Jun 18, 2010

Fragroute – Bug in 24-byte fragmentation

In our Q4 2009 IPS test, we tested Network Intrusion Prevention Systems on their ability to resist 60 different evasion techniques: IP Fragmentation (9), TCP Segmentation (11), RPC Fragmentation (16), URL Obfuscation (15), and FTP/Telnet evasions (9).

On May 19, 2010, TippingPoint brought to our attention a bug in fragroute, the de facto evasion tool for IP fragmentation. This flaw corrupts one of the evasion techniques: 24-byte fragments. Over the past few weeks, NSS Labs has retested all of the products from the Q4 2009 IPS Group Test with an alternate version of the tool that does not corrupt traffic when fragmenting into 24-byte segments.
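As an added illustration (not NSS Labs' or fragroute's code), the following Python sanity check fragments a constructed payload into 24-byte pieces using the RFC 791 offset rules and reassembles it, so that a gap, overlap or missing final fragment surfaces as the kind of traffic corruption described above. The (offset, more-fragments, data) tuple layout and the sample payload are assumptions made for this example.

```python
# Added example: minimal IPv4-style fragmenter and reassembler used to verify
# that a 24-byte fragmentation round-trips the original payload intact.
# The tuple layout (offset_units, more_fragments, data) is a constructed
# stand-in for the IPv4 header fields that matter for reassembly.

def fragment(payload: bytes, frag_size: int) -> list:
    """Split payload into fragments of frag_size bytes.

    Every fragment except the last must carry a multiple of 8 bytes because
    the IPv4 fragment offset field counts 8-byte units (RFC 791); 24 bytes
    is 3 units, which is why a 24-byte fragment size is legal."""
    if frag_size <= 0 or frag_size % 8 != 0:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for start in range(0, len(payload), frag_size):
        data = payload[start:start + frag_size]
        more = start + frag_size < len(payload)   # MF flag
        frags.append((start // 8, more, data))
    return frags


def reassemble(frags) -> bytes:
    """Rebuild the payload from fragments delivered in any order.

    Raises ValueError on a gap, an overlap, data after the final fragment,
    or a missing final fragment: the symptoms a receiver sees when a
    fragmenting tool corrupts the stream."""
    ordered = sorted(frags, key=lambda f: f[0])
    buf = bytearray()
    expected = 0          # next byte offset we must see
    saw_last = False
    for offset_units, more, data in ordered:
        if saw_last:
            raise ValueError("data after final fragment")
        if offset_units * 8 != expected:
            raise ValueError(f"gap or overlap at byte offset {offset_units * 8}")
        buf += data
        expected += len(data)
        if not more:
            saw_last = True
    if not saw_last:
        raise ValueError("final fragment missing")
    return bytes(buf)


def round_trip_ok(payload: bytes, frag_size: int = 24) -> bool:
    """True when fragmenting then reassembling returns the original bytes."""
    return reassemble(fragment(payload, frag_size)) == payload


if __name__ == "__main__":
    sample = bytes(range(100))   # constructed: fragments as 24,24,24,24,4
    print("24-byte round trip:", round_trip_ok(sample, 24))
```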

We found that all of the devices that initially passed this test continued to pass. In addition, we determined that TippingPoint does block the 24-byte fragmentation evasion with the non-corrupted attack. The findings for all other evasion tests remain unaltered.

The Q4 2009 IPS Group Test is being modified to reflect this update.