
Research On Handling IP Fragment In BSD Packet Filter

Posted on: 2013-01-22
Degree: Master
Type: Thesis
Country: China
Candidate: L Q Li
Full Text: PDF
GTID: 2248330371497133
Subject: Electronics and Communications Engineering

Abstract/Summary:
The BSD Packet Filter (BPF) is a raw interface to the data link layer on some Unix-like systems. It provides a way to send and receive raw link-layer packets. In addition, it supports packet filtering, so that only the packets of interest are passed to upper-layer software; the remaining packets need not be copied from the operating-system kernel to software running in user mode. This reduces the cost of packet capture and the buffer size required, and in turn lowers the packet loss ratio. BPF cannot, however, handle IP fragmentation. Packet filtering equipment based on the BPF model currently handles only the first fragment of a fragmented IP datagram and refuses to handle the other fragments, so the equipment can merely accept or reject that first fragment.

There are two different approaches to this problem: the first is to handle each IP fragment during reassembly, either in kernel mode or with the help of third-party software in user mode; the second is to add IP fragment handling to the BPF model in kernel mode. This thesis adopts the second approach because it filters the IP fragments inside the packet filtering equipment itself, which solves the problem closer to its origin and improves the efficiency of packet transmission. On this basis, the thesis also proposes a new way of defending against IP fragmentation attacks in kernel mode, built on filtering IP fragments within the packet filter. Because the fragments of a datagram may arrive out of order or not arrive at all, and because only the first fragment carries the transport-layer protocol header, the thesis discusses two cases.

First, if the fragment offset in the IP header of an arriving packet is zero, we determine from the flag bits in the IP header whether the packet is the first fragment of a fragmented datagram. If it is, we save the 16-bit identifier from the IP header, together with related information such as the source IP address, in a buffer, and the buffer is emptied after a specified period of time. If it is not, the packet is not an IP fragment and BPF handles it normally. Second, if the fragment offset in the IP header of an arriving packet is not zero, the packet must be a non-first fragment. If the first fragment with the same identifier was received within the specified period, the non-first fragment shares its transport-layer protocol header information; if not, we save the related information of the non-first fragment in a buffer. If the first fragment with the same identifier is then received within the specified period, the non-first fragment shares the transport-layer protocol information of that first fragment; if not, the non-first fragment is abandoned. The experimental results show that this method lets BPF correctly and efficiently handle both unfragmented packets and all kinds of IP fragmented packets, and effectively prevents certain types of IP fragmentation attacks. Finally, we summarize the work and give an outlook on future work.
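The two cases described above, written out as an added C example that is not part of the thesis or its implementation: a fixed-size cache keyed by source and destination address, identification and protocol remembers the transport-layer ports seen in a first fragment so that later fragments of the same datagram can be matched on them, holds non-first fragments that arrive before their first fragment, and abandons them once a timeout passes. The slot count, the 30-second timeout, every function and type name, and the constructed sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not code from the thesis: a minimal fragment-context cache that
 * lets a kernel packet filter apply transport-layer rules to non-first IPv4
 * fragments.  Slot count, timeout and all names are assumptions for illustration. */
#define FRAG_SLOTS   16
#define FRAG_TTL_SEC 30   /* assumed value of the "specified period of time" */

enum frag_verdict {
    V_NOT_FRAGMENT,   /* offset 0, MF clear: ordinary packet, filter as usual */
    V_FIRST_FRAGMENT, /* offset 0, MF set: transport header recorded          */
    V_FRAG_SHARED,    /* non-first fragment, first fragment already seen      */
    V_FRAG_HELD,      /* non-first fragment, waiting for its first fragment   */
    V_FRAG_DROPPED    /* malformed, or the cache cannot hold it               */
};

struct frag_entry {
    int      used, have_l4;      /* have_l4: first fragment has supplied the ports */
    uint32_t src, dst, stamp;    /* key addresses; creation time in seconds        */
    uint16_t id, sport, dport;   /* key identification; recorded transport ports   */
    uint8_t  proto;              /* key protocol                                   */
};

static struct frag_entry cache[FRAG_SLOTS];

void frag_cache_reset(void) { memset(cache, 0, sizeof cache); }
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Look up the entry for a key; NULL when absent. */
static struct frag_entry *frag_find(uint32_t s, uint32_t d, uint16_t id, uint8_t pr) {
    for (int i = 0; i < FRAG_SLOTS; i++)
        if (cache[i].used && cache[i].src == s && cache[i].dst == d &&
            cache[i].id == id && cache[i].proto == pr) return &cache[i];
    return NULL;
}

/* Claim a free slot for a new key; NULL when the cache is full. */
static struct frag_entry *frag_alloc(uint32_t s, uint32_t d, uint16_t id, uint8_t pr, uint32_t now) {
    for (int i = 0; i < FRAG_SLOTS; i++) {
        struct frag_entry *e = &cache[i];
        if (e->used) continue;
        memset(e, 0, sizeof *e);
        e->used = 1; e->src = s; e->dst = d; e->id = id; e->proto = pr; e->stamp = now;
        return e;
    }
    return NULL;
}

/* Empty entries older than FRAG_TTL_SEC.  Returns how many were still waiting
 * for a first fragment, i.e. how many held fragments are abandoned. */
int frag_cache_expire(uint32_t now) {
    int abandoned = 0;
    for (int i = 0; i < FRAG_SLOTS; i++) {
        struct frag_entry *e = &cache[i];
        if (!e->used || now - e->stamp <= FRAG_TTL_SEC) continue;
        if (!e->have_l4) abandoned++;
        e->used = 0;
    }
    return abandoned;
}

/* Classify one IPv4 packet.  On V_FIRST_FRAGMENT and V_FRAG_SHARED the
 * transport ports a filter rule can match on are written to *sport/*dport. */
enum frag_verdict frag_classify(const uint8_t *pkt, size_t len, uint32_t now,
                                uint16_t *sport, uint16_t *dport) {
    if (len < 20 || (pkt[0] >> 4) != 4) return V_FRAG_DROPPED;
    size_t   ihl    = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t fo     = be16(pkt + 6);
    int      mf     = (fo & 0x2000) != 0;
    uint16_t offset = fo & 0x1fff;                 /* in 8-byte units */
    uint16_t id     = be16(pkt + 4);
    uint8_t  proto  = pkt[9];
    uint32_t src    = be32(pkt + 12), dst = be32(pkt + 16);
    if (ihl < 20 || len < ihl) return V_FRAG_DROPPED;
    if (offset == 0) {
        if (!mf) return V_NOT_FRAGMENT;            /* case 1: not a fragment */
        if (len < ihl + 4) return V_FRAG_DROPPED;  /* first fragment must carry the ports */
        struct frag_entry *e = frag_find(src, dst, id, proto);
        if (!e) e = frag_alloc(src, dst, id, proto, now);
        if (!e) return V_FRAG_DROPPED;
        e->have_l4 = 1; e->sport = be16(pkt + ihl); e->dport = be16(pkt + ihl + 2);
        *sport = e->sport; *dport = e->dport;
        return V_FIRST_FRAGMENT;
    }
    /* case 2: non-first fragment, which carries no transport header of its own */
    struct frag_entry *e = frag_find(src, dst, id, proto);
    if (e && e->have_l4) { *sport = e->sport; *dport = e->dport; return V_FRAG_SHARED; }
    if (!e && !frag_alloc(src, dst, id, proto, now)) return V_FRAG_DROPPED;
    return V_FRAG_HELD;
}

/* Constructed sample packet for exercising the classifier: an option-less IPv4
 * header plus 4 payload bytes holding the ports; returns the total length. */
size_t make_ipv4(uint8_t *buf, uint16_t id, int mf, uint16_t off8, uint8_t proto,
                 uint16_t sport, uint16_t dport) {
    const uint8_t addrs[8] = {192, 168, 1, 10, 192, 168, 1, 20};  /* constructed hosts */
    uint16_t fo = (uint16_t)((mf ? 0x2000 : 0) | (off8 & 0x1fff));
    memset(buf, 0, 24);
    buf[0] = 0x45; buf[8] = 64; buf[9] = proto;
    buf[4] = (uint8_t)(id >> 8); buf[5] = (uint8_t)id; buf[6] = (uint8_t)(fo >> 8); buf[7] = (uint8_t)fo;
    memcpy(buf + 12, addrs, 8);
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    return 24;
}
```

The key deliberately includes the addresses and the protocol, not just the 16-bit identification, because identification values wrap quickly and two hosts can reuse the same value at the same time. A kernel implementation would also bound the number of entries per source address and treat a full cache as an event worth counting, since the cache is itself a resource that a flood of orphan fragments can exhaust.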
Keywords/Search Tags: Network information security, IP fragmentation attack, BSD packet filter, Filtering packet in kernel