Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Disguising a malicious payload within overlapping IP fragments is less reliable when compared to other firewall-evasion techniques. However, the impact to a business can be significant if the attacker successfully delivers malware or arbitrary code to a target device.
The system might change the risk score for this detection.
Kill Chain
Risk Score
61
Large payloads are often broken into smaller fragments before they traverse a network. Each fragment is assigned a header that contains the destination IP address and the reassembly order for the entire payload. If the reassembly order in the headers overlaps, operating systems overwrite fragments. Attackers can hide malicious payloads within one or more overlapping fragments, which helps attackers evade the firewalls, intrusion detection systems (IDSs), and intrusion prevention systems (IPSs) that only inspect one fragment, while allowing additional fragments to pass uninspected. However, this evasion technique is only effective if the overlapping fragments are reassembled by the target device in a way that the attacker intends. The majority of current firewalls, IDSs, and IPSs prevent this technique by inspecting every fragment.
Make sure firewalls and detection systems are updated to the latest versions, which can prevent overlapping IP fragmentation
