IP Fragmentation Attack: Understanding the Threat and How to Prevent It

What is an IP Fragmentation Attack?

To explain what an IP fragmentation attack is, it's important to understand how the fragmentation process works. When data is sent over the internet, it's divided into packets or datagrams. The Internet Protocol (IP) outlines how data is transmitted over the internet, and every packet has a Maximum Transmission Unit (MTU) size.

When packets exceed the MTU size, routers and host systems break down these packets for easier transmission, and this process is called fragmentation. The fragments contain a portion of the original data and header information which includes identification number, an offset value, and flags to locate the fragment within the original packet.

But when it’s time to reassemble the fragments, well, that’s exactly when an IP fragmentation attack can happen. Hackers imitate the fragmentation process by breaking up malicious data into small fragments to trick the reassembly process and sneak past security filters, making it harder for systems to detect and stop the threat.

How Does IP Fragmentation Work?

Cybercriminals exploit the fragmentation process by crafting corrupt packets or manipulating existing ones. This disturbs the reassembly process when packets are received by other systems. Here’s a rundown of the process:

1. Creating malicious fragments – The hacker creates packets designed to evade detection by security systems.
2. Sending fragments – The small, seemingly harmless pieces of data flow across the network and slip past firewalls and security filters.
3. Bypassing security – The attacker can then evade detection by spreading malicious payload across multiple fragments.
4. Reassembly at target – If the reassembly process fails or is tricked, it causes problems like system crashes, data corruption, or unauthorized access.
5. Exploiting vulnerabilities – Once reassembled, the malicious payload can exploit vulnerabilities in the target system, resulting in a breach, service disruption, or denial-of-service attacks.

In short, an IP fragmentation attack exploits the fragmentation process to sneak harmful data past security defenses.

Types of IP Fragmentation Attacks

There are different types of IP fragmentation attacks, and each one targets a specific vulnerability in the IP fragmentation process. Here are some of the most common attack types:

Teardrop Attack

When an attacker uses teardrop attacks, they send overlapping fragments designed with the single purpose of being impossible to reassemble. Because these packets are incomplete or overlapped, the target operating system (OS) can freeze or crash during packet reassembly. The most susceptible OS are earlier versions on Windows and Linux.

Bonk Attack

This type of IP fragmentation attack is a type of denial-of-service (DoS) attack when a hacker sends oversized fragments to a target system like Windows 95 and Windows 98. When the system tries to allocate memory for these large fragments, it can end up crashing or becoming unresponsive.

Tiny Fragment Attack

The tiny fragment attack sends tiny fragments smaller than the minimum size required to fit a packet header. These smaller fragments can cause reassembly problems and shut down the target. This way, the hacker hides the malicious payload in tiny fragments to bypass security measures.

Time-to-Live (TTL) Manipulation

TTL, or Time-to-Live, is like a countdown for an IP packet that tells it how many stops (or hops) it can make in a network before it gets dropped. This prevents it from getting stuck and endlessly circling around.

In this fragmentation attack, the attacker modifies the TTL field in the IP packet headers to control the packet's lifespan, bypassing security measures or disrupting network operations.

Nestea Attack

The Nestea attack sends malformed or overlapping IP fragments to target systems, specifically older versions of Linux kernels. Similar to the Teardrop attack, when the fragmented packets are reconstructed using this exploit, the system crashes or becomes unresponsive due to vulnerabilities in the reassembly process.

SMS of Death

This IP fragmentation attack is another denial of service (DoS) attack that targets older mobile devices by sending specially crafted SMS messages. Corrupt messages can trigger weaknesses in the device's operating system, leading to crashes or unexpected reboots. Failing to filter malicious texts can cause targeted mobile devices to become unusable.

UDP and ICMP Fragmentation Attacks

In User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) fragmentation attacks, older versions of Windows and Linux servers are flooded with oversized or otherwise corrupt packets. This can quickly overload a server's resources, resulting in massive performance and service issues.

Tools like Fragrouter

The Fragrouter attack uses a tool called Fragrouter to manipulate fragmented packets to bypass network security devices like firewalls and intrusion detection systems (IDS).

