What is an IP Fragmentation DDoS Attack?

Introduction

Have you ever bought a piece of furniture that required “easy assembly” at home, only to discover when you unpack the boxes that a couple of bolts were missing? Or, even more challenging, the holes at a crucial corner don’t line up so there’s no way that wooden dowel is going to fit and hold those two pieces together? You can waste a ton of time and energy trying to figure out if there’s a way to make it work before giving up and calling for help.

That’s a lot like what happens in an IP fragmentation DDoS attack, only it’s servers that become overwhelmed and eventually crash trying to assemble IP fragments that don’t fit together as they should.

In this blog, we’ll dig into IP fragmentation and how DDoS attacks against it work. We’ll also explore variations in this type of attack and offer guidance on how to detect and protect your organization against these threats.

How IP Fragmentation DDoS Attacks Work

Defined decades ago as part of the Internet Protocol, which operates at Layer 3 of the OSI model, IP fragmentation is an effective method to streamline network communication. The idea is to break down IP packets that are too large for a link into smaller fragments that can be transmitted. When they reach their destination, they are reassembled.

IP fragmentation DDoS attacks exploit that reassembly process by sending fragments that may be overlapping, missing key information, or oversized, which makes them impossible to reassemble. The goal of these attacks is to slow down network performance and eventually completely disrupt services by consuming server resources and processing power as systems try to piece together fragments to no avail.

Let’s dig a little deeper to understand how the fragmentation and reassembly process is supposed to work and how it can be disrupted.

Understanding IP Fragmentation

IP fragmentation occurs at Layer 3 of the OSI model, the network layer, which is responsible for addressing packets and deciding the path they take to their destination. When an IP packet exceeds the Maximum Transmission Unit (MTU) size for a network path, routers split the large packet into smaller fragments.

Each fragment carries its own IP header with the instructions needed for reassembly. The relevant header fields are:

  • Identification – A value shared by all the fragments that comprise the original packet, so the receiver knows which fragments belong together
  • Flags – The More Fragments (MF) bit, which is set on every fragment except the last so the receiver can tell when the final piece has arrived
  • Fragment Offset – The fragment's position within the original packet, counted in 8-byte units

Fragments may arrive out of order, so this information is necessary to ensure the system that receives them can reassemble the original packet quickly and correctly.
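To make those header fields concrete, here is an added example (not code from the original post) that builds IPv4 fragments the way a router would, parses the Identification, flags and offset fields back out of each one, and reassembles a datagram whose fragments arrive out of order. The 192.0.2.x addresses, the 0x1234 identification value and the 2560-byte payload are constructed sample values.

```python
import socket
import struct
from dataclasses import dataclass

IP_HDR_LEN = 20   # minimal IPv4 header (no options)
FLAG_MF = 0x1     # "More Fragments" bit of the 3-bit flags field
FLAG_DF = 0x2     # "Don't Fragment" bit (unused here, shown for completeness)


@dataclass
class Fragment:
    ident: int      # Identification: shared by every fragment of one datagram
    more: bool      # MF flag: set on every fragment except the last
    offset: int     # where this payload sits in the original datagram, in bytes
    payload: bytes


def header_checksum(hdr: bytes) -> int:
    # Ones'-complement sum of the header's 16-bit words; a valid header sums to 0
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(ident: int, flags: int, offset_units: int, payload: bytes,
               src: str = "192.0.2.1", dst: str = "192.0.2.2", proto: int = 17) -> bytes:
    # Flags live in the top 3 bits of one 16-bit word, the 13-bit offset in the rest
    flags_frag = (flags << 13) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload), ident,
                      flags_frag, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment(ident: int, payload: bytes, mtu: int) -> list[bytes]:
    # What a router does when a datagram exceeds the path MTU. Every fragment but the
    # last carries a multiple of 8 bytes, because the offset field counts 8-byte units.
    max_data = ((mtu - IP_HDR_LEN) // 8) * 8
    frags = []
    for off in range(0, len(payload), max_data):
        chunk = payload[off:off + max_data]
        more = off + len(chunk) < len(payload)
        frags.append(build_ipv4(ident, FLAG_MF if more else 0, off // 8, chunk))
    return frags


def parse_fragment(pkt: bytes) -> Fragment:
    ver_ihl, _, total_len, ident, flags_frag, _, _, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    flags = flags_frag >> 13
    offset = (flags_frag & 0x1FFF) * 8
    return Fragment(ident, bool(flags & FLAG_MF), offset, pkt[ihl:total_len])


def reassemble(packets: list[bytes]) -> dict[int, bytes]:
    # Group by Identification, order by offset, and stitch payloads back together.
    # A gap, an overlap, or a missing last fragment makes the datagram unreconstructable.
    groups: dict[int, list[Fragment]] = {}
    for pkt in packets:
        frag = parse_fragment(pkt)
        groups.setdefault(frag.ident, []).append(frag)
    datagrams = {}
    for ident, frags in groups.items():
        frags.sort(key=lambda f: f.offset)
        expected, buf = 0, bytearray()
        for frag in frags:
            if frag.offset != expected:
                raise ValueError(f"datagram {ident:#x}: gap or overlap at byte {expected}")
            buf += frag.payload
            expected += len(frag.payload)
        if frags[-1].more:
            raise ValueError(f"datagram {ident:#x}: last fragment missing")
        datagrams[ident] = bytes(buf)
    return datagrams


def demo() -> dict[int, bytes]:
    # Constructed sample: a 2560-byte UDP payload split for a 1500-byte MTU, then
    # delivered last-fragment-first to show that offsets, not arrival order, decide placement
    payload = bytes(range(256)) * 10
    frags = fragment(0x1234, payload, 1500)
    return reassemble(list(reversed(frags)))


if __name__ == "__main__":
    for pkt in fragment(0x1234, bytes(range(256)) * 10, 1500):
        f = parse_fragment(pkt)
        print(f"id={f.ident:#06x} MF={int(f.more)} offset={f.offset:5d} bytes={len(f.payload)}")
    print("reassembled", len(demo()[0x1234]), "bytes")
```

Running it prints two fragments: the first at offset 0 with MF set and 1480 payload bytes, the second at offset 1480 with MF clear and the remaining 1080 bytes. The reassembler in this example refuses gaps and overlaps outright; the next section explains why a receiver that instead keeps buffering such fragments is the thing an attacker exploits.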

Exploitation of Fragmentation in DDoS Attacks

In an IP fragmentation attack, the threat actor takes advantage of the reassembly process that the target’s devices must perform to reconstruct the original packet. By overwhelming the devices with an excessive number of fragmented packets, or with incorrect instructions, the attacker thwarts packet reassembly and consumes processing power and resources.

Differentiating Between Fragmentation Attacks: Teardrop and ICMP/UDP

There are a few different types of fragmentation attacks.

Teardrop fragmentation attack: This type of attack abuses the offset and flag fields intended to help with reassembly and sends incomplete or overlapping fragments. The targeted system is unable to process and reassemble the incoming fragments and freezes or crashes.

ICMP fragmentation and UDP fragmentation attacks: These types of attacks send oversized fragmented ICMP or UDP packets (1500+ bytes) to consume more bandwidth with fewer packets. The bogus packets can’t be reassembled so the targeted system consumes significant resources trying and performance suffers.

Detecting and Mitigating IP Fragmentation DDoS Attacks

IP fragmentation attacks are difficult to detect and mitigate because they evade security controls in a few different ways.

  • Many firewalls and IPS devices are configured to not inspect fragmented packets, allowing them to pass through.
  • Threat actors can split malicious payloads across multiple fragments to hide them from static signature detection.
  • These attacks also take advantage of vulnerabilities in older systems.

However, there are some best practices and technologies security teams can use to mitigate IP fragmentation attacks, including:

Implement packet inspection. Inspect incoming packets using a router or security proxy server to analyze traffic for anomalous activity. As part of your configuration management process, configure your IDS/IPS and firewalls to recognize IP fragmentation attacks and block or alert you to them.
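As an added example of the packet-inspection logic described here (not code from the original post or any vendor's product), the following Python tracks fragment sets per source and Identification and flags the three malformations described in the attack section above: overlapping fragments (the Teardrop pattern), fragments claiming bytes beyond the 65,535-byte IPv4 limit (oversized), and sets that never complete and would tie up a receiver's reassembly buffers. The source addresses, fragment sizes and 30-second timeout are constructed assumptions; a real IDS would take these values from the wire.

```python
from dataclasses import dataclass, field

MAX_DATAGRAM = 65535   # IPv4 total length is a 16-bit field; no datagram can be larger
TIMEOUT = 30.0         # seconds an incomplete set is kept before it counts as abandoned (assumed)


@dataclass
class Observed:
    # One fragment as a packet inspector sees it; fields mirror the IP header values
    src: str
    ident: int
    more: bool       # More Fragments flag
    offset: int      # byte offset of this payload in the original datagram
    length: int      # payload bytes carried by this fragment
    ts: float        # arrival time in seconds


@dataclass
class FragSet:
    first_seen: float
    pieces: list = field(default_factory=list)   # (start, end) byte ranges already seen
    last_seen: bool = False                      # a fragment with MF clear has arrived


class FragmentInspector:
    """Tracks fragment sets per (source, Identification) and flags malformed ones."""

    def __init__(self, timeout: float = TIMEOUT):
        self.timeout = timeout
        self.sets: dict[tuple[str, int], FragSet] = {}

    def observe(self, f: Observed) -> list[str]:
        alerts = []
        end = f.offset + f.length
        if end > MAX_DATAGRAM:
            alerts.append("oversized")     # claims bytes past what a 16-bit length allows
        key = (f.src, f.ident)
        s = self.sets.setdefault(key, FragSet(first_seen=f.ts))
        if any(f.offset < e and start < end for start, e in s.pieces):
            alerts.append("overlap")       # Teardrop-style contradictory offsets
        if not f.more:
            s.last_seen = True
        s.pieces.append((f.offset, end))
        if s.last_seen and self._contiguous(s.pieces):
            del self.sets[key]             # complete, well-formed datagram: nothing to hold
        return alerts

    @staticmethod
    def _contiguous(pieces: list) -> bool:
        # True when the pieces tile the datagram from byte 0 with no gaps or overlaps
        expected = 0
        for start, end in sorted(pieces):
            if start != expected:
                return False
            expected = end
        return True

    def expire(self, now: float) -> list[tuple[str, int]]:
        # Sets still incomplete after the timeout: a receiver would have wasted buffer on them
        stale = [k for k, s in self.sets.items() if now - s.first_seen > self.timeout]
        for k in stale:
            del self.sets[k]
        return stale


def run_sample() -> dict[str, list[str]]:
    # Constructed traffic: one benign datagram, a Teardrop-style pair, an oversized
    # fragment, and a first fragment whose remainder never arrives
    traffic = [
        Observed("198.51.100.7", 1, True,  0,     1480, 0.0),  # benign, first of two
        Observed("198.51.100.7", 1, False, 1480,  600,  0.1),  # benign, last
        Observed("203.0.113.9",  2, True,  0,     1480, 1.0),  # teardrop: next one starts inside this
        Observed("203.0.113.9",  2, False, 800,   1480, 1.1),
        Observed("203.0.113.9",  3, False, 65528, 200,  2.0),  # oversized: 65528 + 200 > 65535
        Observed("203.0.113.9",  4, True,  0,     1480, 3.0),  # never completed
    ]
    insp = FragmentInspector()
    report: dict[str, list[str]] = {}
    for f in traffic:
        for alert in insp.observe(f):
            report.setdefault(f"{f.src}/id={f.ident}", []).append(alert)
    for src, ident in insp.expire(now=60.0):
        report.setdefault(f"{src}/id={ident}", []).append("incomplete")
    return report


if __name__ == "__main__":
    for key, alerts in run_sample().items():
        print(key, ", ".join(alerts))
```

The benign datagram from 198.51.100.7 never appears in the report because its two pieces tile the datagram and the set is released as soon as the last fragment lands; the three sets from 203.0.113.9 are each flagged, and all three are also reported as incomplete when the timeout sweep runs, which is exactly the buffer pressure a flood of such fragments produces. In production the interesting signal is the rate of these alerts per source rather than any single one, since a lone malformed fragment can be a bug rather than an attack.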

Update your software. Legacy operating systems and unpatched security software can put your organization at risk of attacks. Make sure your Windows and Linux operating systems and security software for firewalls and IPS are up to date and patches are installed promptly.

Consider blocking fragmented packets. Blocking fragmented packets can stop some of these kinds of attacks. But this approach can also block legitimate services like VPNs, VoIP, and some web traffic that rely on fragmentation.

Use a VPN. A VPN encrypts your traffic which mitigates the impact of an attack, but it doesn’t prevent IP fragmentation attacks. In the event of an IP fragmentation attack your service will still be disrupted, but at least your data and activities will remain private.

Use a DDoS protection solution. The most reliable way to prevent an IP fragmentation DDoS attack is with a purpose-built DDoS protection solution. When coupled with real-time threat intelligence it can protect against the gamut of DDoS attacks and help you stay ahead of emerging threats. Advanced solutions will allow you to maintain uninterrupted service availability even in the midst of a DDoS attack and protect you against follow-on malicious activity including data leakage, ransomware attacks, and other threats to your operations.

Conclusion

IP fragmentation attacks are akin to the furniture assembly nightmare many of us have experienced, only the intent is malicious, and the consequence is disruption of service. In this type of attack, attackers exploit the IP packet reassembly process so that the fragments don’t fit together. Server resources become consumed trying to execute an operation that is impossible.

IP fragmentation attacks are difficult to detect and mitigate because they evade security controls. There are best practices and technologies to help mitigate IP fragmentation DDoS attacks, including implementing packet inspection, updating software, blocking fragmented packets, and using a VPN. However, they often come at a cost in terms of administration and management overhead, blocking legitimate traffic, or only limiting the damage of an attack and not preventing one.

This is why the most effective approach to detect and prevent these types of attacks is to implement a purpose-built advanced DDoS protection solution. DDoS protection coupled with intelligence to stay ahead of emerging and evolving threats, provides uninterrupted service availability even in the midst of a DDoS attack. Comprehensive DDoS protection can also defend against follow-on attacks that can harm your business. Visit our threat intelligence research center for more information on DDoS defense in depth.

FAQ

What is an IP Fragmentation DDoS attack?

An IP fragmentation DDoS attack exploits the IP packet reassembly process by sending fragments that may be overlapping, missing key information, or oversized, which makes them impossible to reassemble.

How does IP fragmentation work in normal network traffic?

IP fragmentation occurs at Layer 3 of the OSI model, the network layer, which is responsible for addressing packets and deciding the path they take to their destination. When an IP packet exceeds the Maximum Transmission Unit (MTU) size for a network path, routers split the large packet into smaller fragments that can be transmitted.

Each fragment includes a header with the instructions for reassembly. The information includes which fragments comprise the packet, whether they are the first, in the middle, or the last fragment, and their specific position within the original packet.

What is a Teardrop attack?

A Teardrop attack abuses the instructions intended to help with reassembly and sends incomplete or overlapping packets. The targeted system is unable to process and reassemble the incoming packets and freezes or crashes.

What are ICMP and UDP fragmentation attacks?

ICMP fragmentation and UDP fragmentation attacks send oversized fragmented ICMP or UDP packets (1500+ bytes) to consume more bandwidth with fewer packets. The bogus packets can’t be reassembled so the targeted system consumes significant resources trying and performance suffers.

What are the best practices to detect and mitigate IP Fragmentation DDoS attacks?

IP fragmentation attacks are difficult to detect and mitigate because they evade security controls in a few different ways. However, there are best practices and technologies to help mitigate and prevent IP fragmentation DDoS attacks, including implementing packet inspection, updating software, blocking fragmented packets, using a VPN, and implementing advanced DDoS protection.

Can IP Fragmentation DDoS attacks be prevented entirely?

Yes. Purpose-built DDoS protection coupled with intelligence to stay ahead of emerging threats, provides uninterrupted service availability even in the midst of an IP fragmentation DDoS attack. Advanced DDoS protection can also defend against other malicious activity that can harm an enterprise.