<?xml version="1.0"?>
<Module projectID="1080" moduleID="1135">
	<ModuleName>mod6</ModuleName>
	<AU>mod6</AU>
	<Title>Advanced Concepts</Title>
	<Subtitle>Advanced Concepts</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../mod6/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
		<NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map.  Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit.  Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause.  Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>idsl6_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the Advanced Concepts in Incident Detection lesson. To effectively analyze intrusion detection systems, or IDSes, you must become familiar with advanced IDS concepts. When you have completed this lesson, you will be able to identify fragmentation and its risks, and identify segmentation and its risks. There are four topics in this lesson. After you have completed the Introduction, you will learn about the fragmentation process, and review a fragmentation example. You will also recognize small fragment attacks and overlapping fragments. You will identify reassembly with overlapping fragments and reassembly using Snort. Then, you will learn about segmentation, review a small segment example, and recognize how the Network-Based Intrusion Detection System, or NIDS, relates to segmentation. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 1 of 14 and Launch page: Please use the up and down arrows to navigate through Introduction to D O D I D S Analysis Course, Advanced Concepts in Incident Detection. For each screen you will hear a description. The description is cued by an audio tone. Complex screens are divided into several descriptions. Listen to the description, and then select the play audio narration button to continue. You can access the glossary and a list of resources at any time without losing your place in the course. Screen 1 of 14. Topic title: Introduction. Screen title: Objectives and Topics. Bulleted text and text boxes appear with objectives and topics in support of audio. Text box displays text References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service or agency for guidance on the use of these products. Rollover text displays NIDS Network Based Intrusion Detection System.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Advanced IDS Concepts</Title>
					<Subtitle/>
					<Filename>idsl6_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">While fragmentation and segmentation are fundamental concepts for networking, they are advanced concepts for NIDS analysts. Why is this? Because normal and benign fragmentation and segmentation regularly occur during network operations. However, attackers frequently abuse fragmentation and segmentation to execute advanced techniques that try to evade the NIDS. Attackers craft fragmented and segmented packets that blend in with normal network traffic, so as not to raise any flags on the NIDS. While both processes involve breaking data units into smaller pieces, there are important differences. Let's take a look at fragmentation first. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 14.  Topic title: Introduction. Screen title: Advanced I D S Concepts. Text appears. Image of a flat computer device appears labeled NIDS. An animation shows groups of encircled ones and zeroes moving toward the device. Some of the groups appear highlighted in support of audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Fragmentation</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Fragmentation Overview</Title>
					<Subtitle/>
					<Filename>iidsl6_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Fragmentation occurs at layer three of the OSI model. Remember that fragmentation is a normal network operation that occurs when a packet is too large for the link it must cross next, such as when data packets leave an Ethernet network and enter a cellular network. When a router receives a packet destined for a network it is connected to, it checks the largest packet the next-hop link can carry, called the Maximum Transmission Unit, or MTU. If the packet size exceeds the MTU, the router fragments the packet into pieces that are small enough to make it across the network. This is IPv4 behavior; an IPv6 router never fragments, and the sender must do it instead. You can think of packet fragments as cars in a fragment train, where the component fragments are part of the same fragment train. The cars split up and proceed on different tracks. When the cars reach their destination, where the packet is reassembled, they return to their rightful places in the fragment train. The question is, how does the destination host know which fragments belong together, and in what order? For this, we turn to the IP header that travels with each fragment. Certain fields in the header associate a fragment with a packet and define its position in the original packet. Let's look at the IP header fields related to fragmentation. The Identification field contains a 16-bit value chosen by the sender for the original packet. All the fragments of the packet carry the same Identification value, and the receiver groups fragments by Identification together with the source address, destination address, and protocol. The Flags field is an important fragmentation field. It is 3 bits wide. The first bit is reserved and must be set to zero. The second bit is the Don't Fragment, or DF, flag. If the DF flag is set to 1, the packet must not be fragmented. If the packet is too large for the next hop and the DF flag is set to 1, the router cannot fragment it and drops the packet, normally returning an ICMP Fragmentation Needed message to the sender. The third bit is the More Fragments, or MF, flag. The MF flag is set to 1 on every fragment except the last one; a fragment with MF cleared is the final fragment of the packet. 
The Fragment Offset field indicates where the fragment's data begins in the original payload. It is measured in 8-byte units, which is why every fragment except the last must carry a multiple of 8 bytes of data. The fragment offset is zero for the first fragment. The Header Checksum field is indirectly associated with fragmentation: because Total Length, Flags, and Fragment Offset differ from fragment to fragment, each fragment's header checksum must be recomputed. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 14.  Topic title: Fragmentation. Screen title: Fragmentation Overview. Image labeled O S I appears with a stack of seven text boxes labeled from top to bottom as Application, Presentation, Session, Transport, Network, Data Link, and Physical. The Network layer is highlighted and the text layer 3 Fragmentation appears next to it. An animation displays a group of encircled ones and zeroes labeled large packet moving toward a router image labeled Ethernet. Another router image appears labeled cellular. These router images are connected by two lines. Text displays packet size greater than M T U. An animation shows the encircled ones and zeroes splitting into smaller encircled groups of ones and zeroes. These groups appear connected by a line and are labeled and sequenced 4 3 2 and 1. Animation shows the encircled ones and zeroes moving out of sequence and onto the lines connecting the two router images. A server image appears labeled Destination Host. The encircled ones and zeroes move toward the server image, fall into the original sequence 4 3 2 and 1, and appear connected by a line. Ones and zeroes are highlighted and text appears in support of audio. The animations repeat. A rectangular image appears divided into five rows. Each row is divided into labeled sections displaying data packet header fields. Row 1 displays Version, I H L, Type of Service, and Total Length. Row 2 displays identification, Flags, and Fragment Offset. Row 3 displays Time to Live, Protocol, and Header Checksum. Row 4 displays Source Address. Row 5 displays Destination Address. The top of the rectangle is divided into 8 equal sections representing chunks of 4 bits. The top edge is labeled 0 4 8 12 16 20 24 28 and 31. Text displays I P headers travel with fragments. This image enlarges. Sections appear highlighted. Callouts appear in support of audio. Text appears. 
Rollover text displays O S I model Open System Interconnection Model. I P Internet Protocol. D F Don't fragment. M F. More fragments. M T U Maximum Transmission Unit.</ContentDescription></Sec508Data></Page>			
				<Page>
					<Title>Fragmentation Example</Title>
					<Subtitle/>
					<Filename>iidsl6_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Let's look at an example of fragmentation. Suppose a router receives a 2,000-byte packet with a 20-byte header and a 1,980-byte payload, or data. The router looks to the next hop on the route and sees that it has a 1,500-byte MTU. Since the packet's DF flag is set to zero, the packet can be fragmented. The router fragments it into two parts. The first fragment has a 20-byte header and a 1,480-byte payload, for a total of 1,500 bytes, exactly the MTU; 1,480 is also a multiple of 8, as it must be for any fragment but the last. The second fragment's header is also 20 bytes long, but its payload is the remaining 500 bytes, for a total of 520 bytes. The header fields in both fragments have the same values, except for the Total Length, Flags, Fragment Offset, and Header Checksum fields. The Flags field of the first fragment has the MF bit set to 1, which means more fragments are coming. The Flags field of the second and final fragment has the MF bit set to zero, which means there are no more fragments. Another difference between the two headers is that the Fragment Offset field of the first fragment is set to zero, which marks it as the first fragment. The header of the second fragment has the Fragment Offset field set to 185. The field counts 8-byte units, and 185 times 8 is 1,480, so this fragment's data begins at byte 1,480 of the original payload, immediately after the 1,480 bytes carried by the first fragment. Because three header fields changed, each fragment's Header Checksum is recomputed as well. In this way, packet fragments are equipped with IP header fields that identify their place in the original packet. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 14.  Topic title: Fragmentation. Screen title: Fragmentation Example. Text appears. An image representing a packet header appears as a rectangle divided into five rows. Each row is divided into labeled sections displaying data packet header fields. Row 1 displays Version, I H L, Type of Service, and Total Length. Row 2 displays identification, Flags, and Fragment Offset. Row 3 displays Time to Live, Protocol, and Header Checksum. Row 4 displays Source Address. Row 5 displays Destination Address. The top of the rectangle is divided into 8 equal sections representing chunks of 4 bits. The top edge is labeled 0 4 8 12 16 20 24 28 and 31. Text and sections of the packet header image appear highlighted in support of audio. Two router images appear. Another image of a packet header appears. Sections of the image appear highlighted and display callouts in support of audio. Packet header images and text fade off and four images representing data packets appear labeled packet fragments. Packet header image reappears labeled packet fragment header fields with identification, Flags, and Fragment Offset fields highlighted.</ContentDescription></Sec508Data></Page>			
				<Page>
					<Title>Small Fragment Attacks</Title>
					<Subtitle/>
					<Filename>idsl6_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">While normal fragmentation is an orderly process, there is a significant risk that attackers will exploit fragmentation to evade a NIDS. Attackers can deliberately create small fragments. Rather than sending attack traffic in one datagram, they force fragmentation, unnecessarily dividing the attack traffic across multiple fragments. This is not hard to do: tools such as Fragroute and Fragrouter make it easy to choose where a datagram is split. The goal is to make the packets look one way to the IDS and another way to the receiving host. This is referred to as fragmentation blindness, in that the packet is fragmented in such a way that the NIDS does not see the true nature of the original packet. The NIDS can avoid fragmentation blindness by reassembling fragments the same way the receiving host does. Let's take a look at what happens if the NIDS does not do packet reassembly. Consider a scenario where the FTP request GET /etc/shadow is fragmented. Note that /etc/shadow is the file that stores the password hashes and account aging information for local user accounts; it is readable only by root, which is why an attacker wants it. Assume that we have set up an alert rule using Snort, which is an open source network-based IDS. Analysts define rules that Snort uses to monitor and analyze network traffic, and Snort takes a particular action based on what a rule matches. In our example, we create a Snort rule that alerts when the term shadow is sent to FTP on TCP port 21. The rule reads: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retrieval attempt"; content:"shadow";). In words: alert on TCP traffic from any port on our EXTERNAL_NET variable to port 21 on HOME_NET, display the alert as FTP shadow retrieval attempt, and let content:"shadow" tell Snort to look for the pattern shadow in the packet's payload. A deployable rule also carries sid and rev options, which Snort requires to identify the rule and its revision. Now we'll see how an attacker can manipulate fragmentation to evade the NIDS, and succeed, if the NIDS does not reassemble packets. 
The attacker forces the packet containing GET /etc/shadow to fragment into two parts, such that the term shadow appears in neither fragment: fragment 1 ends with sha and fragment 2 begins with dow. The picture counts offsets in bytes for readability; on the wire the split must fall on an 8-byte boundary of the IP payload, and because that payload begins with the 20-byte TCP header, a 32-byte first fragment splits the request exactly between sha and dow. The host reassembles the fragments into GET /etc/shadow, and the attacker retrieves the shadow file with its password hashes. If the NIDS does not reassemble the fragments, there is no alert, and the attack goes unrecognized. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 14.  Topic title: Fragmentation. Screen title: Small Fragment Attacks. Text boxes display text and bullet points. An image of a server appears with text if NIDS does not do reassembly. An image representing a data packet appears. Text Fragmented et see shadow message appears. Animation shows packet image and text moving toward the server image. Snort logo appears with trademark statement Snort is a registered trademark of Source fire Ink. Text appears. Image labeled fragment 1 offset zero displays 12 boxes in a row with the following characters: G E T blank slash e t c slash s h a. Image labeled Fragment 2 offset 12 displays 12 boxes and the data d o w followed by 7 blank boxes. S h a from fragment 1 and d o w from fragment 2 appear highlighted. 15 boxes appear with g e t space slash e t c slash s h a d o w or get et see shadow message. An animation shows an expanding arrow with moving from the Get et see shadow message toward a server image with a world globe next to it. Two arrows labeled sniff sniff appear between the snort logo and the packet fragment images. Text displays status no match action ignore. Rollover text displays F T P File Transfer Protocol and slash e t c slash shadow or et see shadow is a file that stores secure user account information in encrypted format.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Packet Reassembly</Title>
					<Subtitle/>
					<Filename>idsl6_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Most modern network-based IDSes reassemble packet fragments to prevent fragmentation blindness. Even so, another problem arises because different operating systems, such as Windows, Macintosh, Linux, and BSD, reassemble fragments in different ways, and the NIDS may not know which reassembly method a given host uses. Mixed environments, with multiple operating systems, can pose issues in atypical circumstances. One such example is the fragmentation timeout, which attackers can use to evade IDSes. Every system that reassembles fragments, whether a host or a sensor, discards an incomplete set of fragments after some timeout, and those timeouts differ from system to system. If the NIDS gives up sooner than the host, an attacker can delay one fragment so that it arrives after the NIDS has discarded the earlier fragments but before the host has. The host sees the reassembled packet, but the NIDS never does. The reverse mismatch causes the opposite problem: a NIDS that waits longer than the host reassembles and alerts on a packet that the host threw away. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 14.  Topic title: Fragmentation. Screen title: Packet Reassembly. Image of a flat network device labeled NIDS appears. Text and logos appear in support of audio. An animation shows a digital clock with advancing seconds. Text displays All fragments have not yet arrived!</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Overlapping Fragments</Title>
					<Subtitle/>
					<Filename>idsl6_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Another way that attackers can evade a NIDS is with overlapping fragments. Overlapping fragments are not normal and do not occur naturally: a router never produces two fragments whose data covers the same bytes. Attackers deliberately overlap fragments to evade detection. In this example, the first fragment has fragment offset zero and carries GET /etc/spoon, occupying bytes 0 through 13. The second fragment claims offset 10, but it should not, because offset 10 places its data on top of the last four bytes of fragment one. A legitimate second fragment would start at byte 14, right after the first. The example counts offsets in bytes for readability; a real Fragment Offset field counts 8-byte units, so an attacker lines the overlap up on an 8-byte boundary of the IP payload. Many IDSes tolerate overlapping fragments and reassemble them rather than dropping the datagram, so in this example the NIDS proceeds to reassemble. However, the NIDS may not know how the host will resolve the overlap. Many hosts use the Last Rule, in which the later fragment overwrites the earlier one; this lesson uses Linux as the example of the Last Rule. Other hosts use the First Rule, which keeps the earlier fragment's data and discards the overlapping part of the later one; this lesson uses Windows as the example of the First Rule. Real operating systems differ in the details and by version, which is why Snort offers operating-system-specific reassembly policies in addition to plain first and last. What message does the NIDS see? That depends on which reassembly policy the host uses. Select Last Rule and First Rule to see an example of how the reassembly policies work. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Overlapping Fragments</Title>
							<Subtitle/>
							<Filename>idsl6_07_01</Filename>
							<PageNbr>7</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The Last Fragment rule, which this lesson attributes to Linux, gives priority to the fragment that arrives last. The first fragment contains GET /etc/spoon. Its bytes poon, at offsets 10 through 13, are overwritten by the second fragment, which carries hadow at offsets 10 through 14. The reassembled message is GET /etc/shadow. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Last Rule</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2. Popup title: Last Rule. Text appears. An image representing fragment data appears with four rows labeled Offset, Fragment 1, Fragment 2, and Reassembled Data. Next to each row 15 evenly spaced boxes appear. Boxes in Row 1 Offset display numbers 0 through 14 in each box. Boxes in row 2 Fragment 1 display g e t blank slash e t c slash s p o o n blank. In row 3 Fragment 2, boxes 0 through 9 are blank. Then boxes 10 through 14 display h a d o w. Boxes in row 4 Reassembled data display g e t blank slash e t c slash s h a d o w. Rows are highlighted in support of audio.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Overlapping Fragments</Title>
							<Subtitle/>
							<Filename>idsl6_07_02</Filename>
							<PageNbr>7</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> The First Fragment rule, which this lesson attributes to Windows, gives priority to the fragment that arrived first. The first fragment contains GET /etc/spoon. Its bytes poon, at offsets 10 through 13, are kept, and the overlapping bytes hado of the second fragment are discarded; only the w at offset 14, which extends beyond the first fragment, is added. The reassembled message is GET /etc/spoonw. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>First Rule</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2. Popup title: First Rule. Text appears. An image representing fragment data appears with four rows labeled Offset, Fragment 1, Fragment 2, and Reassembled Data. Next to each row 15 evenly spaced boxes appear. Boxes in Row 1 Offset display numbers 0 through 14 in each box. Boxes in row 2 Fragment 1 display g e t blank slash e t c slash s p o o n blank. In row 3 Fragment 2, boxes 0 through 9 are blank. Then boxes 10 through 14 display h a d o w. Boxes in row 4 Reassembled data display g e t blank slash e t c slash s p o o n w. Rows are highlighted in support of audio.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 14.  Topic title: Fragmentation. Screen title: Overlapping Fragments. Text and bullet points appear. Image labeled fragment 1 offset zero displays 14 boxes in a row with the following characters: G E T blank slash e t c slash s p o o n. S p o o n is highlighted in support of audio. Image labeled fragment 2  offset 10 displays 14 boxes with the first five containing h a d o w. H a d o w appears aligned below fragment one’s p o o n. Fragment image boxes and text are highlighted in support of audio. Animation displays data h a d o w moving back and forth in support of audio. Server image labeled Destination Host appears. An image of a flat computer device appears with text What does the NIDS see? Text boxes labeled Last Rule and First Rule appear selectable as popups. Instructions display select last rule and first rule to see examples.</ContentDescription></Sec508Data></Page>
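The following Python script is an added example; it is not part of the course and is not Snort code. With constructed data only, it simulates the three situations this Fragmentation topic describes: a router splitting the 2,000-byte packet from the Fragmentation Example page at a 1,500-byte MTU (offsets 0 and 185), the small fragment attack from the Small Fragment Attacks page, in which a sensor that inspects fragments one at a time never sees the string shadow, and the overlapping fragments above, reassembled under the First Rule and the Last Rule. Assumptions made here: the TCP header is a 20-byte stand-in of zero bytes, the attacker chooses fragments of 32 payload bytes (expressed as an MTU of 52), and the Identification values are arbitrary.

```python
"""Added example: IPv4 fragmentation, reassembly policies and NIDS matching.

Constructed data only; nothing here touches the network.
"""
from dataclasses import dataclass

UNIT = 8                 # Fragment Offset counts 8-byte blocks, not bytes
IP_HEADER_LEN = 20       # minimal IPv4 header, as in the lesson's example
TCP_HEADER = bytes(20)   # stand-in for a 20-byte TCP header (all zeros; assumption)


@dataclass
class Fragment:
    ident: int     # Identification field, the same for every fragment of one datagram
    offset: int    # Fragment Offset field value, in 8-byte units
    mf: bool       # More Fragments flag
    data: bytes    # this fragment's share of the IP payload

    @property
    def total_length(self):
        return IP_HEADER_LEN + len(self.data)


def fragment(ident, ip_payload, mtu):
    """Split ip_payload as a router does when header plus payload exceeds mtu.

    Every fragment except the last carries a multiple of 8 payload bytes so that
    the next fragment's start can be expressed in the Fragment Offset field.
    """
    max_data = (mtu - IP_HEADER_LEN) // UNIT * UNIT
    frags, pos = [], 0
    while True:
        chunk = ip_payload[pos:pos + max_data]
        more = pos + len(chunk) != len(ip_payload)
        frags.append(Fragment(ident, pos // UNIT, more, chunk))
        pos += len(chunk)
        if not more:
            return frags


def reassemble(frags, policy):
    """Rebuild the IP payload from fragments in arrival order.

    'first' keeps the earliest data seen for an overlapped byte (the lesson's
    First Rule); 'last' lets a later fragment overwrite it (the Last Rule).
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf, filled = bytearray(), set()
    for f in frags:
        start = f.offset * UNIT
        end = start + len(f.data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
        for i, byte in enumerate(f.data):
            pos = start + i
            if policy == "last" or pos not in filled:
                buf[pos] = byte
            filled.add(pos)
    return bytes(buf)


def nids_sees(frags, pattern, policy=None):
    """True if a content match on pattern fires. With policy None the sensor
    inspects each fragment by itself, i.e. it does no reassembly."""
    if policy is None:
        return any(pattern in f.data for f in frags)
    return pattern in reassemble(frags, policy)


def app_data(ip_payload):
    """Drop the stand-in TCP header to get what the FTP server would read."""
    return ip_payload[len(TCP_HEADER):]


# 1. Router fragmentation from the lesson: 2000-byte datagram, 1500-byte MTU.
ROUTER_FRAGS = fragment(0x1234, bytes(1980), mtu=1500)

# 2. Small fragment attack: 32 payload bytes per fragment puts the TCP header
#    plus "GET /etc/sha" in fragment 1 and "dow" at the start of fragment 2.
EVASION_FRAGS = fragment(0x2222, TCP_HEADER + b"GET /etc/shadow\r\n", mtu=52)

# 3. Overlapping fragments: the second starts at byte 24 (offset 3), inside
#    the first, so "/etc/shadow" lands on top of "/etc/spo".
OVERLAP_FRAGS = [
    Fragment(0x3333, 0, True, TCP_HEADER + b"GET /etc/spo"),
    Fragment(0x3333, 3, False, b"/etc/shadow\r\n"),
]

if __name__ == "__main__":
    for f in ROUTER_FRAGS:
        print(f"offset={f.offset:3d} mf={f.mf} total_length={f.total_length}")
    print("per-fragment match    :", nids_sees(EVASION_FRAGS, b"shadow"))
    print("match after reassembly:", nids_sees(EVASION_FRAGS, b"shadow", "first"))
    for policy in ("first", "last"):
        print(policy, app_data(reassemble(OVERLAP_FRAGS, policy)))
```

Run it directly to print the router's two fragments (offsets 0 and 185, total lengths 1,500 and 520), the per-fragment versus reassembled verdict for the small fragment attack, and the application data each policy produces for the overlap. The point to carry away is that a content match which fires on the reassembled payload under the Last Rule stays silent under the First Rule, so the sensor's reassembly policy, not merely the presence of reassembly, decides what it sees.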
				<Page>
					<Title>Reassembly Using Snort</Title>
					<Subtitle/>
					<Filename>idsl6_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">As we have seen, it is important for the NIDS and the host machines to reassemble packets in the same way. Otherwise, attackers can easily cause fragmentation blindness or exploit overlapping fragments. Some NIDS let you define their packet reassembly policy so that it matches the policy of the hosts on your network. Snort's Frag3 preprocessor reassembles fragments under a policy you choose: first, last, or an operating-system profile such as linux, windows, bsd, bsd-right, or solaris. Note that a preprocessor processes the packet data before the data is passed through the detection signatures for analysis. Frag3 lets you specify the reassembly policy for particular IP addresses or subnets, plus a default for every other address. Other IDSes may not let you choose a policy at all, or may apply a single policy to all fragments. In mixed environments that have more than one OS, such as Linux, BSD, and/or Windows, Snort's Frag3 preprocessor allows you to customize, or tune, reassembly to the host. Select Tuning the NIDS reassembly to the host to see examples of how to bind the Snort frag3 preprocessor to an OS. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Reassembly Using Snort</Title>
							<Subtitle/>
							<Filename>idsl6_08_01</Filename>
							<PageNbr>8</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> You can use Snort to match, or tune, the way the NIDS reassembles fragments to the way the hosts on your network reassemble them. Remember that, in this lesson, Linux systems use the Last Rule and Windows systems use the First Rule. In the example, a frag3 engine with the linux policy is bound to the Linux host at 192.168.1.17: preprocessor frag3_engine: policy linux bind_to [192.168.1.17/32]. A second engine applies Windows reassembly to the hosts on the subnet 192.168.23.0/24: preprocessor frag3_engine: policy windows bind_to [192.168.23.0/24]. In addition, we have to set a default reassembly policy for every address that no bound engine covers. In this example, we set First, or Windows, reassembly as the default: preprocessor frag3_engine: policy first. All frag3 engines also require a single preprocessor frag3_global line in the configuration. Some organizations use the most prevalent system as the default. Others use the most critical system as the default. Choose your default policy carefully, because it decides how the sensor reassembles traffic for every host you have not bound explicitly. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Tuning Reassembly in SNORT</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1. Popup title: Tuning Reassembly in SNORT. Images of a flat computer device labeled NIDS, server labeled Linux host last rule, and windows host first rule appear. Text appears in support of audio. Under text Snort registered trademark will use Linux reassembly for host 1 92 dot 1 68 dot 1 dot 17 appears the text pre processor frag 3 underscore engine colon space policy space linux space bind underscore to space open bracket 1 92 dot 1 68 dot 1 dot 17 slash 32 closed bracket. Under text Snort registered trademark will use Windows reassembly for hosts on 1 92 dot 1 68 dot 23 dot zero slash 24. pre processor frag 3 underscore engine colon space policy space bind underscore to open bracket 1 92 dot 1 68 dot 23 dot zero slash 24 closed bracket. Under text organization must define a default policy appears the text preprocessor space frag 3 underscore engine colon space policy space first.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 14.  Topic title: Fragmentation. Screen title: Reassembly Using Snort. Text and bullet points appear. Snort logo appears with a trademark symbol and statement Snort is a registered trademark of Source fire Ink. Tuning the NIDS assembly to the host to see examples appears selectable as a popup. Instructions appears to select tuning the NIDS reassembly to the host to see examples. Rollover text displays preprocessor is Software that processes packet data before the data is actually passed through security signatures for reassembly. O S is Operating System. B S D is Berkeley Software Distribution Unix based operating system.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl6_09</Filename>
					<PageNbr>9</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>550</DfltQuestionWidth>
					<DfltFBWidth>625</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Fragmentation occurs at the Network layer of the OSI model.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. Fragmentation occurs at the Network layer, layer 3, of the OSI model.</DfltCorrect>
								<DfltIncorrect>Incorrect. Fragmentation occurs at the Network layer, layer 3, of the OSI model.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Attackers manipulate fragment offsets to overlap fragments.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. Fragmentation poses the risk that attackers will manipulate offsets to evade an IDS.</DfltCorrect>
								<DfltIncorrect>Incorrect. Fragmentation poses the risk that attackers will manipulate offsets to evade an IDS.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Fragmentation attacks are rare, because it is hard to force fragmentation.</Txt>
							<Response>
								<Txt>True</Txt>
							</Response>
							<Response valid="true">
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. Fragmentation attacks occur frequently because tools for forcing fragmentation are easy to use and readily available on the Internet.</DfltCorrect>
								<DfltIncorrect>Incorrect. Fragmentation attacks occur frequently because tools for forcing fragmentation are easy to use and readily available on the Internet.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Snort's&#174; Frag3 preprocessor lets you customize reassembly policies for individual IP addresses and operating systems.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. Snort's&#174; Frag3 preprocessor allows you to define reassembly policies for individual IP addresses and operating systems. This reduces the risk of fragmentation attacks by ensuring the NIDS and hosts reassemble the packets in the same way.</DfltCorrect>
								<DfltIncorrect>Incorrect. Snort's&#174; Frag3 preprocessor allows you to define reassembly policies for individual IP addresses and operating systems. This reduces the risk of fragmentation attacks by ensuring the NIDS and hosts reassemble the packets in the same way.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>NIDS must perform packet reassembly to avoid fragmentation blindness.</Txt>
							<Response valid="true">
								<Txt>True</Txt>
							</Response>
							<Response>
								<Txt>False</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. If the NIDS does not reassemble packets, fragmentation blindness can occur. Even when the NIDS does reassemble packets, the NIDS and host should use the same reassembly method.</DfltCorrect>
								<DfltIncorrect>Incorrect. If the NIDS does not reassemble packets, fragmentation blindness can occur. Even when the NIDS does reassemble packets, the NIDS and host should use the same reassembly method.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of fragmentation. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 14. Topic title: Fragmentation. Screen title: Knowledge Check. This knowledge check presents five statements. For each statement there are two possible answers, true or false. Use the down arrow key to move through the statements and answer options. Use the enter key to make your selections.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Segmentation</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Segmentation Overview</Title>
					<Subtitle/>
					<Filename>idsl6_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">There is an alternative to fragmentation for sending messages that exceed the next hop's MTU. While fragmentation breaks IP packets into smaller pieces, segmentation breaks TCP segments into smaller segments. To understand segmentation, let's revisit the OSI model. Fragmentation breaks IP packets at Layer 3 of the OSI model, the Network layer. Segmentation works on segments at Layer 4, the Transport layer. The mnemonic SPF10 (segments, packets, frames, ones and zeros) can help keep these ideas straight. Layer 1 concerns ones and zeros, that is, the physical signals and the hardware. Layer 2 works with frames. Layer 3 deals with packets and fragmentation, while Layer 4 deals with segments and segmentation: SPF10. So segmentation happens at Layer 4 and involves breaking data segments into smaller segments. A segment is the actual data, or payload, carried in TCP after the TCP header. Consider that a typical MTU is 1,500 bytes. A typical IP header is 20 bytes, leaving 1,480 bytes for the payload, and a typical TCP header is another 20 bytes. This leaves a maximum of 1,460 bytes of data per packet after the 20-byte IP header and the 20-byte TCP header. Easy, right? Now, what if we are sending very large amounts of data, beyond 1,460 bytes per packet? We can let fragmentation occur; however, fragmentation can easily be manipulated by attackers through, for example, small packet attacks, overlapping fragments, and NIDS fragmentation timeouts. Alternatively, we can use segmentation to divide the data into smaller portions at Layer 4. Normally the operating system selects the segment size, but the Maximum Segment Size, or MSS, is a TCP option that you can use to force segmentation. There is no minimum segment size; data can be broken into extremely small segments. Again, as with fragmentation, attackers can use very small segment sizes to try to bypass IDSes. Let's take a look at an example of normal and abnormal segmentation. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 14. Topic title: Segmentation. Screen title: Segmentation Overview. Text fragment train appears. An animation displays a group of encircled ones and zeroes labeled large packet moving toward a router image labeled Ethernet. Another router image appears labeled cellular. These router images are connected by two lines. An animation shows the encircled ones and zeroes splitting into smaller encircled groups of ones and zeroes. These groups appear connected by a line and are labeled and sequenced 4 3 2 and 1. Animation shows the encircled ones and zeroes moving out of sequence and onto the lines connecting the two router images. The encircled ones and zeroes move toward a server image, fall into the original sequence 4 3 2 and 1, and appear connected by a line. Text appears in support of audio. An image labeled O S I model appears with a stack of seven text boxes labeled from top to bottom as Application, Presentation, Session, Transport, Network, Data Link, and Physical. Text packet fragmentation appears next to the Network box. The text Segments layer 4, Packets layer 3, Frames layer 2, and ones and zeroes layer 1 network access appear next to the Transport, Network, and Data Link boxes respectively. Images and text fade off. Router image with text packet M T U equals fifteen hundred bytes appears. A rectangular image representing a packet header appears divided into five rows. Each row is divided into labeled sections displaying packet header fields. Row 1 displays Version, I H L, Type of Service, and Total Length. Row 2 displays Identification, Flags, and Fragment Offset. Row 3 displays Time to Live, Protocol, and Header Checksum. Row 4 displays Source Address. Row 5 displays Destination Address. The top of the rectangle is divided into 8 equal sections representing chunks of 4 bits. The top edge is labeled 0 4 8 12 16 20 24 28 and 31. An additional row appears labeled 1480 bytes of data. 
Another packet header image appears with the additional row labeled 1460 bytes. Callouts appear in support of audio. Text and bullet points appear. Rollover displays M S S Maximum Segment Size.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Small Segment Example</Title>
					<Subtitle/>
					<Filename>idsl6_11</Filename>
					<PageNbr>11</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Consider an example of normal and abnormal segmentation of a message that contains a GET /etc/shadow FTP attack. In both the normal and the abnormal case, one thousand bytes of data need to be transmitted. With normal segmentation, the thousand bytes of payload fit into one segment, because that is less than the normal TCP segment size of 1,460 bytes. Remember that the typical MTU is 1,500 bytes and that typical IP and TCP headers are 20 bytes each, which leaves 1,460 bytes for the data section. So this data is sent as one packet, and the NIDS must analyze one packet to analyze all of the data. Represented visually, the segment looks normal: a 20-byte IP header, a 20-byte TCP header, and the message GET /etc/shadow. Abnormal segmentation would be a segment size of four bytes. In this case, the data is divided and sent in two hundred fifty individual packets, and the NIDS must analyze all two hundred fifty packets in order to analyze all of the data. Represented visually, the segments do not look normal: a 20-byte IP header, a 20-byte TCP header, and GET; a 20-byte IP header, a 20-byte TCP header, and /etc; a 20-byte IP header, a 20-byte TCP header, and /sha; a 20-byte IP header, a 20-byte TCP header, and dow. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 11 of 14. Topic title: Segmentation. Screen title: Small Segment Example. Text displays example of normal and abnormal segmentation and f t p attack get et see shadow. Table displays four rows labeled data size, segment size, packets sent, and packets NIDS must analyze. Columns are labeled Normal segmentation and Abnormal segmentation. Data size for normal segmentation is 1,000; abnormal is 1,000. Normal segment size is 1,000; abnormal is 4. Normal packets sent is 1; abnormal is 250. Normal packets NIDS must analyze is 1; abnormal is 250. Text Abnormal T C P segment size displays. Four images representing abnormal segmentation appear. Each image shows two rows labeled 20 byte I P header and 20 byte T C P header. Each image displays segment data contained in boxes. Data is narrated and highlighted in support of audio. Rollover text displays slash e t c slash shadow or et see shadow is a file that stores secure user account information in encrypted format.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>NIDS and Segmentation</Title>
					<Subtitle/>
					<Filename>idsl6_12</Filename>
					<PageNbr>12</PageNbr>
					<ShowText>
						<Txt frameNbr="1">It is important for IDS analysts to be aware of how attackers may use small segments to evade detection. Attackers know that a NIDS will automatically try to reassemble segments, which increases the load on the IDS, and that a NIDS under heavy load may miss the attack. An advanced technique used by attackers is to send a large number of small, innocuous segments so that the NIDS, under the resulting heavy load, may miss other attacks. A NIDS may issue small segment alerts when small segments are detected. An attentive analyst examines the small segment alerts from the NIDS to see whether there is a pattern or a larger attack underway. In short, analysts need to understand how segmentation increases the load on a NIDS, and why attackers may use small segments to evade detection. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 12 of 14. Topic title: Segmentation. Screen title: NIDS and segmentation. Text and bullet points appear.</ContentDescription></Sec508Data></Page>			
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl6_13</Filename>
					<PageNbr>13</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>550</DfltQuestionWidth>
					<DfltFBWidth>625</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Which facts related to segmentation pose the greatest risk of attacks?</Txt>
							<Response>
								<Txt>The maximum segment size is a TCP option. 
Segmentation occurs at Layer 4 of the OSI model.</Txt>
							</Response>
							<Response valid="true">
								<Txt>TCP does not set a minimum segment size. 
A NIDS automatically performs segment reassembly.</Txt>
							</Response>
							<Response>
								<Txt>The maximum segment size is a TCP option. 
A NIDS generates small segment alerts.</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. The two facts that TCP does not set a minimum segment size, and that a NIDS automatically performs segment reassembly, make it possible for attackers to evade detection by overloading the system with small segments.</DfltCorrect>
								<DfltIncorrect>Incorrect. The two facts that TCP does not set a minimum segment size, and that a NIDS automatically performs segment reassembly, make it possible for attackers to evade detection by overloading the system with small segments.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of small segment attacks and their risks. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 13 of 14. Topic title: Segmentation. Screen title: Knowledge check. This knowledge check presents a multiple choice question. There are three possible answers. Use the down arrow key to move through the answer options. Use the enter key to make your selections. </ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>idsl6_14</Filename>
					<PageNbr>14</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the Advanced Concepts in Incident Detection lesson. You should now be able to identify fragmentation and segmentation, and their risks. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 14 of 14. Topic title: Conclusion. Screen title: Summary and Conclusion. The word Congratulations appears in large text. Text and bullet points display lesson objectives. Bullet points turn into checkmarks in sync with audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
