IP fragmentation attacks – how do they work?

02/14/2018        Tech-Blog

To understand IP fragmentation attacks, it is important to understand IP fragmentation first. IP communication is used to exchange data packets on the internet. Between their source and their target, the packets often have to be passed along by various connection technologies and systems.

The great number of technologies involved leads to limitations that make it necessary to fragment IP packets, because different data transfer systems have different MTUs (maximum transfer units). The MTU is the maximum IP packet length for a given network type or data transfer system. The network type sets an upper limit for the MTU, but the configured value may be smaller; the smaller it is, the more the data payload is fragmented during transfer. Another term is often mentioned alongside the MTU: the MSS (maximum segment size). The two concepts are related but should not be confused. The MTU is the maximum size of the entire IP packet, while the MSS is the maximum size of the data payload carried within the packet.

Different MTU sizes of various network types in bytes

Network type            MTU (bytes)
Ethernet                1500
Token ring, 4 Mbps      4464
Token ring, 16 Mbps     17914
IEEE 802.3              1492
X.25                    576
FDDI                    4352


IP fragmentation divides the packets or datagrams in such a way that they can be transmitted by a certain network type. The task of reassembling them is left to the target. The following IP header fields are important for this:

  • Source IP
  • Destination IP
  • Identification
  • Total length
  • Fragment offset
  • Flags

Example of a fragmented IP datagram

Original datagram

Sequence   Identifier   Total length   DF (may/don't)   MF (last/more)   Fragment offset
0          567          5180           0                0                0

IP fragments

Sequence   Identifier   Total length   DF (may/don't)   MF (last/more)   Fragment offset
0:0        567          1500           0                1                0
0:1        567          1500           0                1                185
0:2        567          1500           0                1                370
0:3        567          740            0                0                555

The fragment offset is counted in units of 8 bytes: with a 20-byte IP header, each 1500-byte fragment carries 1480 bytes of payload, so the second fragment starts at 1480 / 8 = 185. The last fragment carries the remaining 720 bytes (740 bytes including the header), and its MF flag is cleared.
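The fragmentation in the table above can be reproduced with a small calculator. The following Python code is an added example, not code from the original article or from Link11; it assumes a minimal 20-byte IPv4 header with no options and the standard rule that every fragment except the last carries a payload that is a multiple of 8 bytes, so that the offset can be expressed in 8-byte units. It also enforces the DF (don't fragment) flag: a datagram that is larger than the MTU and has DF set cannot be forwarded and is rejected instead of being split.

```python
from dataclasses import dataclass

IP_HEADER_LEN = 20  # minimal IPv4 header without options (assumption)


@dataclass
class Fragment:
    """One row of the fragment table: offset is in 8-byte units as on the wire."""
    sequence: str
    identifier: int
    total_length: int
    df: int
    mf: int
    fragment_offset: int


def fragment_datagram(identifier, total_length, mtu, df=0, header_len=IP_HEADER_LEN):
    """Split a datagram of the given total length so that each piece fits the MTU.

    Returns the list of fragments a sending host or router would emit.
    Raises ValueError when DF is set and the datagram does not fit, which is the
    case in which a router drops the packet instead of fragmenting it.
    """
    if total_length <= mtu:
        return [Fragment("0", identifier, total_length, df, 0, 0)]
    if df:
        raise ValueError(f"datagram {identifier}: {total_length} bytes > MTU {mtu} with DF set")

    payload_len = total_length - header_len
    # Largest payload per fragment that is both below the MTU and a multiple of 8.
    max_payload = (mtu - header_len) // 8 * 8

    fragments = []
    offset_bytes = 0
    index = 0
    while offset_bytes < payload_len:
        chunk = min(max_payload, payload_len - offset_bytes)
        is_last = offset_bytes + chunk >= payload_len
        fragments.append(Fragment(
            sequence=f"0:{index}",
            identifier=identifier,
            total_length=header_len + chunk,
            df=df,
            mf=0 if is_last else 1,
            fragment_offset=offset_bytes // 8,
        ))
        offset_bytes += chunk
        index += 1
    return fragments


def reassembled_length(fragments, header_len=IP_HEADER_LEN):
    """Total length the receiver ends up with after putting the fragments back together."""
    last = max(fragments, key=lambda f: f.fragment_offset)
    return header_len + last.fragment_offset * 8 + (last.total_length - header_len)


if __name__ == "__main__":
    # Reproduces the article's example: identifier 567, 5180 bytes, Ethernet MTU 1500.
    for f in fragment_datagram(567, 5180, 1500):
        print(f)
    print("reassembled:", reassembled_length(fragment_datagram(567, 5180, 1500)))
```

Running the block prints the four fragments of the article's example (offsets 0, 185, 370 and 555, total lengths 1500, 1500, 1500 and 740) and confirms that the receiver reassembles 5180 bytes.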

How can this be used for attacks?

IP fragmentation can be abused in various ways by attackers. It can be employed to attack the IP communication’s target system but also security components along the way towards the target system.

Reassembly (defragmentation) can only take place when all fragments are in. UDP/ICMP-based fragmentation attacks usually submit fake fragments that cannot be defragmented. Temporary storage of the fragments takes up memory and, in the worst-case scenario, may exhaust the available memory resources. An attack like this may use packets of the following type:

Sequence   Identifier   Total length   DF (may/don't)   MF (last/more)   Fragment offset
0:0        100          1500           0                1                0
1:0        200          1500           0                1                0
2:0        300          1500           0                1                0
3:0        400          1500           0                1                0
4:0        500          1500           0                1                0
...
n:0        x            1500           0                1                0

Each fragment is the first fragment of a datagram and announces more fragments that never arrive. As a result, the processing hosts and layer-7 security components reserve reassembly resources for all "n" communications.

A TCP-based fragmentation attack (also known as teardrop), however, is usually directed against the defragmentation mechanisms of the target systems or security components. Fragments with overlapping offsets are sent that, in extreme cases and depending on the operating system, may cause the target system to freeze.
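Both patterns described above, the pile-up of first fragments that never complete and the overlapping fragments of a teardrop, show up in the state a reassembling host or firewall has to keep. The following Python code is an added example, not code from the original article or from Link11: a small reassembly table that tracks pending datagrams per (source, destination, identification) tuple, caps how many may be pending at once, and raises an alert when the cap is hit or when a fragment's byte range overlaps one already received. The cap, the "discard the whole datagram on overlap" policy and the sample fragment streams are constructed assumptions for the example, not values taken from any product.

```python
IP_HEADER_LEN = 20  # minimal IPv4 header without options (assumption)


class ReassemblyTable:
    """Per-datagram reassembly state, as a host or stateful security device keeps it.

    receive() returns one of "pending", "complete", "overlap" or "dropped" and
    records alerts for the two abuse patterns from the article.
    """

    def __init__(self, max_pending):
        self.max_pending = max_pending      # constructed memory cap for the example
        self.pending = {}                   # key -> {"ranges": [(start, end)], "last_end": int|None}
        self.alerts = []
        self.completed = []

    def receive(self, src, dst, identifier, total_length, mf, offset, header_len=IP_HEADER_LEN):
        key = (src, dst, identifier)
        start = offset * 8                       # offset field is in 8-byte units
        end = start + (total_length - header_len)

        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_pending:
                # Every slot is held by an incomplete datagram: the exhaustion case.
                self.alerts.append(("buffer-exhausted", key))
                return "dropped"
            entry = {"ranges": [], "last_end": None}
            self.pending[key] = entry

        # A fragment whose bytes overlap an earlier one cannot be trusted;
        # the whole datagram is discarded rather than resolved either way.
        for s, e in entry["ranges"]:
            if start < e and s < end:
                self.alerts.append(("overlap", key, (s, e), (start, end)))
                del self.pending[key]
                return "overlap"

        entry["ranges"].append((start, end))
        if mf == 0:
            entry["last_end"] = end            # MF cleared: this fragment marks the end
        if self._is_complete(entry):
            del self.pending[key]
            self.completed.append(key)
            return "complete"
        return "pending"

    @staticmethod
    def _is_complete(entry):
        """True when the last fragment is known and the ranges cover [0, end) without gaps."""
        if entry["last_end"] is None:
            return False
        covered = 0
        for s, e in sorted(entry["ranges"]):
            if s != covered:
                return False
            covered = e
        return covered == entry["last_end"]


# Constructed sample streams fed to the table (addresses are documentation ranges).
SRC, DST = "198.51.100.7", "192.0.2.10"


def feed_complete_datagram(table):
    """The article's four fragments of datagram 567: every piece arrives, so it completes."""
    results = [
        table.receive(SRC, DST, 567, 1500, mf=1, offset=0),
        table.receive(SRC, DST, 567, 1500, mf=1, offset=185),
        table.receive(SRC, DST, 567, 1500, mf=1, offset=370),
        table.receive(SRC, DST, 567, 740, mf=0, offset=555),
    ]
    return results


def feed_first_fragments_only(table, n):
    """The article's exhaustion table: n datagrams, each with only fragment 0 and MF=1."""
    for i in range(1, n + 1):
        table.receive(SRC, DST, i * 100, 1500, mf=1, offset=0)
    exhausted = sum(1 for a in table.alerts if a[0] == "buffer-exhausted")
    return len(table.pending), exhausted


def feed_overlapping_pair(table):
    """Two fragments of one datagram whose byte ranges overlap (0..1480 and 800..2280)."""
    table.receive(SRC, DST, 900, 1500, mf=1, offset=0)
    return table.receive(SRC, DST, 900, 1500, mf=0, offset=100)


if __name__ == "__main__":
    print(feed_complete_datagram(ReassemblyTable(max_pending=8)))
    print(feed_first_fragments_only(ReassemblyTable(max_pending=3), n=5))
    print(feed_overlapping_pair(ReassemblyTable(max_pending=8)))
```

With the cap set to 3, five single first fragments leave three datagrams stuck in the table and produce two "buffer-exhausted" alerts; the overlapping pair yields an "overlap" alert and the datagram is dropped, while the article's legitimate four-fragment datagram completes normally. In a real deployment the same signals (number of pending datagrams per source, overlap events) are what a reassembly timeout and a fragment-rate limit are keyed on.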
