Virtual Fragmentation Reassembly

Hi Team,
Good day to you.
Based on the logs below from the router, I am seeking your guidance.

I am not sure which category this belongs to, and I would appreciate it if you could link it instead.

Thank you team.

Hello Nor,

In order to understand these logs, let’s first talk about fragmentation, as well as fragmentation attacks.

Fragmentation takes place during encapsulation. When an IP packet is too large to fit into a single frame, it is fragmented into two or more frames before it is sent off. This fragmentation means that the IP packet must be reassembled when it reaches its destination. More about this encapsulation process can be found here:

Now some may use fragmentation to deliver a DoS attack. The reassembly of fragmented IP packets can be resource-intensive, for both CPU and memory. Attackers can create excessively fragmented dummy IP packets using various methods, to cause servers to be overwhelmed with the reassembly of these dummy packets, causing service outages. In order to mitigate against such attacks, network devices such as routers are configured to detect these fragments and deny them, in much the way your router has done here.

Now by default, a device will support up to 16 fragments, but any more will cause an overflow. More info about this can be found here:

Now you must assess if this is a problem with downstream routers and devices, or if this is indeed a fragmentation attack. You should attempt to resolve the problem by determining either that it is your network creating these fragments (in which case you should troubleshoot to solve it) or that they are coming from outside your network (i.e. the Internet), in which case it may be a fragmentation attack.

I hope this has been helpful!

Laz

1 Like
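As an added illustration (not part of Laz's reply and not Cisco's VFR code), here is a toy IPv4 reassembler in Python that enforces the 16-fragment per-datagram cap described above and discards the whole datagram on overflow, so you can see why a heavily fragmented stream gets denied rather than buffered indefinitely. All fragments are constructed in-memory tuples, not captured packets.

```python
"""Toy IPv4 fragment reassembler with a per-datagram fragment cap.
Hypothetical defender-side model, not real router code."""
from dataclasses import dataclass, field

MAX_FRAGMENTS = 16  # default per-datagram limit mentioned in the answer


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int      # IP identification field shared by all fragments
    offset: int     # fragment offset in bytes (8-byte units multiplied out)
    more: bool      # "more fragments" (MF) flag
    payload: bytes


@dataclass
class Reassembler:
    pending: dict = field(default_factory=dict)   # key -> list of fragments
    dropped: list = field(default_factory=list)   # keys denied for overflow

    def feed(self, frag):
        """Return the reassembled payload once a datagram completes, else None."""
        key = (frag.src, frag.dst, frag.ident)
        frags = self.pending.setdefault(key, [])
        frags.append(frag)
        if len(frags) > MAX_FRAGMENTS:
            # Overflow: deny the entire datagram instead of holding more state.
            del self.pending[key]
            self.dropped.append(key)
            return None
        frags.sort(key=lambda f: f.offset)
        if frags[-1].more:          # last fragment (MF=0) not seen yet
            return None
        expected = 0                 # require a contiguous run from offset 0
        for f in frags:
            if f.offset != expected:
                return None          # gap or overlap: keep waiting
            expected += len(f.payload)
        del self.pending[key]
        return b"".join(f.payload for f in frags)


def fragment(src, dst, ident, data, chunk):
    """Split data into fragments of `chunk` bytes (a multiple of 8)."""
    return [Fragment(src, dst, ident, off, off + chunk < len(data), data[off:off + chunk])
            for off in range(0, len(data), chunk)]
```

Feeding 64 bytes in 8-byte chunks (8 fragments) reassembles even when delivered out of order, while 200 bytes in 8-byte chunks (25 fragments) trips the cap and the datagram key lands in `dropped`.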

Thank you for this informative feedback, Laz.

1 Like