Home > CAPEC List > CAPEC-495: UDP Fragmentation (Version 3.2)  

CAPEC-495: UDP Fragmentation

Attack Pattern ID: 495
Abstraction: Standard
Status: Draft
Presentation Filter:
+ Description
An attacker may execute a UDP Fragmentation attack against a target server in an attempt to consume resources such as bandwidth and CPU. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. Typically the attacker will use large UDP packets over 1500 bytes of data which forces fragmentation as ethernet MTU is 1500 bytes. This attack is a variation on a typical UDP flood but it enables more network bandwidth to be consumed with fewer packets. Additionally it has the potential to consume server CPU resources and fill memory buffers associated with the processing and reassembling of fragmented packets.
+ Relationships

The table below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.130Excessive Allocation

The table below shows the views that this attack pattern belongs to and top level categories within that view.

+ Prerequisites
This type of an attack requires the attacker to be able to generate fragmented IP traffic containing crafted data.
+ Mitigations
This attack may be mitigated by changing default cache sizes to be larger at the OS level. Additionally rules can be enforced to prune the cache with shorter timeouts for packet reassembly as the cache nears capacity.
+ References
[REF-424] Yossi Gilad and Amir Herzberg. "Fragmentation Considered Vulnerable". 2012. <http://u.cs.biu.ac.il/~herzbea/security/12-03%20fragmentation.pdf>.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2019-04-04CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
More information is available — Please select a different filter.
Page Last Updated or Reviewed: September 30, 2019