Home > CAPEC List > CAPEC-495: UDP Fragmentation (Version 2.9)  

CAPEC-495: UDP Fragmentation

UDP Fragmentation
Definition in a New Window Definition in a New Window
Attack Pattern ID: 495
Abstraction: Standard
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An attacker may execute a UDP Fragmentation attack against a target server in an attempt to consume resources such as bandwidth and CPU. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. Typically the attacker will use large UDP packets over 1500 bytes of data which forces fragmentation as ethernet MTU is 1500 bytes. This attack is a variation on a typical UDP flood but it enables more network bandwidth to be consumed with fewer packets. Additionally it has the potential to consume server CPU resources and fill memory buffers associated with the processing and reassembling of fragmented packets.

+ Attack Prerequisites
  • This type of an attack requires the attacker to be able to generate fragmented IP traffic containing crafted data.

+ Solutions and Mitigations

This attack may be mitigated by changing default cache sizes to be larger at the OS level. Additionally rules can be enforced to prune the cache with shorter timeouts for packet reassembly as the cache nears capacity.

+ References
Yossi Gilad and Amir Herzberg. "Fragmentation Considered Vulnerable". 2012. <http://u.cs.biu.ac.il/~herzbea/security/12-03%20fragmentation.pdf>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 07, 2015