Fragment Overlap Attack

31st March 2020 | Cybrary

A Fragment Overlap Attack, also known as an IP Fragmentation Attack, is an attack that is based on how the Internet Protocol (IP) requires data to be transmitted and processed. These attacks are a form of Denial of Service (DoS) attack where the attacker overloads a network by exploiting datagram fragmentation mechanisms.

To be able to understand how this attack works, we must understand how IP Fragmentation works. IP Fragmentation is a communication action where IP datagrams are broken down into smaller packets and transmitted across a network and then reassembled back into the original datagram. Fragmentation is vital for the transmitting of data, every network has its own limit on datagram packet sizes that it can process. Datagrams larger than the Maximum Transmission Unit (MTU) must be fragmented to be transmitted successfully.

These attacks are carried out in two ways, first, the attacker sends out fraudulent packets larger than the MTU can handle; these packets are forgeries and in some cases cannot be reassembled by the receiving network leading to network overload and a denial of service condition.

The second way data fragmentation attacks are is carried out is by the attacker targeting the IP assembly systems, preventing the network from putting the packets back together by sending duplicate fragments, unsequenced fragments, and fragments with reassembly instructions forged erroneously; eventually receiving server is again overloaded and a denial of service condition follows.

Source: Imperva

What does this mean for an SMB or a larger business?

A Denial of Service attack may pose a potential threat against gambling companies or other mid-to-large enterprises such as banks and defense contractors. DoS attacks are rarely used against SMB’s unless they upset a hacker group. In other cases, one hacking group attacks another hacking group. CyberHoot is not suggesting this never happens, but that the likelihood is low, and the cost of protection is often very large. CyberHoot’s advice is to know what these Denial of Service Attacks are caused by so you can recognize them when they occur, to establish a relationship with a DDoS protection vendor without purchasing protection, investigate purchasing cyber insurance to invoke if you ever experience an attack, and being prepared to engage when and if you experience an attack.

Distributed Denial of Service Vendors

NetScout (formerly Arbor Networks), AT&T Cloud Protection, Verizon DDoS Prevention Services, and Akamai DDoS Protection. Mid-to-Large enterprises may want to purchase DDoS protection contracts and preprovision the protection services with their Content Delivery Network solutions so they can activate protection in seconds if they are hit by a DDOS attack. SMB’s should not.