Fragmentation considered vulnerable

Yossi Gilad, Amir Herzberg

Research output: Contribution to journalArticlepeer-review

23 Scopus citations


We show that fragmented IPv4 and IPv6 traffic is vulnerable to effective interception and denial-of-service (DoS) attacks by an off -path attacker. Specifically, we demonstrate a weak attacker intercepting more than 80% of the data between peers and causing over 94% loss rate. We show that our attacks are practical through experimental validation on popular industrial and opensource products, with realistic network setups that involve NAT or tunneling and include concurrent legitimate traffic as well as packet losses. The interception attack requires a zombie agent behind the same NAT or tunnel-gateway as the victim destination; the DoS attack only requires a puppet agent, that is, a sandboxed applet or script running in web-browser context. The complexity of our attacks depends on the predictability of the IP Identification (ID) field which is typically implemented as one or multiple counters, as allowed and recommended by the IP specifications. The attacks are much simpler and more efficient for implementations, such as Windows, which use one ID counter for all destinations. Therefore, much of our focus is on presenting effective attacks for implementations, such as Linux, which use per-destination ID counters. We present practical defenses for the attacks presented in this article, the defenses can be deployed on network firewalls without changes to hosts or operating system kernel.

Original languageAmerican English
Article number16
JournalACM Transactions on Information and System Security
Issue number4
StatePublished - Apr 2013
Externally publishedYes


  • Denial of service
  • IP fragmentation


Dive into the research topics of 'Fragmentation considered vulnerable'. Together they form a unique fingerprint.

Cite this