: Proof-of-Following for Vehicle Platoons

Ziqi Xu (University of Arizona), Jingcheng Li (University of Arizona), Yanjun Pan (University of Arizona), Loukas Lazos (University of Arizona, Tucson), Ming Li (University of Arizona, Tucson), Nirnimesh Ghose (University of Nebraska–Lincoln)

Read More