What is an IP/ICMP Fragmentation Attack?

An Internet Protocol (IP)/Internet Control Message Protocol (ICMP) fragmentation attack is a common form of volumetric denial of service (DoS) attack. In such an attack, datagram fragmentation mechanisms are used to overwhelm the network.

IP fragmentation occurs when IP datagrams are broken apart into small packets, then transmitted across a network, and finally reassembled into the original datagram as part of normal communications. This process is necessary to meet size limits that each network can handle. Such a limit is described as a maximum transmission unit (MTU).

When a packet is too large, it must be sliced into smaller fragments in order to be transmitted successfully. This leads to several packets being sent, one which contains all the info about the packet, including the source/destination ports, length, etc. This is the initial fragment.  

The remaining fragments are “naked” in the sense that they simply consist of an IP header plus a data payload. These fragments contain no information on protocol, size or ports.

The attacker can employ IP fragmentation to target communications systems, as well as security components. ICMP-based fragmentation attacks typically submit fake fragments that cannot be defragmented. This in turn causes the fragments to be placed in temporary storage, taking up memory and in some cases exhausting all available memory resources.

What Are the Signs of an IP/ICMP Fragmentation Attack?

IP/ICMP fragmentation attacks bombard the destination with fragmented packets, causing it to use memory to reassemble all those fragments and overwhelm a targeted network. Such attacks manifest themselves several in different ways:

  • UDP flooding – In this type of attack, attackers use botnets to send large volumes of fragments from numerous sources. In many cases, the receiver will not see the initial fragment (those often get lost in the avalanche of incoming packets); it just sees lots of packets with no protocol header (non-initial) fragments. Those non-initial fragments are tricky because they might belong to a legitimate session, but will in most cases be junk traffic. The receiver has no clue what is legitimate and what is not, because the initial fragment has been lost.
     
  • UDP and ICMP fragmentation attacks – In this type of attack, fake UDP or ICMP packets are transmitted. These packets are designed to look like they are larger than the network’s MTU, but only parts of the packets are actually sent. Since the packets are fake and can’t be reassembled, the server’s resources are quickly consumed, which ultimately renders it unavailable to legitimate traffic.
     
  • TCP fragmentation attacks – This type of attack, also known as a Teardrop attack, targets TCP/IP reassembly mechanisms. In such a case, fragmented packets are prevented from being reassembled. The result is that data packets overlap and the targeted server becomes completely overwhelmed and ultimately fails.

Why Are IP/ICMP Fragmentation Attacks Dangerous?

IP/ICMP fragmentation attacks, like many other DDoS attacks, will overwhelm the destination resources due to the massive traffic volumes. However, this attack will also force the destination to use resources to attempt to reassemble the packets which will often result in network devices and servers crashing. Lastly, as the non-initial fragments do not contain any information about which service they belong to, it is difficult to decide which packets are safe to drop and which are not.

How to Mitigate and Prevent an IP/ICMP Fragmentation Attack?

The approach for preventing IP/ICMP fragmentation attacks depends on the type and extent of the attack. The most common mitigation approaches involve ensuring that malicious data packets are prevented from reaching targeted servers. This involves inspecting incoming packets to determine if they breach fragmentation rules.

One possible denial of service mitigation approach is to block all non-initial fragments, but this will result in an issue with legitimate traffic, which relies on those fragments. A better solution is to use rate-limiting, which will not block anything during peacetime, but will drop the majority of packets (both good and bad because rate-limiting has no idea what is what) and the destination under attack will be unaffected. This approach does risk creating issues with legitimate services which rely on fragments, but this trade off may be deemed worthwhile when under attack. No method will result in 100% success. If you are using services which rely on fragments, for example DNS, you can whitelist the specific servers you rely on and use rate-limiting for the rest.