What Is IP Fragmentation? | IP Fragmentation Attacks

Explore how IP fragmentation works, why it exists, and how attackers can abuse it in fragmentation-based attacks.

IP Fragmentation Basics

IP fragmentation occurs when a packet is too large to traverse a link with a smaller maximum transmission unit (MTU). The sending host or an intermediate router splits the packet into smaller fragments, each with its own header, so they can pass through and be reassembled at the destination.

Fragmentation allows heterogeneous networks with different MTUs to interoperate, but it also adds overhead and complexity to packet processing.

Path MTU Discovery and Modern Practice

To minimize fragmentation, many systems use Path MTU Discovery (PMTUD) to learn the smallest MTU along a path and adjust packet sizes accordingly. In IPv6, routers do not fragment packets; fragmentation is handled only by the source, which further encourages careful sizing.

Properly tuned MTUs and PMTUD reduce the frequency of fragmentation, leading to better performance and fewer opportunities for misuse.

Fragmentation Attacks and Defenses

Attackers can craft malicious fragments that overlap, contradict, or stress reassembly buffers in an attempt to evade intrusion detection systems or trigger bugs in network stacks. Classic examples include teardrop and other fragmentation-based denial-of-service attacks.

Defenses include normalizing traffic at firewalls or intrusion prevention systems, limiting the number of fragments allowed, dropping suspicious fragment patterns, and keeping system software updated to patch known reassembly vulnerabilities.
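The fragment checks described above can be sketched as follows. This is an added example, not code from the original page; the function names, the 64-fragment limit and the sample packets are assumptions made for illustration, and the packets are constructed in memory rather than captured.

```python
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, options not parsed
MAX_FRAGS = 64               # assumed per-datagram limit; tune per environment

def parse_ipv4(pkt):
    """Return (datagram key, payload start, payload end, MF flag)."""
    vihl, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack(
        IPV4_HDR, pkt[:20])
    start = (flags_off & 0x1FFF) * 8            # offset field is in 8-byte units
    end = start + total - (vihl & 0x0F) * 4     # exclusive end of payload
    return (src, dst, ident, proto), start, end, bool(flags_off & 0x2000)

def inspect(packets, max_frags=MAX_FRAGS):
    """Return (ip_id, reason) findings for suspicious fragments."""
    seen, findings = defaultdict(list), []
    for pkt in packets:
        key, start, end, more = parse_ipv4(pkt)
        if start == 0 and not more:
            continue                            # unfragmented datagram
        if end > 65535:                         # cannot fit any IPv4 datagram
            findings.append((key[2], "exceeds 65535 bytes when reassembled"))
        if any(start < e and s < end for s, e in seen[key]):
            findings.append((key[2], "overlaps earlier fragment"))
        seen[key].append((start, end))
        if len(seen[key]) == max_frags + 1:     # report once per datagram
            findings.append((key[2], "too many fragments"))
    return findings

def frag(ident, offset, length, more):
    """Build one constructed IPv4/UDP fragment (checksum left at zero)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + length, ident, flags_off, 64, 17,
                      0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + bytes(length)

# Constructed sample traffic: ID 1 is well formed, ID 2 overlaps bytes 16-23.
SAMPLE = [frag(1, 0, 24, True), frag(1, 24, 16, False),
          frag(2, 0, 24, True), frag(2, 16, 16, False)]

if __name__ == "__main__":
    for ip_id, reason in inspect(SAMPLE):
        print(f"drop IP ID {ip_id}: {reason}")
```

The sketch keeps per-datagram state forever; a deployed normalizer also expires that state on a reassembly timeout so the tracking table itself cannot be exhausted.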