Protocol 255

By: Sajid Ali Pathan


Investigation and basic Understanding:

In every IPv4 packet, the byte at offset 9 identifies the protocol encapsulated in the packet. The most common protocol numbers are 1 (ICMP), 6 (TCP), and 17 (UDP). Here we will discuss protocol 255.
In the document "Protocol Numbers" at http://www.iana.org/assignments/protocol-numbers, the Internet Assigned Numbers Authority lists assignments and technical references for protocol numbers 0 through 134. Protocols 135 through 254 are "unassigned", and 255, the highest possible protocol number, is identified in RFC 3692 as "reserved".
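To make the header layout and the number ranges above concrete, here is an added example (my own code, not from the original post): it builds a few constructed IPv4 packets, reads the protocol number from the byte at offset 9, and classifies it using the ranges the post quotes (0-134 assigned, 135-254 unassigned, 255 reserved). The summarize() helper is the kind of check a packet-capture triage script or IDS rule would run to flag traffic using unassigned or reserved protocol numbers.

```python
import struct

# Protocol-number ranges as described in the post: well-known values by name,
# assignments 0-134, unassigned 135-254, 255 reserved.
WELL_KNOWN = {1: "ICMP", 6: "TCP", 17: "UDP"}
LAST_ASSIGNED = 134
RESERVED = 255


def build_ipv4_packet(proto, payload=b"", src="192.0.2.1", dst="192.0.2.2"):
    """Construct a minimal 20-byte IPv4 header plus payload.

    Constructed sample data for this example only; the header checksum is
    left at zero because nothing here validates it.
    """
    version_ihl = (4 << 4) | 5           # IPv4, 5 x 32-bit words
    total_length = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, total_length, 0, 0, 64, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return header + payload


def protocol_of(packet):
    """Return the protocol number: the byte at offset 9 of the IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[9]


def classify(proto):
    """Label a protocol number according to the IANA ranges quoted above."""
    if proto in WELL_KNOWN:
        return WELL_KNOWN[proto]
    if proto <= LAST_ASSIGNED:
        return "assigned"
    if proto < RESERVED:
        return "unassigned"
    return "reserved"


def summarize(packets):
    """Count packets per label and list the suspicious ones.

    Returns (counts, suspicious); suspicious holds (index, proto, payload_len)
    for every packet whose protocol number is unassigned or reserved.
    """
    counts = {}
    suspicious = []
    for i, pkt in enumerate(packets):
        proto = protocol_of(pkt)
        label = classify(proto)
        counts[label] = counts.get(label, 0) + 1
        if label in ("unassigned", "reserved"):
            suspicious.append((i, proto, len(pkt) - 20))
    return counts, suspicious


# Constructed sample capture: ordinary TCP/UDP/ICMP packets, one packet with an
# unassigned number, and two protocol-255 packets carrying the 1440-byte
# payload size the post mentions.
SAMPLE = [
    build_ipv4_packet(6, b"\x00" * 40),
    build_ipv4_packet(17, b"\x00" * 100),
    build_ipv4_packet(1, b"\x00" * 64),
    build_ipv4_packet(255, b"\x00" * 1440),
    build_ipv4_packet(200, b"\x00" * 10),
    build_ipv4_packet(255, b"\x00" * 1440),
]

if __name__ == "__main__":
    counts, suspicious = summarize(SAMPLE)
    print(counts)
    for idx, proto, plen in suspicious:
        print(f"packet {idx}: protocol {proto} ({classify(proto)}), payload {plen} bytes")
```

On real traffic you would feed summarize() the raw IPv4 frames from a capture rather than the constructed SAMPLE list; the classification and the offset-9 read are the same.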

RFC 3692 (Assigning Experimental and Testing Numbers)

Numbers in the experimentation range are similar to those called "Private Use" in RFC 2434 [IANA-CONSIDERATIONS]. They are not intended to be used in general deployments or be enabled by default in products or other general releases.

Most implementations will not do anything special with numbers assigned for testing purposes. In particular, unless a packet or other Protocol Data Unit (PDU) is specifically directed at a device, that device will not even look at the field while processing the PDU. For example, IP routers do not need to examine or understand the Protocol Type field of IP datagrams in order to know how to correctly forward them. In those cases where a packet or PDU is directed at a device, and that device has not been configured to recognize the extension, the device will either ignore the PDU, discard it, or signal an error, depending on the protocol-specific rules that indicate how to process unknown options or features.


Attack mechanism:

Crafted packets: tools for packet crafting and injection are freely available. For example, hping2 (http://www.hping.org) can be made to create protocol 255 traffic using a command such as
hping2 --rawip --ipproto 255 $target; there are other options for specifying the data payload size and injection interval. Packet injection tools may also be written from scratch with a C compiler.
These packets carry large payloads (1440 bytes), so each packet is slightly smaller than Ethernet's MTU, and they are sent very rapidly.
It is possible that protocol 255 was used for a DDoS (distributed denial-of-service) against the target, in other words, that hosts at other sites were attempting the same attack concurrently. This type of DDoS attack uses protocol 255 with a reversed state: the connection is initiated from inside, so it cannot be filtered by firewall rules.
If a device (such as a Cisco router or switch) receives a packet with protocol 255, it will not recognize the packet because it has no rule for processing that type of packet; ultimately the device will signal an error.

RTR#sh int fa 0/0/0 | in protocol
FastEthernet0/0/0 is up, line protocol is up
425 unknown protocol drops
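The "unknown protocol drops" counter shown above is the simplest place to see this traffic from the defender's side. The following is an added example (my own code, not from the original post) that parses the lines of interest from constructed "show interface" output modelled on the quoted counter line, and reports interfaces whose counter has grown past a threshold since a previous sample. The interface names, counter values and the threshold are assumptions made up for this example.

```python
import re

# Constructed samples of "show interface" output (filtered to lines containing
# "protocol", like the post's "| in protocol"). Values are made up.
BASELINE = """FastEthernet0/0/0 is up, line protocol is up
     0 unknown protocol drops
GigabitEthernet0/1 is up, line protocol is up
     12 unknown protocol drops
"""

CURRENT = """FastEthernet0/0/0 is up, line protocol is up
     425 unknown protocol drops
GigabitEthernet0/1 is up, line protocol is up
     12 unknown protocol drops
"""

# Interface status line: remembers which interface later counters belong to.
IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is \S+")
# Counter line as printed by the router in the post.
DROPS_RE = re.compile(r"^\s*(\d+) unknown protocol drops")


def unknown_protocol_drops(text):
    """Return {interface_name: unknown_protocol_drop_count} from show output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = DROPS_RE.match(line)
        if m and current is not None:
            result[current] = int(m.group(1))
    return result


def detect_increase(baseline, current, threshold=100):
    """List (iface, before, now, delta) for counters that grew by >= threshold.

    An interface missing from the baseline is treated as starting at zero;
    a counter that wrapped or was cleared (now < before) is not an alert.
    """
    alerts = []
    for iface, now in current.items():
        before = baseline.get(iface, 0)
        delta = now - before
        if delta >= threshold:
            alerts.append((iface, before, now, delta))
    return alerts


if __name__ == "__main__":
    before = unknown_protocol_drops(BASELINE)
    now = unknown_protocol_drops(CURRENT)
    for iface, b, n, d in detect_increase(before, now):
        print(f"{iface}: unknown protocol drops {b} -> {n} (+{d})")
```

In practice the two samples would come from polling the device (or from the interface counters exported via SNMP or syslog) a fixed interval apart; a steady rise on an edge interface is the signal that something is sending traffic the device has no handler for.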


References:
 
1. http://www.iana.org/assignments/protocol-numbers
2. http://www.hping.org/
3. http://lists.jammed.com/incidents/2002/07/0068.html
4. http://www.apnic.net/apnic-bin/whois2.pl
