首页 > Technology > 正文

What Is an IP Fragmentation Attack? Complete Guide to Risks, Types & Mitigation

fenij 2026-07-14 13 Technology

Introduction

IP fragmentation is a built-in mechanism of the IPv4 protocol designed to solve transmission conflicts when an IP datagram exceeds the Maximum Transmission Unit (MTU) of a network link (the standard Ethernet MTU is 1500 bytes). When a large packet travels across routers, it is split into smaller IP fragments, each carrying a fragment offset, identification number and flag bits. The destination host buffers all fragments and reassembles them into the original complete packet before upper-layer processing.

While fragmentation ensures cross-network compatibility, the reassembly logic on end devices and network firewalls contains inherent security flaws. Attackers exploit these weaknesses by crafting malformed, overlapping or excessive fragmented packets to launch IP fragmentation attacks, which can trigger system crashes, resource exhaustion, firewall bypass or intrusion detection evasion. This article breaks down the core mechanics, mainstream attack variants, real-world impacts and actionable defense strategies for IP fragmentation abuse.

Core Working Principle of IP Fragmentation

To understand the attack vector, we first clarify how legitimate IP fragmentation works:

  1. MTU Threshold Trigger: If an IP datagram length > link MTU, intermediate routers split the payload into fragments. Each fragment retains an IP header with three critical fields:
  • Identification ID: All fragments from the same original packet share an identical ID, so the receiver groups them for reassembly.
  • MF (More Fragments) Flag: Set to 1 for all pieces except the final fragment; 0 marks the last fragment.
  • Fragment Offset: Measured in 8-byte units, indicating where the fragment’s payload sits in the full datagram. The legal maximum offset value is 8191, and the total combined size of all fragments cannot exceed IPv4’s theoretical limit of 65535 bytes.
  1. End-Side Reassembly: The target host allocates temporary memory buffers to cache incoming fragments matching the same ID. Once all fragments arrive, the system rearranges payloads by offset and reconstructs the full packet for TCP/UDP processing.
  2. Attack Surface Formation: All security risks stem from flawed reassembly logic. Outdated protocol stacks, stateless firewalls and under-resourced network devices fail to validate abnormal fragment parameters, allowing malicious crafted fragments to disrupt normal processing.

Three Major Categories of IP Fragmentation Attacks

IP fragmentation attacks fall into three core threat categories: Denial of Service (DoS), traffic evasion and data corruption attacks.

1. Denial of Service (DoS) Attacks – Resource Exhaustion & System Crash

This is the most common exploitation method, aiming to paralyze target hosts or network devices by overloading memory, CPU or triggering memory corruption vulnerabilities.

Classic Variant 1: Ping of Death

IPv4 limits the full datagram to 65535 bytes. Attackers send an ICMP Echo Request (ping packet) with a payload large enough that the sum of fragmented segments exceeds 65535 bytes after reassembly. Legacy operating systems (Windows 98 and earlier, old Linux kernels) pre-allocate a fixed 65535-byte buffer for reassembly. Oversized fragment combinations cause buffer overflow, triggering system freezes, blue screens or permanent downtime. Modern OS patches have fixed this overflow flaw, but the attack logic still applies to poorly maintained embedded devices (IoT cameras, industrial controllers).

Classic Variant 2: Teardrop Attack

The signature of teardrop attacks is overlapping fragment offsets. Attackers forge two sequential fragments where the offset of the second segment starts inside the payload range of the first fragment. For example:

  • Fragment 1: Offset = 0, payload length 1400 bytes (covers byte 0–1399)
  • Fragment 2: Offset = 100 (800 bytes into the original packet), payload length 1200 bytes (covers byte 800–1999)

When the receiver attempts to merge overlapping payload regions, flawed reassembly algorithms perform illegal memory read/write operations, leading to kernel panics, service crashes or unresponsive network stacks. Derivative variants include “bonk” and “newtear”, which use irregular offset gaps to create unresolvable fragment holes.

Resource Exhaustion Fragment Flood

Attackers blast massive volumes of unique fragmented streams toward a target. Each unique packet ID forces the victim to allocate dedicated memory buffers. A flood of thousands of unfinished fragment sequences consumes all available RAM; the device cannot allocate memory for new traffic and drops all legitimate connections. Additional abuse includes sending fragments with extremely large offset values, forcing the system to reserve unreasonably large memory blocks for reassembly.

