Search Icon
2024 Program

PMTUD is not Panacea: Revisiting IP Fragmentation Attacks against TCP

Xuewei Feng (Tsinghua University), Qi Li (Tsinghua University), Kun Sun (George Mason University), Ke Xu (Tsinghua University), Baojun Liu (Tsinghua University), Xiaofeng Zheng (Institute for Network Sciences and Cyberspace, Tsinghua University; QiAnXin Technology Research Institute & Legendsec Information Technology (Beijing) Inc.), Qiushi Yang (QiAnXin Technology Research Institute & Legendsec Information Technology (Beijing) Inc.), Haixin Duan…

There is a widespread belief that TCP is not vulnerable to IP fragmentation attacks since TCP performs the Path Maximum Transmission Unit Discovery (PMTUD) mechanism by default, which can avoid IP fragmentation by dynamically matching the maximum size of TCP segments with the maximum transmission unit (MTU) of the path from the originator to the destination. However, this paper reveals that TCP is in fact vulnerable to IP fragmentation attacks, which is contrary to the common belief.

We conduct a systematic study on the complex interactions between IP fragmentation and TCP, and we discover two key scenarios under which IP fragmentation can still be triggered on TCP segments even if the originator performs PMTUD. First, when the next-hop MTU of an intermediate router is smaller than the originator’s acceptable minimum path MTU, TCP segments from the originator will be fragmented by the router. Second, when the originator’s path MTU values between the IP layer and the TCP layer are desynchronized due to a maliciously crafted ICMP error message, the originator could be tricked into fragmenting TCP segments. Once IP fragmentation on TCP segments could be falsely triggered, attackers can inject forged fragments into the victim connection to poison the target TCP traffic after successfully addressing practical issues of predicting IPID and deceiving TCP checksum. Our case studies on both HTTP and BGP demonstrate the feasibility and effectiveness of poisoning TCP-based applications via IP fragmentation. We also conduct a comprehensive evaluation to show that our attacks can cause serious damages in the real world. Finally, we propose countermeasures to mitigate malicious IP fragmentation on TCP segments and defeat the attacks.

Paper
Video

View More Papers

Multi-Certificate Attacks against Proof-of-Elapsed-Time and Their Countermeasures

Huibo Wang (Baidu Security), Guoxing Chen (Shanghai Jiao Tong University), Yinqian Zhang (Southern University of Science and Technology), Zhiqiang Lin (Ohio State University)

Read More

HARPO: Learning to Subvert Online Behavioral Advertising

Jiang Zhang (University of Southern California), Konstantinos Psounis (University of Southern California), Muhammad Haroon (University of California, Davis), Zubair Shafiq (University of California, Davis)

Read More

RVPLAYER: Robotic Vehicle Forensics by Replay with What-if Reasoning

Hongjun Choi (Purdue University), Zhiyuan Cheng (Purdue University), Xiangyu Zhang (Purdue University)

Read More

Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of...

Zifeng Kang (Johns Hopkins University), Song Li (Johns Hopkins University), Yinzhi Cao (Johns Hopkins University)

Read More