TCP/IP Internet Layer Attack Vector #2


Transcript

In this lecture, I'm going to be talking about the IP fragmentation attack, how to detect it, and how to mitigate it. Let's start with the basic definition. Fragmentation is an Internet Protocol process that breaks packets into smaller pieces, which are called fragments, so that the resulting pieces can pass through a link with a smaller maximum transmission unit, that is, MTU. The fragments are reassembled into the original packet by the receiving host. So here we actually have two important concepts, I can say. The first one is the MTU, the maximum transmission unit; in case you don't know what it is, I recommend you go back and refresh your knowledge on that.

And the second important thing is the fact that the fragments are reassembled by the receiving host. These are the two things that make this attack possible. Here the attacker exploits the fact that whenever the size of an IP packet is bigger than the maximum transmission unit, or MTU, the router on the destination side is going to fragment it. In other words, the attacker sends such packets that they will first be fragmented by the router and then reassembled at the targeted host. And of course, such packets will be sent over and over to cause a denial of service. Let me also quickly draw it for you so that you can understand it in a better way.

Suppose that we have such a router here and a big IP packet is coming to the router. If this packet is specially crafted, the router will try to fragment it and forward it to the destination. In this case, the targeted host will try to reassemble it at its end. Obviously, the attacker will not stop after just one big IP packet. It will send many, many such big packets, and all of them will go to the destination in the same way, and the destination will try to reassemble all of them. Basically, in the short term, the destination will be out of memory and the host will no longer be able to serve its services.

Now, of course, the question is, why does the router behave like that? What is the setting that the attacker sets in the packet so that, you know, it allows the malformed packets to pass through the router? There go the settings, and here is the IP header shown. But we are not actually going to be focusing on the whole header for this attack. We will rather be focused on the flags section, and especially on those two flags. The first one is bit one, which indicates whether this packet is to be fragmented or not; obviously the attacker wants it to be fragmented, therefore he sets it to zero.

And as for bit two, the attacker sets it to one in order to indicate to the destination host that more fragments are coming, and therefore keep listening; that is, keep your resources busy for me. And how does it look on Wireshark? How to detect this attack vector, there it goes. For the IP fragmentation attack, this is the filter you need to use on Wireshark. After applying it, oftentimes this is more or less what you should get. As you can see, the destination is trying to reassemble all the fragmented packets. And if you investigate even more deeply, this is what you will see.

This is actually also what we discussed. We haven't discussed this part, because this is a default setting. But these two bits we have discussed are important. Don't Fragment is set to zero, so it will be fragmented, and More Fragments is set to one. So yeah, the attacker wants the destination to expect more fragments, while at the same time, in the background, he opens new connections and repeats the same thing to exploit more resources.

So after all this, how to mitigate? Well, the most obvious one is to disable fragmentation on your router, if possible. In other words, regardless of what packet is coming, you can just ignore all the fragmented packets. So if a packet demands fragmentation, you can just drop that packet at the router. However, this will have its own complications depending on the services you run.

So, unfortunately, in real life this is not always that great, or possible at all. And if that's the case, basically the best method to detect and mitigate such an attack is constantly inspecting incoming packets for violations of fragmentation rules. And for that, we will have to use either a router or a secure proxy. Defining those rules for fragmentation will be up to you; it will depend on your environment. But I can tell you that you will have to define a minimum limit and a maximum limit either way. Finally, I'd like to also mention that this concept that I have explained in this lecture, I mean the fragmentation concept, is analogous to another famous attack, which is the TCP teardrop attack, because it uses the same methodology.

Not only that, there are also other kinds of fragmentation attacks as well, like on the ICMP and UDP protocols. And the concept is exactly the same. In other words, whenever you hear of another kind of fragmentation attack, like a UDP fragmentation or ICMP fragmentation attack, you can be sure that the concept is going to be exactly the same as how I described it here in this lecture for IP fragmentation.
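As an added illustration of the detection approach described above (example code, not part of the lecture), the following Python script parses the IPv4 flags and fragment offset, checks each fragment against a small set of fragmentation rules, and counts how many incomplete reassembly groups each destination is holding. The minimum fragment size and the pending-group limit are assumed tuning values, and the packets are constructed inline.

```python
import struct
from collections import defaultdict

# Assumed tuning values (not from the lecture): minimum payload for a non-final
# fragment and the per-destination limit on incomplete reassembly groups.
MIN_FRAG_PAYLOAD = 64
MAX_PENDING_GROUPS = 3

def build_ipv4(ident, df, mf, offset_units, payload_len,
               src=b"\x0a\x00\x00\x05", dst=b"\x0a\x00\x00\x09"):
    """Build a constructed IPv4 header plus zero payload; offset_units is in 8-byte units."""
    flags_frag = (df << 14) | (mf << 13) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, 17, 0, src, dst)
    return hdr + b"\x00" * payload_len

def parse_ipv4(pkt):
    """Extract the header fields that matter for fragmentation (offset converted to bytes)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {"id": ident, "src": pkt[12:16], "dst": pkt[16:20],
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload_len": total_len - ihl}

def fragment_violations(f, min_frag=MIN_FRAG_PAYLOAD):
    """Return the fragmentation rules this single packet breaks (empty list if it is clean)."""
    v = []
    is_frag = f["mf"] or f["offset"] > 0
    if f["df"] and is_frag:
        v.append("DF set on a fragment")
    if f["mf"] and f["payload_len"] % 8:
        v.append("non-final fragment length not a multiple of 8")
    if f["mf"] and f["payload_len"] < min_frag:
        v.append("non-final fragment below minimum size")
    if f["offset"] + f["payload_len"] > 65535:
        v.append("reassembled datagram would exceed 65535 bytes")
    return v

def pending_groups(packets):
    """Count reassembly groups per destination that never received their final fragment."""
    seen, done = defaultdict(set), set()
    for f in map(parse_ipv4, packets):
        key = (f["src"], f["dst"], f["id"])
        if f["mf"] or f["offset"] > 0:
            seen[f["dst"]].add(key)
        if not f["mf"] and f["offset"] > 0:
            done.add(key)
    return {dst: len(keys - done) for dst, keys in seen.items()}

def flooded_destinations(packets, limit=MAX_PENDING_GROUPS):
    """Destinations holding more incomplete groups than the limit: the resource-exhaustion pattern."""
    return sorted(d for d, n in pending_groups(packets).items() if n > limit)

# Constructed traffic: one well-formed fragmented datagram (id 1), then a burst of
# first fragments with MF=1 whose final fragments never arrive (ids 100-104).
SAMPLE = [build_ipv4(1, 0, 1, 0, 1480), build_ipv4(1, 0, 0, 185, 100)]
SAMPLE += [build_ipv4(i, 0, 1, 0, 1480) for i in range(100, 105)]
```

Feeding the same checks a live capture instead of `SAMPLE` turns the per-packet rules into the minimum and maximum limits the lecture says you must define, and the pending-group count into the signal that a host is being kept busy reassembling.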
