Sneaking Past the Alarm: How Packet Fragmentation Helps Attackers Evade IDS Signature Detection

Most networks rely on an Intrusion Detection System (IDS)—a digital security guard that inspects traffic for known “bad” patterns (signatures) and raises an alert if it spots trouble. Attackers, however, have tricks to slip past that guard. One of the most effective is packet fragmentation.


What Is Packet Fragmentation?

  • Normal Behavior:
    When you send data across the internet, it travels in chunks called packets. Large packets sometimes get split (“fragmented”) by routers so they can move through networks with smaller size limits, then get reassembled at their destination.
  • Malicious Twist:
    An attacker deliberately breaks a malicious payload into many tiny fragments—often out of order or overlapping—before sending them. Many older or poorly tuned IDS sensors inspect each packet individually. Because the signature is split into pieces, the IDS never sees the full pattern and lets the traffic through. The target host, which dutifully reassembles the fragments, receives the complete malicious payload.

How Defenders Counter Fragmentation Tricks

  1. Reassembly at the Sensor:
    Modern IDS/IPS sensors reassemble fragments in memory before inspection, so the signature engine matches against the same complete payload the target host will see.
  2. Tight Fragment Policies:
    Network devices can block overly small or suspiciously overlapping fragments.
  3. Deep Packet Inspection (DPI):
    DPI engines correlate fragments and check session context, making it harder for attackers to hide.
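
The following Python simulation is an added example, not code from the original post. It models the "Malicious Twist" above and the first two countermeasures: a payload is split into fragments, a naive per-fragment matcher fails to find the signature, a sensor that reassembles (tolerating out-of-order and overlapping fragments) finds it, and a tight fragment policy flags tiny and overlapping fragments. The `Fragment` class, the sample payload, the signature string, the minimum fragment size and the first-received-wins overlap rule are all constructed assumptions for the demonstration; real host stacks differ in how they resolve overlaps, so a production sensor must mirror the policy of the hosts it protects.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original payload
    data: bytes


# Constructed sample signature and payload, used only for this demonstration.
SIGNATURE = b"/bin/sh"
SAMPLE_PAYLOAD = b"GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.0\r\n"


def fragment(payload: bytes, size: int) -> list[Fragment]:
    """Split a payload into fixed-size pieces, mimicking IP fragmentation."""
    return [Fragment(i, payload[i:i + size]) for i in range(0, len(payload), size)]


def inspect_per_packet(frags: list[Fragment], signature: bytes = SIGNATURE) -> bool:
    """Naive sensor: looks for the signature inside each fragment in isolation."""
    return any(signature in f.data for f in frags)


def reassemble(frags: list[Fragment]) -> bytes | None:
    """Rebuild the payload by offset, whatever order the fragments arrived in.

    Overlap policy (an assumption of this demo): the first fragment received
    wins. Returns None if a byte range between fragments was never filled.
    """
    if not frags:
        return None
    total = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(total)
    filled = [False] * total
    for f in frags:                      # receive order, not offset order
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if not filled[pos]:          # first-received data wins on overlap
                buf[pos] = byte
                filled[pos] = True
    return bytes(buf) if all(filled) else None


def inspect_reassembled(frags: list[Fragment], signature: bytes = SIGNATURE) -> bool:
    """Sensor that reassembles before matching, as the text recommends."""
    data = reassemble(frags)
    return data is not None and signature in data


def fragment_policy_violations(frags: list[Fragment], min_size: int = 8) -> list[str]:
    """Tight fragment policy: flag tiny non-final fragments and any overlap."""
    findings: list[str] = []
    ordered = sorted(frags, key=lambda f: f.offset)
    last_offset = ordered[-1].offset
    prev_end = 0
    for f in ordered:
        if len(f.data) < min_size and f.offset != last_offset:
            findings.append(f"tiny fragment at offset {f.offset} ({len(f.data)} bytes)")
        if f.offset < prev_end:
            findings.append(f"overlap at offset {f.offset} (previous fragment ends at {prev_end})")
        prev_end = max(prev_end, f.offset + len(f.data))
    return findings


if __name__ == "__main__":
    tiny = fragment(SAMPLE_PAYLOAD, 4)           # signature split across pieces
    print("per-packet match:", inspect_per_packet(tiny))
    print("reassembled match:", inspect_reassembled(tiny))
    print("out-of-order reassembled match:", inspect_reassembled(list(reversed(tiny))))
    for finding in fragment_policy_violations(tiny):
        print("policy:", finding)
    normal = fragment(SAMPLE_PAYLOAD, 16)
    overlap = Fragment(8, b"X" * 12)             # constructed overlapping fragment
    for finding in fragment_policy_violations(normal + [overlap]):
        print("policy:", finding)
```

Running the script shows the per-packet matcher reporting no hit while the reassembling matcher does, in both arrival orders, and the policy check listing every undersized fragment and both overlap boundaries. The overlap rule is the design choice that matters most in practice: send the same overlapping fragments to a stack that prefers the last-received data and the reassembled bytes differ, which is why a sensor's reassembly policy has to agree with that of the protected hosts.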

Key Takeaway

Packet fragmentation is the textbook example of evading IDS signature detection: split the attack into harmless-looking pieces, then rely on the target to put it back together. Knowing this tactic—and how modern defenses mitigate it—helps security teams keep their digital guards alert and effective.
