Fragmentation Attacks: Log Examples

Fragmentation attacks are a type of network-based Denial of Service (DoS) attack that exploits how systems reassemble fragmented packets.

How Fragmentation Attacks Work

When data packets exceed the maximum transmission unit (MTU) of a network, they are split into smaller fragments. The receiving system must reassemble these fragments to reconstruct the original packet. In a fragmentation attack, attackers send fragmented packets that are either oversized, overlapping, or incomplete. This forces the target system to allocate resources for reassembly or causes a buffer overflow, leading to system instability or crashes.

What Fragmentation Attacks Look Like in Logs

1. Overlapping or Malformed Fragments

Logs may show fragmented packets with abnormal offsets or overlapping sequences.

Log Example (Firewall Logs):

[Nov 21 18:30:01] Fragment: Src=192.168.1.100 Dst=10.0.0.1 ID=54321 Offset=100 Overlap=True
[Nov 21 18:30:02] Fragment: Src=192.168.1.101 Dst=10.0.0.1 ID=54322 Offset=50 Overlap=True

Signs:

  • Abnormal fragment offsets in consecutive packets.
  • Overlapping or missing data in fragments.

2. Excessive Fragmentation

Logs may show an unusual number of fragmented packets from the same source.

Log Example (Firewall Logs):

[Nov 21 18:31:01] Fragment: Src=192.168.1.150 Dst=10.0.0.1 ID=54323 Offset=0 MoreFragments=True
[Nov 21 18:31:02] Fragment: Src=192.168.1.150 Dst=10.0.0.1 ID=54323 Offset=1000 MoreFragments=True
[Nov 21 18:31:03] Fragment: Src=192.168.1.150 Dst=10.0.0.1 ID=54323 Offset=2000 MoreFragments=True

Signs:

  • High frequency of fragmented packets from a single IP address.
  • Fragmented packets with abnormal patterns or sizes.
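
The signs from both sections can be checked in one pass over the log. The script below is an added example, not part of the original article: it parses the firewall log format shown above and reports overlapping fragments, sources that send many fragments, and datagrams whose final fragment never arrives. The sample lines are constructed, and the function names and flood_threshold value are assumptions to tune for your environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the firewall log format shown on this page.
SAMPLE_LOG = """\
[Nov 21 18:30:01] Fragment: Src=192.168.1.100 Dst=10.0.0.1 ID=54321 Offset=100 Overlap=True
[Nov 21 18:30:02] Fragment: Src=192.168.1.101 Dst=10.0.0.1 ID=54322 Offset=50 Overlap=True
[Nov 21 18:31:01] Fragment: Src=192.168.1.150 Dst=10.0.0.1 ID=54323 Offset=0 MoreFragments=True
[Nov 21 18:31:02] Fragment: Src=192.168.1.150 Dst=10.0.0.1 ID=54323 Offset=1000 MoreFragments=True
[Nov 21 18:31:03] Fragment: Src=192.168.1.150 Dst=10.0.0.1 ID=54323 Offset=2000 MoreFragments=True
[Nov 21 18:31:04] this line is not a fragment record
"""

LINE_RE = re.compile(r"^\[[^\]]+\] Fragment: (?P<fields>.+)$")
REQUIRED = ("Src", "Dst", "ID", "Offset")

def parse_line(line):
    """Return a dict of the key=value fields, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not all(k in rec for k in REQUIRED) or not rec["Offset"].isdigit():
        return None
    return rec

def analyze(log_text, flood_threshold=3):
    """Flag overlapping fragments, noisy sources and never-completed datagrams."""
    # flood_threshold: assumed fragments-per-source limit for the analysed window.
    overlaps, per_src = [], Counter()
    offsets, more_flags = defaultdict(set), defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        key = (rec["Src"], rec["Dst"], rec["ID"])  # one fragmented datagram
        per_src[rec["Src"]] += 1
        off = int(rec["Offset"])
        # Device-reported overlap, or the same offset seen twice in one datagram.
        if rec.get("Overlap") == "True" or off in offsets[key]:
            overlaps.append(key + (off,))
        offsets[key].add(off)
        if "MoreFragments" in rec:
            more_flags[key].append(rec["MoreFragments"] == "True")
    floods = sorted(s for s, n in per_src.items() if n >= flood_threshold)
    # Every logged fragment says "more follow": the final fragment never arrived.
    incomplete = sorted(k for k, f in more_flags.items() if all(f))
    return {"overlaps": overlaps, "floods": floods, "incomplete": incomplete}

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(name, hits)
```

In production, run the count over a sliding time window rather than a whole file, since legitimate traffic over low-MTU links also produces fragments.
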
Updated on November 22, 2024