WP What is an IP Fragmentation Attack (Teardrop ICMP/UDP) | Imperva

IP Fragmentation Attack

129.7k views
DDoS

What is IP Fragmentation Attack?

IP fragmentation attacks is a type of cyber attack that exploits how IP packets are fragmented and reassembled to evade security controls and launch attacks.

Attackers manipulate fragmented packet parameters like offsets and sizes to trigger vulnerabilities or bypass firewall rules.

Example of how an IP datagram is fragmented and reassembled
Example of how an IP datagram is fragmented and reassembled

How IP Fragmentation Works

IP fragmentation occurs when an IP packet exceeds the Maximum Transmission Unit (MTU) size for a network path. Routers must split the large packet into smaller fragments to be transmitted.

The router divides the IP packet into fragments starting with offset 0. A header is added to each fragment containing:

  • Identification – Unique ID matching all fragments
  • Flags – Indicates first, middle, or last fragment
  • Offset – The fragment position within the original packet

The destination host reassembles the fragments using the identification and offset fields. Fragments arrive out-of-order, so buffering allows reordering before reassembly.

IP Fragmentation Attacks

Attackers abuse IP fragmentation to evade security controls and exploit vulnerable systems:

  • Disrupt reassembly – Sends malformed fragments that cause errors or crashes during the reassembly process, resulting in denial-of-service.
  • Bypass firewalls – Firewall rules are avoided by sending attacks in fragmented packets that are not inspected.
  • Target wireless networks – Fragmentation exacerbates security risks in wireless networks by interfering with integrity mechanisms and exposing data.
  • Overload resources – Large volumes of fragments can overwhelm network capacity and server resources.
  • Takedown websites – Fragmented attacks make web servers unavailable by consuming excessive resources or triggering crashes.
  • Evade detection – Malware and exploits are obfuscated by splitting across random fragment offsets to avoid signature detection.
  • Achieve denial-of-service (DoS) – Most fragmentation attacks aim to disrupt the availability of networks, systems, and services through different attack vectors.

Types of Fragmentation Attacks

There are several specialized forms of fragmentation attacks, including:

Teardrop Attack

Sends offset and size fields designed to overwrite the header during reassembly. This has the ability to crash many older systems.

Bonk Attack

Uses a large fragment designed to crash systems attempting to allocate huge buffers during reassembly.

Fragrouter Tool

Performs automated attacks by generating malicious traffic patterns and packet values.

Jolt2 Attack

Sends invalid fragmentation flags triggering crashes in some Windows TCP/IP implementations.

Time-to-Live (TTL) Manipulation

Changes the IP TTL across fragments to interfere with TTL tracking during reassembly.

Nestea Attack

Sets invalid high fragment offsets combined with very small fragment sizes to crash Linux systems.

SMS of Death

Sends specially crafted ping packets that get fragmented, aiming to disable iPhone devices.

Other generalized forms, like fragment injection, tiny fragments, overlapping fragments, etc., can crash or exploit different operating systems and devices.

IP Fragmentation Attacks

Attackers abuse IP fragmentation to evade security controls and exploit vulnerable systems:

Bypassing Firewalls

Many firewalls and IPS devices do not inspect fragmented packets, allowing attacks to pass through:

  • RULE 1: Allow Port 80
  • RULE 2: Block Malicious IP

A fragmented attack packet from the malicious IP with a Port 80 fragment would be allowed since fragments are not reassembled.

Targeting Fragment Reassembly

Attackers send malicious payloads hidden across fragmentation boundaries or fragments that overlap/overwrite key protocol fields during reassembly.

For example, a NOP sled can be split across multiple fragments to evade static signature detection.

Evading Rate Limiting

Size and offset manipulation allows artificially inflating packet sizes to bypass rate limits.

A 100-byte packet can become a 10,000-byte reassembled packet, overwhelming rate limiting quotas.

Triggering Implementation Bugs

Fragmentation edge cases often contain vulnerabilities that get triggered through maliciously crafted fragments.

Past issues include Windows kernel panics, Cisco router crashes, and Linux kernel panics due to fragments.

Fragmentation Attack Methodology

Common techniques used in fragmentation attacks include:

Tiny Fragments

Tiny 1-8 byte fragments are sent that are smaller than the header size. These can trigger implementation errors during reassembly.

Overlapping Fragments

Fragments with overlapping offsets are sent to overwrite parts of the packet during reassembly.

Invalid Flag Combinations

Setting invalid flags like multiple “first fragments” can expose flawed logic.

Path MTU Discovery

Probing different MTU sizes determines the optimum fragment sizes for an attack.

Offset Obfuscation

NOP sleds are split across random fragment offsets to avoid signature detection.

Payload Obfuscation

Malicious code is sent across multiple reordered fragments with junk fragments interleaved to avoid scans.

Detecting Fragmentation Attacks

Defending against fragmentation attacks involves:

Stateful Inspection

Maintaining fragment state and validating fragment sequences helps prevent attacks.

Size Thresholds

Blocking excessively small fragments protects against tiny fragment attacks.

Overlapping Offset Detection

Blocks if fragments contain overlapping offsets.

Internet Control Message Protocol (ICMP) Blackhole

Rate limit or block ICMP “fragmentation needed” messages used in PMUD attacks.

Packet Reassembly and Inspection

Reassembling and inspecting packets allows for the identification of hidden attacks. But resource-intensive.

Anomaly Detection

Analyze fragmented traffic patterns and block sudden spikes that may indicate attacks.

Hardening Against Fragmentation Attacks

Here are measures to harden systems from fragmentation attacks:

  • Disable IP fragmentation on host systems unless absolutely required. Drop fragments using firewall rules.
  • Enable attack mitigations in operating systems like Windows IPEV2, Linux RPFilter, and BSD IPFW.
  • Keep firewalls, IPS, and host OS/kernel patches up-to-date.
  • Block or rate limit tiny fragments, overlapping offsets, and abnormal combinations where possible.
  • For public-facing systems, consider blocking fragmented packets altogether.
  • For internal systems, allow fragmentation only for specified packet sizes and MAC addresses.
  • Use IPS systems capable of fragment reassembly and stateful inspection. Limit assembled packet sizes.
  • Monitor and analyze IP traffic patterns for abnormal fragmentation. Tune allowed parameters.

Fragmentation in IPv6

IPv6 networks have built-in security enhancements that protect against fragmentation attacks:

No Fragmentation by Routers

IPv6 routers do not fragment packets. Endpoints must determine MTU and set fragmentation.

Fragment Header Deprecated

The IPv6 fragment header is being removed from core IPv6 due to exploitation risks.

ICMPv6 Packet Too Big

Intermediate routers send this message back if packets exceed MTU. Hosts adjust size.

Together, these make fragmentation attacks much harder on IPv6 networks.

See how Imperva DDoS Protection can help you with IP fragmentation attacks.

Conclusion

IP fragmentation is necessary to transmit large packets but also enables malicious attacks. Blocking fragments can break applications while allowing fragments to open risks. A balanced approach using safe default configuration, patching, inspection, and monitoring allows securely supporting IP fragments. As IPv6 adoption increases, built-in protections will help reduce fragmentation-based threats.