IP fragmentation attack: Definition, types, and prevention

What is an IP fragmentation attack?

IP fragmentation attacks generally involve sending datagrams that are impossible to reassemble upon delivery. The goal is to abuse servers’ resources and prevent them from performing the operations they are supposed to.

How does IP fragmentation attack work?

IP fragmentation attack targets the way the internet breaks down and transmits data. So to understand the principle of this attack, let’s break down the fragmentation process first. When data packets exceed the maximum transmission unit (MTU) size, the router breaks them into smaller, easier-to-transmit pieces. These fragments are reassembled into the original packet as soon as they reach their destination.

In an IP fragmentation attack, the attacker exploits this process by creating problematic data packets to reassemble after fragmentation. The attacker may craft overlapping or incomplete fragments missing key information, which makes the reassembly process very resource-intensive or impossible.

Such faulty data packets create confusion and chaos. The system spends a lot of time and resources trying to piece together these packets, which slows down or crashes the system and increases the attack surface for further exploitation.

Why do IP fragmentation attacks happen?

The fragmentation process is so appealing to hackers for various reasons. They usually seek to:

• Interrupt data reassembly. Attackers disrupt system operations by interfering with the normal fragmentation process and slowing down the packet reassembly.
• Circumvent firewalls. Attackers use IP fragmentation to sneak malicious data through firewalls. Fragmented packets are less likely to trigger security alerts, allowing the malware to enter a network.
• Exploit wireless networks. Wireless networks are susceptible to IP fragmentation attacks due to their open-air transmission method. Attackers exploit these vulnerabilities to disrupt wireless communication or gain unauthorized access.
• Drain system resources. Forcing a network to deal with a flood of fragmented data requires significant processing power and memory. This can lead to a complete shutdown of services.

Types of IP fragmentation attacks

By knowing the different types of IP fragmentation attacks, you can recognize the signs and methods of a cyberattack and prepare your cybersecurity strategy accordingly. Keeping your systems secure is about making your defenses smarter, not just stronger.

• Tiny fragment attack. Every IP packet consists of a header (the information directing the packet to its destination) and a payload (a body of data). A tiny fragment attack occurs when a tiny packet fragment gets into the server. This happens when one of the fragments is so tiny that it can’t even fit its own header. Part of that packet’s header is sent as a new fragment. This can cause reassembly problems and shut down a server.
• Teardrop attack. A teardrop attack uses packets designed to be impossible to reassemble upon delivery. They can be incomplete or overlapping. It is usually directed towards defragmentation or security systems. Without proper protection, these packets can cause an operating system to freeze or crash as it cannot process them.
• Bonk attack. Bonk attacks happen when an attacker sets oversized fragments, causing the system to crash. Bonk usually targets older Windows versions.
• UDP and ICMP fragmentation attacks. In User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) fragmentation attacks, servers are flooded with oversized or otherwise corrupt packets that they must reject. This can quickly overload a server’s resources and prevent it from performing its intended operations.
• Fragrouter tool. The fragrouter tool bypasses intrusion detection systems (IDS) by fragmenting data packets, making it hard for IDS to detect malicious activity.

How to protect yourself from IP fragmentation attacks

You can minimize the risk of an IP fragmentation attack by employing a combination of these methods:

1. Inspect your network. Inspect incoming packets using a router, a secured proxy server, firewalls, or intrusion detection systems. Analyze IP traffic patterns for abnormalities.
2. Update your software. Ensure that your OS and security software, like firewalls and IPS, is up to date and has all the latest security patches installed.
3. Manage packet fragmentation. You can block fragmented IP packets by cutting your connection with anyone who sends them. However, some benign connections (e.g., mobile devices) use fragmented packets, so disabling them might cause disruptions in your traffic.
4. Implement IDS. Configure IDS to recognize the signs of an IP fragmentation attack and alert you about intrusion.
5. Use a reputable VPN. A VPN adds a layer of security by encrypting your online traffic. It will keep your online activities private and ensure data integrity in case of an IP fragmentation attack.

FAQ

What is packet switching?

Most devices send data in IP packets of a specific size. This is called packet switching. Connection-based packet switching delivers and receives data in a predetermined order and establishes a communication route beforehand.

Connectionless packet switching is when every data packet is self-sufficient and routed independently rather than in a pre-arranged path. These packets are called datagrams. Datagrams travel in random order. Because of this less-structured communication method, attackers can use it to launch attacks on servers.

What is fragmentation?

IP fragmentation is dividing a datagram into smaller chunks of information called packets. These need to be of a specific size so that the receiving parties can process them and transfer data successfully. You can think of this requirement as a work desk – there’s only so much stuff you can fit on it at once before things start falling off.

The receiving party then reassembles all these packets so they can understand the data they got. If the datagram is too big, a server can either drop it or re-fragment the packet.