IP fragmentation attacks are a kind of computer security attack based on how the Internet Protocol (IP) requires data to be transmitted and processed. Specifically, it invokes IP fragmentation, a process used to partition messages (the service data unit (SDU); typically a packet) from one layer of a network into multiple smaller payloads that can fit within the lower layer's protocol data unit (PDU). Every network link has a maximum size of messages that may be transmitted, called the maximum transmission unit (MTU). If the SDU plus metadata added at the link layer exceeds the MTU, the SDU must be fragmented. IP fragmentation attacks exploit this process as an attack vector. Part of the TCP/IP suite is the Internet Protocol (IP) which resides at the Internet Layer of this model. IP is responsible for the transmission of packets between network end points. IP includes some features which provide basic measures of fault-tolerance (time to live, checksum), traffic prioritization (type of service) and support for the fragmentation of larger packets into multiple smaller packets (ID field, fragment offset). The support for fragmentation of larger packets provides a protocol allowing routers to fragment a packet into smaller packets when the original packet is too large for the supporting datalink frames. IP fragmentation exploits (attacks) use the fragmentation protocol within IP as an attack vector. According to [Kurose 2013], in one type of IP fragmentation attack "the attacker sends a stream of small fragments to the target host, none of which has an offset of zero. The target can collapse as it attempts to rebuild datagrams out of the degenerate packets." Another attack involves sending overlapping fragments with non-aligned offsets, which can render vulnerable operating systems not knowing what to do, causing some to crash.

Process

IP packets are encapsulated in datalink frames, and, therefore, the link MTU affects larger IP packets and forces them to be split into pieces equal to or smaller than the MTU size. This can be accomplished by several approaches: Three fields in the IP header are used to implement fragmentation and reassembly. The "Identification", "Flags" and "Fragment Offset" fields. Flags: Fragment Offset specifies the fragment's position within the original packet, measured in 8-byte units. Accordingly, every fragment except the last must contain a multiple of 8 bytes of data. It is obvious that Fragment Offset can hold 8192 (2^13) units but the packet can't have 8192 * 8 = 65,536 bytes of data because "Total Length" field of IP header records the total size including the header and data. An IP header is at least 20 bytes long, so the maximum value for "Fragment Offset" is restricted to 8189, which leaves room for 3 bytes in the last fragment. Because an IP internet can be connectionless, fragments from one packet may be interleaved with those from another at the destination. The "Identification field" uniquely identifies the fragments of a particular packet. The source system sets "Identification" field in each packet to a unique value for all packets which use the same source IP address, destination IP address, and "Protocol" values, for the lifetime of the packet on the internet. This way the destination can distinguish which incoming fragments belong to a unique packet and buffer all of them until the last fragment is received. The last fragment sets the "More Fragment" bit to 0 and this tells the receiving station to start reassembling the data if all fragments have been received. The following is a real-life fragmentation example: The following was obtained using the Ethereal protocol analyzer to capture ICMP echo request packets. To simulate this open up a terminal and type ping ip_dest -n 1 -l 65000. The results are as follows: Note that only the first fragment contains the ICMP header and all remaining fragments are generated without the ICMP header. Two important points here:

Exploits

Fragmentation for evasion

Network infrastructure equipment such as routers, load-balancers, firewalls and IDS have inconsistent visibility into fragmented packets. For example, a device may subject the initial fragment to rigorous inspection and auditing, but might allow all additional fragments to pass unchecked. Some attacks may use this fact to evade detection by placing incriminating payload data in fragments. Devices operating in "full" proxy mode are generally not susceptible to this subterfuge.