IP fragmentation

The IP fragmentation buffer full exploit occurs when there is an excessive amount of incomplete fragmented traffic detected on the protected network.

This can crash various operating systems because of a bug in their TCP/IP fragmentation re-assembly code.

IP fragmentation exploits (attacks) use the fragmentation protocol within IP as an attack vector.

For best performance, the MSS should be set small enough to avoid IP fragmentation, which can lead to packet loss and excessive retransmissions.

IP fragmentation is dealt with the connection tracking subsystem requiring defragmentation, though TCP segmentation is not handled.

IP fragmentation is the process of breaking up a single Internet Protocol (IP) datagram into multiple packets of smaller size.

IP fragmentation can cause excessive retransmissions when fragments encounter packet loss and reliable protocols such as TCP must retransmit all of the fragments in order to recover from the loss of a single fragment.

The second is to run the path MTU discovery algorithm, described in RFC 1191, to determine the path MTU between two IP hosts, so that IP fragmentation can be avoided.

Some network cards implement TSO generically enough that it can be used for offloading fragmentation of other transport layer protocols, or by doing IP fragmentation for protocols that don't support fragmentation by themselves, such as UDP.

The helpers only inspect one packet at a time, so if vital information for connection tracking is split across two packets, either due to IP fragmentation or TCP segmentation, the helper will not necessarily recognize patterns and therefore not perform its operation.

Furthermore, TCP senders can use path MTU discovery to infer the minimum MTU along the network path between the sender and receiver, and use this to dynamically adjust the MSS to avoid IP fragmentation within the network.

Prior to DNSSEC, DNS requests primarily used short UDP packets, but due to the size of DNSSEC exchanges, and shortcomings of IP fragmentation, UDP is less practical for DNSSEC.