Fragmentation Attacks

Fragmentation attacks are an abuse of the fragmentation offset feature of IP packets. Fragmentation occurs because a global infrastructure is built from many different network links. Some network segments support smaller datagrams (another term for packet or frame) than others, so larger datagrams are fragmented into the smaller, more compatible size. When the fragmented elements of the original datagram are reassembled, manipulation of the fragments can cause several potentially malicious reconstructions, such as overlapping and overrun. Think of the transporter on Star Trek: If anything gets in the way of the reassembly of the person being transported, you might end up with an evil Mr. Spock with a goatee.

Overlapping can cause full or partial overwriting of datagram components, creating new datagrams out of parts of previous datagrams. Overrun can result in excessively large datagrams. Other fragmentation attacks cause DoS or confuse IDS detection and firewall filtering.

Protections against fragmentation attacks include modern IDS detection and firewall-filtering features, as well as performing sender fragmentation. Sender fragmentation queries the network route to determine the smallest maximum transmission unit (MTU), or datagram size, along the path. The sender then pre-fragments the data to ensure that no fragmentation needs to occur en route. “Beam me up, Mr. Scott—and make sure I get back all in one piece.”
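The following is an added example, not code from the book, illustrating both points above: a conservative IPv4 fragment checker of the kind an IDS or firewall uses, which flags overlapping and overrun fragments rather than guessing how a host would reassemble them, plus a sender-side pre-fragmentation routine that splits a datagram to fit a path MTU so nothing has to be fragmented en route. The `Fragment` and `Verdict` classes, the function names, and all sample fragments are constructed for this illustration; offsets follow the real IPv4 header (13-bit Fragment Offset in 8-byte units, 16-bit Total Length).

```python
"""Added example (not from the book): detect overlapping / overrun IPv4
fragments, and pre-fragment a datagram for a known path MTU.
All fragments below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

IPV4_MAX_DATAGRAM = 65535                    # limit of the 16-bit Total Length field
IPV4_HEADER_LEN = 20                         # minimal header; offsets count payload bytes after it
MAX_PAYLOAD = IPV4_MAX_DATAGRAM - IPV4_HEADER_LEN


@dataclass
class Fragment:
    ident: int        # Identification field; groups the fragments of one datagram
    offset: int       # Fragment Offset field, in 8-byte units
    more: bool        # More Fragments (MF) flag
    payload: bytes

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        return self.start + len(self.payload)


@dataclass
class Verdict:
    overlap: bool = False      # a fragment rewrites bytes another fragment already covers
    overrun: bool = False      # reassembled datagram would exceed 65535 bytes
    malformed: bool = False    # non-final fragment not a multiple of 8 bytes, or mixed idents
    complete: bool = False     # final fragment seen and no gaps from offset 0
    data: Optional[bytes] = None   # only filled for a clean, complete datagram


def check_fragments(frags: list) -> Verdict:
    """Inspect the fragments of one datagram; refuse to reassemble anything ambiguous."""
    v = Verdict()
    if not frags or len({f.ident for f in frags}) != 1:
        v.malformed = True
        return v
    ordered = sorted(frags, key=lambda f: (f.start, f.end))
    highest_end = 0
    for f in ordered:
        if f.more and len(f.payload) % 8:
            v.malformed = True
        if f.end > MAX_PAYLOAD:
            v.overrun = True
        if f.start < highest_end:          # starts inside bytes already delivered
            v.overlap = True
        highest_end = max(highest_end, f.end)
    finals = [f for f in ordered if not f.more]
    if len(finals) != 1 or finals[0] is not ordered[-1]:
        return v                           # no (or misplaced) final fragment: incomplete
    cursor = 0
    for f in ordered:
        if f.start > cursor:
            return v                       # hole in coverage: still incomplete
        cursor = max(cursor, f.end)
    v.complete = True
    if not (v.overlap or v.overrun or v.malformed):
        v.data = b"".join(f.payload for f in ordered)
    return v


def fragment_for_mtu(ident: int, payload: bytes, path_mtu: int) -> list:
    """Sender-side pre-fragmentation: each fragment plus a 20-byte header fits path_mtu,
    and every non-final fragment carries a multiple of 8 payload bytes."""
    chunk = (path_mtu - IPV4_HEADER_LEN) // 8 * 8
    if chunk <= 0 or len(payload) > MAX_PAYLOAD:
        raise ValueError("MTU too small or datagram too large")
    frags = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        frags.append(Fragment(ident, start // 8, start + chunk < len(payload), piece))
    return frags


# Constructed sample fragment sets (not captured traffic).
SAMPLES = {
    "clean":   [Fragment(1, 0, True, b"A" * 16), Fragment(1, 2, False, b"B" * 8)],
    "overlap": [Fragment(2, 0, True, b"A" * 16), Fragment(2, 1, False, b"B" * 16)],
    "overrun": [Fragment(3, 8191, False, b"C" * 100)],   # 65528 + 100 bytes > 65515
}

if __name__ == "__main__":
    for name, frags in SAMPLES.items():
        print(name, check_fragments(frags))
    print("pre-fragmented:", check_fragments(fragment_for_mtu(7, b"X" * 1000, 576)).complete)
```

The checker deliberately returns no data when fragments overlap: different operating systems resolve overlaps differently (first-wins versus last-wins), which is exactly the ambiguity attackers exploit to slip past an IDS, so a monitoring device should alert rather than pick a policy. The overrun case mirrors the classic oversized-datagram problem, and the incomplete case (final fragment never arrives) is the shape of a reassembly-buffer DoS.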
