What is an IP Fragmentation Attack? Types & Prevention
Arsalan Rathore
Have you ever had trouble accessing a website? Amongst a few possible causes, one reason could be a cyberattack. Hackers are known to have an arsenal of tools to intercept and disrupt communication, and one particular way is by interfering with how an IP transfers information to the end user.
IP Fragmentation Attacks aren’t anything new. Internet Service Providers and webmasters alike have been coming up with ways to prevent it, but many hackers still resort to such means to interfere with a safe browsing experience.
In order to understand what an IP Fragmentation Attack is and how it happens, we have to understand a few different concepts. Read on to learn how to protect yourself from becoming a victim of cybercrime.
What is packet switching?
Data is sent in IP packets, and such packets are of a specific size. Packet switching can occur over connection-based and connectionless platforms alike.
A connection-based packet switching means that data is delivered and received in a specific order, which allows for a pathway for communication to be established prior to any transfer of data.
Connectionless packet switching, on the other hand, is when every packet is delivered independently instead of in a particular order. Consider it like sending items randomly, instead of in a queue.
These out-of-queue packets are called datagrams and can travel in all sorts of undetermined, random orders. Since this form is much less structured than that of a connection-based method, datagrams can be used to attack or target servers.
What is fragmentation?
Dividing a datagram into smaller packets of information is IP fragmentation. For a successful transfer and processing, these fragments are usually of a very specific size. Before the receiver can look into the data they received, they must reassemble the fragments in order so that the information makes sense. If a datagram is too big to process or arrange properly, the user can re-fragment the packet for their own convenience.
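As an added example (not code from the original post), here is a small Python fragmenter and receiver-side reassembler for IPv4. It shows the rules behind the text above: every fragment but the last carries a payload that is a multiple of 8 bytes because the offset field counts 8-byte units, the More Fragments flag marks all but the last fragment, and the receiver puts the pieces back in offset order regardless of arrival order. The addresses, identification value and 3,072-byte payload are constructed.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags+offset, ttl, proto, csum, src, dst
SRC, DST = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"   # constructed addresses (10.0.0.1 -> 10.0.0.2)

def fragment_datagram(payload: bytes, mtu: int, ident: int, proto: int = 17) -> list:
    """Split one IPv4 datagram so that every fragment fits the link MTU.

    Every fragment except the last carries a payload that is a multiple of 8 bytes,
    because the header's 13-bit fragment offset counts 8-byte units.
    """
    chunk = (mtu - 20) // 8 * 8               # largest 8-byte multiple that fits after the header
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    fragments = []
    for offset in range(0, len(payload), chunk):
        piece = payload[offset:offset + chunk]
        more = offset + len(piece) < len(payload)          # More Fragments (MF) flag
        flags_off = (0x2000 if more else 0) | (offset // 8)
        header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(piece), ident,
                             flags_off, 64, proto, 0, SRC, DST)
        fragments.append(header + piece)
    return fragments

def reassemble(fragments) -> bytes:
    """Receiver side: place each fragment at its offset; the last fragment fixes the total size."""
    pieces, total = {}, None
    for frag in fragments:
        _, _, total_len, _, flags_off, _, _, _, _, _ = struct.unpack(IPV4_HDR, frag[:20])
        offset, more = (flags_off & 0x1FFF) * 8, bool(flags_off & 0x2000)
        pieces[offset] = frag[20:total_len]
        if not more:
            total = offset + len(pieces[offset])
    if total is None or sum(len(p) for p in pieces.values()) != total:
        raise ValueError("datagram incomplete")   # simple length check; trusts the offsets as sent
    return b"".join(pieces[o] for o in sorted(pieces))

def demo():
    data = bytes(range(256)) * 12                           # constructed 3072-byte payload
    frags = fragment_datagram(data, mtu=1500, ident=0x1234)
    return len(frags), reassemble(reversed(frags)) == data  # arrival order does not matter
```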
What is an IP fragmentation attack?
An IP fragmentation attack is a Denial of Service (DoS) attack that abuses IP fragmentation to disrupt how datagrams are fragmented and reassembled. The aim is to disrupt the running of web services, disable websites, or overload the network to make it inaccessible to users and visitors alike.
The end goal is to stop a server from functioning how it is meant to and to stop traffic from ever reaching the website. There are many different forms of such attacks, but they most typically involve disrupting the flow of datagrams and rearranging them to make them near impossible to reassemble for actual use.
8 Types of IP Fragmentation Attacks
The general basis of all IP fragmentation attacks is to deactivate, block, and disrupt the working of servers and services. They are able to do this by changing, corrupting, adding, or re-arranging datagrams to inhibit the proper reconstruction, which means that the user, upon reception, will not be able to assemble the datagrams.
1. Tiny fragment attack:
Each IP packet has a header and a payload: the payload carries the data, and the header directs the packet towards its destination. As the name suggests, this attack sends a tiny packet fragment to the server. Because it is so small, it does not fit together with the rest of the fragments and their headers, which causes problems in reassembly and can lead to server unavailability.
2. UDP and ICMP fragmentation attacks:
Here, fraudulent or corrupted UDP or ICMP packets are sent that are larger than the network's MTU (maximum transmission unit). These fake packets cause trouble in reassembly, which causes networks and servers to become unavailable or shut down.
3. TCP fragmentation attacks (Teardrop attacks):
These attacks target the reassembly process of TCP/IP by preventing the receiver from reassembling the fragmented packets it received. Because the IP fragments overlap, the servers become overloaded and end up failing. These attacks are known as Teardrop attacks and affected the Windows OS series.
4. Bonk Attack
This attack involves sending malformed IP packets to a target system, exploiting flaws in operating systems handling fragmented packets. By sending these malformed packets, attackers can cause the target system to crash or freeze, disrupting its normal operations.
5. Fragrouter Tool
Fragrouter is not an attack but a tool attackers utilize to manipulate IP packet fragmentation. It enables the modification and manipulation of packets, allowing cybercriminals to evade security measures or bypass detection by altering packet characteristics.
6. Time-to-Live (TTL) Manipulation
In TTL Manipulation attacks, threat actors modify the Time-to-Live field in IP packet headers. By altering these values, attackers aim to control the lifespan of packets within a network, attempting to bypass security measures or disrupt network operations.
7. Nestea Attack
Like the Teardrop attack, Nestea sends overlapping or malformed IP fragments to the target system. This exploit takes advantage of vulnerabilities in the system’s reassembly process, causing it to crash or become unresponsive when reconstructing the fragmented packets.
8. SMS of Death
This attack targets mobile devices by sending specially crafted SMS messages. When received, these messages can trigger vulnerabilities within the device’s operating system, leading to crashes or unexpected reboots, disrupting the standard functionality of the targeted mobile device.
How does an IP fragmentation attack work?
The basics are that it involves sending datagrams with the goal of interrupting reassembly. This can be achieved by sending datagrams that are too small, too large, or that are focused on overlapping with pre-existing datagrams to overwhelm the server. An IP fragmentation attack uses IP fragments to disable services, servers, and even devices upon the reception of data packets.
The fraudulent packets are delivered to the victim, and when the victim sets out to reassemble the packets, their system, server, or device becomes overloaded past the size limit and ends up shutting down.
How to protect yourself from IP fragmentation attacks
You can lower the possibility of becoming a cyber victim of such attacks by using one or more of these methods:
- Scan the incoming traffic of packets through a proxy server, firewalls, a detection system, or even a specially configured router
- Keep all of your devices and software up to date, especially security patches and operating system updates.
- Disable connectivity to any device or person that sends fragmented packets. Practise discretion with this, as some connections (e.g. cellular networks) send harmless, benign fragmented packets that are essential to their traffic.
It’s best to use a few different approaches at the same time. Our recommendation is to defend your network connection first by using a VPN service provider like AstrillVPN. AstrillVPN has military-grade encryption that keeps your data private and secure, offering unparalleled protection and connectivity.
Fragmentation Attack Methodology
Tiny Fragments
Tiny fragments are used in fragmentation attacks where attackers send extremely small IP fragments to exploit vulnerabilities in the reassembly process. By crafting these tiny fragments, threat actors aim to bypass security measures or confuse systems during packet reassembly.
Such fragments might be smaller than the minimum size allowed by the protocol standards, leading to ambiguities in how the system handles them. This can result in system crashes, data corruption, or exploitation of weaknesses in packet handling mechanisms.
Overlapping Fragments
Overlapping fragments involve sending IP fragments that intentionally overlap with each other when reassembled by the target system. Attackers manipulate the offset values in the packet headers, causing the receiving system to face difficulties in correctly reassembling the fragmented packets.
This technique exploits vulnerabilities in the reassembly process, potentially leading to system crashes, data corruption, or triggering security flaws.
Invalid Flag Combinations
Fragmentation attacks may involve crafting IP packets with invalid header flag combinations. Attackers manipulate the control flags (such as the More Fragments (MF) flag and the Don’t Fragment (DF) flag) in ways that do not adhere to standard protocol specifications.
Attackers aim to confuse or overload the target system’s packet processing mechanisms by sending packets with contradictory or unexpected flag settings, potentially leading to service disruptions or system instability.
Path MTU Discovery
Path Maximum Transmission Unit (PMTU) Discovery involves manipulating the packet size to exploit vulnerabilities in how networks handle packet fragmentation. Attackers deliberately send packets larger than the maximum supported size along a network path.
This forces routers to fragment the packets, potentially causing performance degradation, packet loss, or denial of service by overwhelming network resources.
Offset Obfuscation
Offset obfuscation is used to manipulate the offset values in IP packet headers. Attackers intentionally modify these values to obscure the target system’s proper reassembly of fragmented packets. This manipulation disrupts the reassembly process, potentially causing system crashes, data corruption, or exploitation of vulnerabilities in packet handling mechanisms.
Payload Obfuscation
This technique aims to hide malicious payloads within fragmented packets, making it challenging for security systems to effectively detect and mitigate the threats.
Payload obfuscation involves manipulating the content of packet payloads to evade detection or exploit vulnerabilities in systems. Attackers might encrypt, encode, or modify the payload contents to bypass security measures or confuse systems during reassembly.
How to Detect Fragmentation Attacks
The following are the various methods used to detect fragmentation attacks:
1. Stateful Inspection
Stateful inspection is a firewall technology that monitors the state of active connections and inspects packets in the context of the connection they belong to. It examines packet headers and tracks the state of each fragmented datagram and its associated fragments to detect fragmentation attacks.
By maintaining information about packet sequences and their expected fragments, firewalls can flag anomalies or inconsistencies in packet sequences, aiding in detecting potential fragmentation attacks.
2. Size Thresholds
Implementing size thresholds involves limiting the size of incoming fragmented packets that a system or network can handle. By defining acceptable size ranges for packets, administrators can detect anomalies when packets exceed these predetermined thresholds.
This method helps identify excessively large or unusually small fragmented packets that might indicate a fragmentation attack, triggering alarms or blocking such packets from entering the network.
3. Overlapping Offset Detection
Overlapping offset detection involves scrutinizing the offset values in fragmented packet headers to identify any overlaps or inconsistencies between packet fragments. Properly assembled fragments should align sequentially without overlaps.
Network monitoring systems can analyze the offset values within fragmented packets, flagging irregularities or overlaps that might indicate a potential attack exploiting vulnerabilities in packet reassembly.
4. Internet Control Message Protocol (ICMP) Blackhole
ICMP blackhole detection involves monitoring ICMP traffic for indications of blackhole routes. During a fragmentation attack, attackers might manipulate ICMP messages or responses, attempting to create black hole routes that discard legitimate packets.
Detection mechanisms can analyze ICMP traffic patterns and identify abnormalities, such as unexpected or excessive ICMP messages, aiding in identifying potential black hole routes caused by a fragmentation attack.
5. Packet Reassembly and Inspection
Packet reassembly and inspection involve reconstructing fragmented packets and analyzing their content for anomalies or malicious patterns. Network devices capable of reassembling fragmented packets can inspect the reassembled data for irregularities, such as unexpected packet content or corrupted payloads.
6. Anomaly Detection
Anomaly detection involves employing machine learning or heuristic-based algorithms to establish baseline behaviors within a network. This approach helps in recognizing deviations from standard traffic patterns or expected behaviors.
Detection systems analyze packet characteristics, such as packet size, fragmentation patterns, and header information, to identify anomalous activities that might indicate a fragmentation attack.
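To make methods 1 to 3 above concrete, the following Python is an added example (not code from the post or from any product it mentions). It parses the raw IPv4 header of each fragment, keeps per-datagram state keyed on source, destination, identification and protocol, and raises an alert for a tiny first fragment, for a fragment whose offset plus length would exceed the 65,535-byte IPv4 limit, and for a fragment that overlaps one already seen. The 16-byte minimum for a first fragment is an assumed threshold, and the traffic is constructed.

```python
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"
MIN_FIRST_FRAGMENT = 16   # assumed threshold: bytes a first fragment must carry (room for a TCP/UDP header)
MAX_DATAGRAM = 65535      # largest reassembled IPv4 datagram the 16-bit total-length field can describe

def parse_fragment(pkt: bytes) -> dict:
    """Pull the reassembly-relevant fields out of a raw IPv4 header."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (src, dst, ident, proto), "offset": (flags_off & 0x1FFF) * 8,
            "mf": bool(flags_off & 0x2000), "len": total_len - ihl}

def check_fragment_stream(packets) -> list:
    """Stateful check: track every datagram's fragments and report anomalies as (kind, id)."""
    alerts, seen = [], defaultdict(list)          # seen[key] -> list of (start, end) byte ranges
    for pkt in packets:
        f = parse_fragment(pkt)
        if f["offset"] == 0 and not f["mf"]:
            continue                                   # not fragmented at all
        ident = f["key"][2]
        start, end = f["offset"], f["offset"] + f["len"]
        if start == 0 and f["len"] < MIN_FIRST_FRAGMENT:
            alerts.append(("tiny_first_fragment", ident))   # size threshold, lower bound
        if end > MAX_DATAGRAM:
            alerts.append(("oversized_datagram", ident))    # size threshold, upper bound
        if any(start < e and s < end for s, e in seen[f["key"]]):
            alerts.append(("overlapping_fragment", ident))  # overlapping offset detection
        seen[f["key"]].append((start, end))
    return alerts

def make_fragment(ident, offset, mf, payload_len, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build a constructed fragment with an all-zero payload (checksum left 0; nothing is sent)."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, flags_off, 64, 17, 0, src, dst)
    return hdr + b"\x00" * payload_len

def sample_alerts() -> list:
    """Constructed traffic: one clean datagram, then one datagram showing each anomaly."""
    stream = [make_fragment(1, 0, True, 1480), make_fragment(1, 1480, False, 500),   # clean
              make_fragment(2, 0, True, 1480), make_fragment(2, 800, False, 400),    # overlap
              make_fragment(3, 0, True, 8),                                          # tiny first
              make_fragment(4, 65528, False, 100)]                                   # past 65535
    return check_fragment_stream(stream)
```

The overlap test is the classic interval check (a new range conflicts with an existing one when each starts before the other ends), so it also catches a fragment that falls entirely inside an earlier one.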
How common is IP fragmentation?
IP fragmentation has been around for many years, and it is still widespread. Across the globe, IP datagrams are routinely broken into multiple packets to ease data transfer. These packets pass through various network layers and are then reassembled on a near daily basis, as part of routine, ordinary transfers.
Because of this, it’s important to put your security first by making sure that you are aware and keeping yourself safe from any cyberattacks.
Conclusion
IP fragmentation is the basis of how the IP protocol works; it is essential, and it is necessary to understand the pros and cons of the IP protocols you are using. However, hackers have found multiple ways to intercept connections and exploit the mechanism for nefarious attacks and schemes. Always practice caution and invest in a good protection system, like AstrillVPN, to prevent such attacks from reaching your connection.