IP fragmentation occurs when packets are broken up into smaller pieces (fragments) so they can pass through a link at a smaller maximum transmission unit (MTU) than the original (larger) packet size. The fragments are then put back together by the host receiving them, or destination host.

IP fragmentation can cause problems when fragments are affected by packet loss and cause excessive retransmissions. This can cause performance issues. To recover the loss of a fragment, protocols, like TCP, retransmit fragments in order to reassemble them. Fragmented traffic can also be crafted to evade intrusion detection systems and be used maliciously.

Putting Fragments Back Together

If your network is fragmenting packets for transmission, the destination host will require information to put them back reassemble them.

  • Fragment ID: The IP header will contain an identifier to recognize all of the fragments of the packet.
  • Place and Offset: Identifies the position of the fragment in the packet.
  • Length: Indicates the length of the data in the fragment.
  • MF Flag: Indicates whether there are more fragments of the packet in the transmission.

Diagnosing Network Issues Caused by Fragmentation

You may identify fragmentation issues by performance slowdowns, or there may be other symptoms, such as:

  • The hosts can ping one another
  • A service or port may be accessible using telnet
  • Persistent, and potentially severe, application issues
  • Partial page loads
  • Hosts appearing to hang

If you recognize the symptoms of this issue you can perform testing to confirm your suspicions. You can use a telnet session to verify connectivity. If the connectivity is there but you’re still seeing performance issues that indicate a lack of connectivity, you are likely experiencing a fragmentation issue.

You can also use a network analyzer to help identify the issue. Some software offers a network visualizer that can trace your network path by path to identify issues.

How to Avoid Fragmentation

In order to avoid IP fragmentation, you must determine the size of the IP packets to send over the network. There are two approaches that are generally used; path MTU discovery and setting maximum segment size (MSS).

Path MTU Discovery – This technique is used to identify MTU end-to-end to prevent packet fragmentation. Send an internet control message protocol (ICMP) packet to the desired destination with the don’t fragment (DF) bit setting turn on. When sent on a network that would require fragmentation, a Layer 3 device will discard the package and send an ICMP message back containing the MTU value needed to avoid fragmentation. The packet will then be re-sent at that MTU value and will not be fragmented. This method won’t work if ICMP is blocked on firewalls and packet filtering devices.

Set Maximum Segment Size (MSS) – By setting the MSS for TCP traffic, devices will inspect the inbound TCP synchronize/start (SYN) packets and set an MTU value that does not require fragmentation. Your ideal MSS setting will be less than your MTU to avoid unnecessary fragmentation, but you don’t want it to be too small or you’ll run into performance issues. You can also use the MSS value to assess network performance for data transfer efficiency.

Avoiding IP Fragmentation Attacks

In addition to causing network inefficiencies and performance issues, IP fragmentation can lead to security issues as well. IP fragmentation attacks are a form of DDoS attack where the fragmentation mechanisms overwhelm the target network.

There are two known ways that fragmentation can be exploited.

UDP and ICMP Fragmentation Attacks

This type of attack sends fraudulent UDP or ICMP packets that exceed the MTU of the network. Since the packets aren’t real, they can’t be reassembled, but the network will continue to retransmit them. This overwhelms the server and may take it out altogether.

TCP Fragmentation Attacks

The best-known form of this attack is the Teardrop attack, which exploited a vulnerability in old versions of Windows. These kinds of fragmentation attacks target TCP/IP reassembly mechanisms by preventing them from putting fragmented packets together. Data packets begin to overlap and overwhelm the server, which can cause it to fail.

You can protect your network from these kinds of attacks by setting fragmentation rules and inspecting incoming data packets for things that violate those rules, like using a router or a secured proxy.

Setting Your Network Up for Success

IP fragmentation is useful and often necessary to transmit data across your network. By setting your network up to transmit data efficiently and protecting it from attacks, you should avoid some of the common issues we discussed here.