Hackers take advantage of how security devices handle cleverly designed fragmented packets. As a result, this attack lets harmful traffic sneak through unnoticed, leading to unauthorized access, or worse – data breaches.

Why Do IP Fragmentation Attacks Occur?

Hackers use IP fragmentation attacks for a variety of reasons. However, they are all motivated by these key goals:

• Circumventing firewalls – Fragmented packets have a lower chance of triggering security systems, that’s why hackers can bypass firewalls and slip malicious payloads.
• Interrupting data reassembly – Hackers disrupt normal system operations by attacking the fragmentation reassembling process.
• Draining system resources – Handling and reassembling fragmented packets can quickly overwhelm network devices and servers, which inevitably affects performance.
• Exploiting wireless networks – Since wireless networks are especially weak against IP fragmentation attacks because of their open-air transmission, hackers attack these networks to gain unauthorized access.

The ultimate goal of IP fragmentation attacks is to infiltrate your systems, disrupt services, and cause damage, while avoiding detection.

Real-World Examples and Case Studies

IP fragmentation attacks have been a pain for cybersecurity for decades, gaining notoriety in 1997, when hackers used the Teardrop effect to crash operating systems, including Windows NT and Linux.

Later, in 2004, the infamous Sasser worm was set loose by an 18-year old teenager from Germany. The virus attacked the vulnerability in Microsoft Windows' Local Security Authority Subsystem Service (LSASS). The virus used IP fragmentation to evade detection by firewalls and intrusion detection systems.

The result? The U.S. flight company Delta Air Lines had to cancel several trans-atlantic flights because its computer systems had been swamped by the worm. And that’s just one example of many.

More recently, in 2018, Mathy Vanhoef, a well-known security researcher discovered what’s now known as FragAttacks (fragmentation and aggregation attacks), after it was found that the Wi-Fi chips, used by Apple, Google, and Samsung, had severe vulnerabilities.

Using FragAttacks, attackers could inject malicious code into devices by exploiting flaws in the fragmentation and reassembly process of Wi-Fi protocols.​​ Since discovery, these companies have pushed out multiple updates and patches to protect devices.

How to Protect Against IP Fragmentation Attacks?

While it sure sounds scary and almost impressive what hackers can achieve with IP fragmentation attacks, there are different things you can do to help prevent your devices from being targeted by cybercriminals.

Software Updates and Patches

This may sound a little tedious, especially if you own a Windows device, but regularly updating your operating systems, firmware, and security software with the latest patches and security updates is crucial. Major companies like Microsoft, Apple and others have entire cybersecurity teams working on catching threats, so if there’s a new update – make sure to run it.

Network Inspection and Monitoring

If you’re a tech-savvy person, or working in IT, network monitoring and inspection tools like Wireshark, Nagios, Splunk, or Zabbix can be a huge help in detecting IP fragmentation attacks. These tools can analyze incoming packets, identify anomalies, and block or rate-limit fragmented packets based on predefined rules.

Managing Packet Fragmentation

Another useful method, although a bit more technical, is to manually configure your systems networks to control the fragmented packets. Managing packet fragmentation manually or limiting the maximum reassembled packet size will allow you to block fragmented packets from suspicious and potentially harmful sources.

Implementing Intrusion Detection Systems (IDS)

IDS is a security tool that monitors network traffic or system activities for signs of malicious behavior or policy violations. With tools like Sagan, Prelude, Snort or Suricata, you can significantly enhance your device protection. These programs monitor network traffic, identify suspicious patterns, and alert you to potential intrusions or attacks.

Using Virtual Private Networks (VPNs)

VPNs like CometVPN can add an extra layer of security to your online activities. VPNs encrypt your internet traffic, ensuring data integrity and privacy. In contrast with IDS that focus on detecting and alerting active threats, a VPN secures and encrypts data transmission to protect privacy and enhance online security, essentially masking your IP addresses and routing traffic through secure servers.

Wrapping up

Cybersecurity is fast becoming a household security measure as we increase the number of devices we use in our daily life. That’s why it’s important to understand the main risks, learn to recognize the telltale signs, and know what to do once a threat is identified. But more importantly, preventative measures should take precedence over anything else if we want to stay safe online.