What is an IP fragmentation attack?
If your favorite website ever fails to load, one possible reason is a denial-of-service attack. Among the many mechanisms attackers abuse is the way IP splits data into pieces and puts them back together on the way to its destination.
Attackers have been using this technique for many years. Even though operating systems and network equipment now have far better defenses against it, cybercriminals still reach for it as low-hanging fruit.
Below we explain how it works and how to prevent it.
How does IP fragmentation work?
To understand IP fragmentation attacks, you need to understand IP fragmentation, and to understand IP fragmentation, you need to understand packet switching.
What is packet switching?
Packet switching means breaking data into discrete packets, each carrying its own addressing information, and forwarding them hop by hop. Most devices send data as IP packets, and every link imposes a limit on how big a packet can be.
Packet switching can be connection-oriented or connectionless. Connection-oriented switching sets up a path (a virtual circuit) before any data flows and delivers packets in order along that path.
Connectionless switching treats every packet as self-contained and routes it independently rather than along a pre-arranged path. These packets are called datagrams. Datagrams may take different routes and arrive out of order, so the receiver has to do the work of putting them back together. IP is connectionless, and this less-structured method is what fragmentation attacks exploit.
What is fragmentation?
IP fragmentation is the process of dividing a datagram into smaller datagrams, called fragments, each small enough to fit the maximum transmission unit (MTU) of the link it has to cross (1,500 bytes on standard Ethernet). Every fragment carries a copy of the IP header with the same identification value, a fragment offset (counted in 8-byte units) and a More Fragments (MF) flag, which is what lets the receiver put the pieces back in order. You can think of the MTU as a work desk: there is only so much you can fit on it at once before things start falling off.
The receiving host reassembles the fragments into the original datagram before handing it to the transport layer. In IPv4, a router that meets a datagram too big for the next link fragments it again, unless the Don't Fragment (DF) flag is set, in which case it drops the datagram and sends back an ICMP "fragmentation needed" message. (IPv6 routers never fragment; only the sender does.)
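To make the mechanics concrete, here is an added example (not code from the original article) that fragments a payload into IPv4 fragments that fit a given MTU and then reassembles them in any arrival order. The addresses, the identification value and the payload are constructed for the example; checksums are left at zero for brevity, and the header is the minimal 20-byte form with no options.

```python
import struct

IHL = 20                 # minimal IPv4 header, no options (assumption for this example)
MF = 0x2000              # "More Fragments" bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF     # low 13 bits: fragment offset in 8-byte units
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses


def ipv4_header(data_len, ident, flags_offset, proto=17):
    """Minimal IPv4 header: version 4, IHL 5, TTL 64. Checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL + data_len, ident,
                       flags_offset, 64, proto, 0, SRC, DST)


def fragment(payload, ident, mtu):
    """Split one datagram payload into IPv4 fragments that each fit `mtu` bytes."""
    if mtu < IHL + 8:
        raise ValueError("MTU too small to carry any fragment data")
    # Every fragment except the last must carry a multiple of 8 data bytes,
    # because the offset field counts 8-byte blocks.
    max_data = (mtu - IHL) // 8 * 8
    frags, off = [], 0
    while off < len(payload):
        chunk = payload[off:off + max_data]
        more = off + len(chunk) < len(payload)          # MF set on all but the last piece
        flags_offset = (MF if more else 0) | (off // 8)
        frags.append(ipv4_header(len(chunk), ident, flags_offset) + chunk)
        off += len(chunk)
    return frags


def parse(frag):
    """Pull the reassembly-relevant fields out of one fragment: (ident, offset, more, data)."""
    ver_ihl, _, total_len, ident, flags_offset, _, _, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", frag[:IHL])
    ihl = (ver_ihl & 0x0F) * 4
    return ident, (flags_offset & OFFSET_MASK) * 8, bool(flags_offset & MF), frag[ihl:total_len]


def reassemble(frags):
    """Rebuild the payload from fragments given in any order.
    Returns None if a fragment is missing, or if the pieces do not line up exactly."""
    parsed = sorted(parse(f) for f in frags)            # sorts by (ident, offset)
    if not parsed or len({p[0] for p in parsed}) != 1:  # all pieces must share one ident
        return None
    out, expected = bytearray(), 0
    for _, offset, _, data in parsed:
        if offset != expected:                          # a hole (missing piece) or an overlap
            return None
        out += data
        expected += len(data)
    if parsed[-1][2]:                                   # highest-offset piece still says "more"
        return None
    return bytes(out)


if __name__ == "__main__":
    payload = bytes(range(256)) * 12                    # constructed 3,072-byte payload
    pieces = fragment(payload, ident=7, mtu=576)        # 576 is the classic minimum IPv4 MTU
    print([parse(p)[1] for p in pieces])                # offsets: 0, 552, 1104, 1656, 2208, 2760
    assert reassemble(reversed(pieces)) == payload
```

With a 576-byte MTU each fragment can carry 556 bytes of data, which rounds down to 552 so that the offset stays a whole number of 8-byte blocks; a 3,072-byte payload therefore becomes five 552-byte fragments and one 312-byte tail. Note that `reassemble` refuses anything that is not a gap-free, non-overlapping sequence ending in a fragment with MF clear, which is exactly the set of conditions the attacks below are designed to violate.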
What is an IP fragmentation attack?
An IP fragmentation attack abuses IP fragmentation to disrupt services, exhaust resources or disable devices. In most of its forms it is a denial of service (DoS) attack.
There are many forms of IP fragmentation attacks. They generally involve sending fragments that cannot be reassembled on delivery. The goal is to tie up the target's reassembly resources (buffers, timers and CPU) so that it cannot perform the operations it is supposed to.
These are some of the most widely used IP fragmentation attacks:
Tiny fragment attack
Every IP packet consists of a header and a payload. The header contains the information that directs the packet to its destination, while the payload is the data it carries there. When a packet is fragmented, the transport-layer header (TCP or UDP) normally travels in the first fragment's payload.
In a tiny fragment attack, the attacker deliberately makes the first fragment so small that it cannot even hold the complete transport-layer header; the rest of that header, including the port numbers and TCP flags, arrives in a later fragment. A packet filter that decides based on the first fragment alone cannot see the fields it needs and may let the traffic through, and reassembly code that assumes a complete header in fragment zero can mishandle it. The classic countermeasure (RFC 1858) is to drop first fragments too short to hold the transport header, and to drop TCP fragments whose offset is 1 (8 bytes), since such a fragment can only exist to overwrite the tail of that header.
UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol) fragmentation attacks
In these attacks, the target is flooded with fragmented UDP or ICMP datagrams that are deliberately incomplete or oversized (the "ping of death" sends ICMP fragments whose offsets add up to more than the 65,535-byte maximum an IP datagram can have). The target allocates a reassembly buffer and a timer for every fragment set and has to wait for pieces that never arrive, which quickly exhausts its memory and CPU and prevents it from performing its intended operations.
TCP (Transmission Control Protocol) fragmentation attack (or teardrop attack)
A teardrop attack sends fragments whose offsets and lengths are deliberately inconsistent, so they cannot be reassembled: fragments are missing, or they overlap (the second fragment's offset points inside the range the first one already covered). It targets the reassembly code in the operating system or in an inline security device. Although it is often called a TCP fragmentation attack, the damage is done at the IP layer, whatever protocol the fragments encapsulate.
Without proper protection, such fragments can cause an operating system to freeze or crash because it is unable to process them. Older operating systems were notoriously vulnerable to overlapping fragments; modern kernels detect the overlap and discard the whole fragment set.
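The three attack types above (tiny first fragment, oversized reassembly and overlapping teardrop fragments) can all be recognised from the IP header fields alone, which is what a firewall or IDS in front of the host does. The following added example (not code from the original article) implements those checks over a small constructed capture; the sample fragments, addresses and the minimum-header policy in MIN_FIRST_FRAGMENT are assumptions made for the example.

```python
import struct
from collections import defaultdict

IHL = 20
MF = 0x2000
OFFSET_MASK = 0x1FFF
MAX_DATAGRAM = 65535          # largest total length an IPv4 datagram can have
# Policy (assumed for this example): a first fragment must carry a full transport header.
# 20 bytes for TCP (proto 6), 8 for UDP (17) and ICMP (1).
MIN_FIRST_FRAGMENT = {6: 20, 17: 8, 1: 8}


def parse_ipv4(pkt):
    """Extract the fields a fragment filter needs from a raw IPv4 packet."""
    ver_ihl, _, total_len, ident, flags_offset, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:IHL])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "key": (src, dst, ident, proto),            # identifies one reassembly set
        "proto": proto,
        "start": (flags_offset & OFFSET_MASK) * 8,  # first payload byte this piece covers
        "mf": bool(flags_offset & MF),
        "data_len": total_len - ihl,
    }


def inspect(pkts):
    """Return (packet index, reason) for every fragment a filter should drop."""
    seen = defaultdict(list)     # reassembly set -> accepted (start, end) byte ranges
    alerts = []
    for i, pkt in enumerate(pkts):
        f = parse_ipv4(pkt)
        start, end = f["start"], f["start"] + f["data_len"]
        if start == 0 and not f["mf"]:
            continue             # unfragmented datagram: nothing to check here
        if start == 0 and f["data_len"] < MIN_FIRST_FRAGMENT.get(f["proto"], 8):
            alerts.append((i, "tiny first fragment"))    # transport header split across pieces
        elif start == 8 and f["proto"] == 6:
            alerts.append((i, "fragment at offset 1"))   # RFC 1858: can only overwrite TCP header
        elif end > MAX_DATAGRAM:
            alerts.append((i, "oversized reassembly"))   # ping-of-death style
        elif any(start < e and s < end for s, e in seen[f["key"]]):
            alerts.append((i, "overlapping fragment"))   # teardrop style
        else:
            seen[f["key"]].append((start, end))
    return alerts


def make(ident, offset, more, data_len, proto):
    """Constructed sample fragment with the given byte offset and payload length."""
    flags_offset = (MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL + data_len, ident, flags_offset,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + bytes(data_len)


# Constructed capture: one legitimate fragment pair followed by one sample of each attack.
SAMPLE = [
    make(1, 0, True, 1480, 17),     # 0: legitimate UDP datagram, first fragment
    make(1, 1480, False, 100, 17),  # 1: ...and its last fragment
    make(2, 0, True, 8, 6),         # 2: tiny fragment: only 8 of the 20 TCP header bytes
    make(3, 0, True, 32, 17),       # 3: teardrop pair: first piece covers bytes 0-31...
    make(3, 24, False, 16, 17),     # 4: ...second piece claims to start at byte 24
    make(4, 65528, False, 16, 1),   # 5: ICMP tail fragment ending past 65,535 bytes
]

if __name__ == "__main__":
    for index, reason in inspect(SAMPLE):
        print(f"packet {index}: drop ({reason})")
```

The overlap test is deliberately strict: a retransmitted copy of a fragment already accepted also matches it, so a production filter would compare contents (or simply discard the duplicate) rather than treat it as hostile. The one case this stateless-per-packet view cannot catch is a fragment set that is simply never completed; that is handled by the reassembly timeout and memory cap on the host (on Linux, `net.ipv4.ipfrag_time` and `net.ipv4.ipfrag_high_thresh`), which bound how long and how much an attacker can make the kernel wait.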
How to protect yourself from IP fragmentation attacks
You can minimize the risk of an IP fragmentation attack by employing one or more of these methods:
- Inspect incoming packets with a router, a secured proxy server, a firewall or an intrusion detection system, and drop fragments that are too small to hold a transport header, that overlap, or that add up to more than a datagram can hold.
- Make sure that your OS is up to date and has all the latest security patches installed, since fragment reassembly is handled by the kernel.
- You can block fragmented IP packets outright by dropping them at the perimeter. However, some legitimate traffic (for example, from mobile devices, or large UDP responses that exceed the path MTU) relies on fragmentation, so blocking it can break connectivity.
A multilayered approach works best. We recommend combining the first two methods for the best balance of protection and connectivity.