Security Blockage questions

May 25, 2018

IP fragmentation relies on the reconstruction of the TCP packet to determine if the packet arrived successfully (if you drop a fragmented IP packet, the TCP packet will not reconstruct and so a NAK will be sent for that TCP packet). The reason that the data MAY be split twice is simple. You have no way of knowing a priori what the restrictions are for the network layer beyond your LAN. Therefore, TCP will create packets that meet TCP packet limitations and IP packet limitations on your LAN.

If you pass through a network that has IP limitations that are more stringent than yours, the network equipment will split (fragment) your IP packet into two or more IP packets, each containing a portion of your TCP payload. If, on the other end of your connection, the TCP packet is not completely reconstructed (that is why it has both a length and a CRC) then the receiver will send a NAK (Not Acknowledged) packet back to your system which will reissue the same TCP packet, and follow the same process (probably). It is highly unusual to see a fragmented IP packet on a LAN, since there are not any transmission systems involved that would require differing MTU (Maximum Transmission Unit) sizes.

The three-way handshake of TCP is only to provide a 'connection oriented' protocol, not for reliable (not secure) data transport. It is the sequence numbering and ACK/NAK protocol that provides reliable data transport.

Attackers create artificially fragmented packets in order to circumvent firewalls that do not perform packet reassembly. These only consider the properties of each individual fragment, and let the fragments through to the final destination. One such attack involving fragments is known as the tiny fragment attack.

Two TCP fragments are created. The first fragment is so small that it does not even include the full TCP header, particularly the destination port number. The second fragment contains the remainder of the TCP header, including the port number. Another such type of malicious fragmentation involves fragments that have illegal fragment offsets.

A fragment offset value gives the index position of this fragment's data in a reassembled packet. The second fragment packet contains an offset value which is less than the length of the data in the first packet, e.g.:

If the first fragment was 24 bytes long, the second fragment may claim to have an offset of 20. Upon reassembly, the data in the second fragment overwrites the last four bytes of the data from the first fragment. If the unfragmented packet were TCP, then the first fragment would contain the TCP header overwriting the destination port number.

Some firewalls' configuration can be remotely changed through the Internet, where a malicious user could generate fake control packets to make the firewall perform in the wrong way or get knowledge of our firewall rules.
Today, to provide better security, two popular block cryptographic algorithms (3DES and AES) are implemented to decrypt control packets.

For protection from the UDP flood attack, the source IP address of all the UDP packets sent to the firewall's IP address will be changed. C.O.M.O.D.O Personal Firewall will detect when a UDP packet reaches the destination and cannot be delivered to any application by listening for ICMP port unreachable packets. Once detected, C.O.M.O.D.O Personal Firewall will be updated to block additional packets. Additional UDP packets going to the same destination/port pair will then be dropped.

There are several common attack methods known by the Internet community. They are divided into two main categories: flood attacks and malformed packet attacks.
But, since your question is regarding 'malformed packet attacks', then I will skip the 'flood attacks' part for now.

The malformed packet attack is another widespread type of DoS attack. The purpose of this attack is to send ill-formed packets to hosts and take advantage of the bad design of the code that processes the packets. Effects range from unacceptable degradation of performance to system crashes.

There are several malformed packet attacks:

Ping of Death Attack consists of sending an ICMP echo packet that is much larger than the maximum IP packet size (64 Kbytes). At destination, some TCP/IP implementations fail to reconstruct the packet, crashing or rebooting the system.

Chargen Attack This is a variant of the UDP Flood Attack and uses the port 19 (chargen) of an intermediary system used as an amplifier. The attacker sends a forged UDP packet on port 19 of the intermediary system which in turn replies with a string of characters back to the victim, on its echo service port. The victim then sends back an echo of the string and the loop created rapidly exhausts the bandwidth between the victim and the intermediary system.

Teardrop Attack Due to poor implementation, some systems fail to correctly cope with packet fragments that have incorrect offsets, making proper reassembly impossible. Instead of gracefully discarding the packets, the implementations in question simply reboot or halt the system.

Land Attack Astoundingly, some systems crash or reboot when they encounter a forged packet which contains the same address as both the origin and the destination.

Win Nuke Attack This type of attack is specifically targeted against Windows machines to which attackers send out-of-band data to a specific port, causing the system to crash or reboot.