2. Firewall & IDS/IPS Evasion Attacks

Stateless firewalls and signature-based intrusion detection systems inspect individual packets in isolation without full fragment reassembly. Attackers split malicious traffic across multiple fragments to bypass security rules:

  1. Split malicious TCP/UDP header data across two fragments: The first fragment passes firewall policy checks independently, while the second overlapping fragment overwrites critical header fields during reassembly.
  2. After recombination, the complete packet contains forbidden payload (malware signatures, attack commands), which the security device never detects because it only scanned isolated fragments.
  3. Threat actors also use tiny “micro-fragments” to split attack signatures across dozens of small segments, evading pattern matching rules in IDS platforms.

3. Packet Corruption & Policy Bypass Attacks

Overlapping fragments can rewrite transport-layer headers post-reassembly to alter traffic attributes:

  • Modify destination port numbers to bypass ACL access control lists;
  • Tamper with TCP flags to disguise malicious connection attempts as normal legitimate traffic;
  • Destroy TCP/UDP checksum values, confusing traffic auditing tools and disrupting session tracking.

Real-World Impact of IP Fragmentation Attacks

  1. Business Service Outage: DoS variants take down web servers, ERP systems and industrial control equipment, causing revenue loss and production halts.
  2. Security Control Failure: Evasion techniques bypass firewalls and intrusion prevention, enabling malware infiltration, remote code execution and data exfiltration.
  3. Device Instability: Unpatched IoT, routers and switches frequently crash under fragment abuse, disrupting office or campus network connectivity.
  4. Audit Blind Spots: Corrupted fragmented traffic breaks logging and traffic monitoring, making post-incident forensics extremely difficult.

Complete Mitigation & Defense Solutions

Defense requires layered protection across host systems, network boundary hardware and security policy configuration.

1. Host Operating System Hardening

  • Deploy all official OS security patches: Modern Windows, Linux and macOS kernels have fixed buffer overflow and overlapping fragment processing flaws that enabled Ping of Death and teardrop attacks.
  • Configure OS-level fragment limits: Restrict the maximum time unassembled fragments stay buffered (recommended timeout: 10–30 seconds) to free memory quickly.
  • Disable IP fragmentation for non-essential services where MTU matching is controllable.

2. Firewall & Network Device Configuration

  • Enable virtual fragment reassembly on all border firewalls, routers and IPS devices: Reconstruct all fragments before security inspection to eliminate evasion opportunities.
  • Filter malformed fragments via ACL rules: Reject packets with conflicting fragment flags, illegal offset values, overlapping payload ranges or oversized combined datagrams exceeding 65535 bytes.
  • Set fragment traffic rate limits: Cap the number of concurrent fragment sequences per source IP to block fragment flood DoS attacks.
  • Discard ultra-small micro-fragments (payload < 8 bytes) by default, as legitimate traffic rarely requires such tiny segments.

3. Network Architecture Optimization

  • Standardize MTU values across internal networks to reduce unnecessary fragmentation: Set endpoints to 1480 or 1500 bytes to avoid router splitting.
  • Enable Path MTU Discovery (PMTUd) to automatically adjust packet sizes and eliminate fragmentation at intermediate routers.
  • Deploy dedicated DDoS mitigation appliances at internet ingress points to filter malicious fragmented traffic before it reaches internal servers.

4. Monitoring & Threat Detection

  • Enable logging for all discarded abnormal fragments to alert administrators of potential attack attempts.
  • Configure IDS signature rules to detect repeated overlapping offsets, oversized fragment sequences and abnormal micro-fragment streams.
  • Track memory and CPU utilization spikes linked to fragment reassembly as early warning signs of ongoing fragmentation attacks.

Conclusion

IP fragmentation is a necessary IPv4 function, yet its reassembly logic creates a persistent attack vector that threat actors continue to exploit for DoS, security bypass and data tampering. While legacy critical vulnerabilities like Ping of Death have been patched on mainstream systems, underprotected IoT and industrial hardware remain high-risk targets.

A comprehensive defense strategy combines regular system patching, boundary firewall fragment validation, traffic rate limiting and continuous threat monitoring. By eliminating unvalidated fragment processing at every network layer, organizations can fully mitigate the risks posed by IP fragmentation attacks and harden their TCP/IP stack against exploitation.