Security Considerations for IP Fragment Filtering
RFC 1858 Security Considerations - IP Fragment Filtering October 1995
3. Tiny Fragment Attack
With many IP implementations it is possible to impose an unusually
small fragment size on outgoing packets. If the fragment size is
made small enough to force some of a TCP packet's TCP header fields
into the second fragment, filter rules that specify patterns for
those fields will not match. If the filtering implementation does
not enforce a minimum fragment size, a disallowed packet might be
passed because it didn't hit a match in the filter.
STD 5, RFC 791 states:
Every internet module must be able to forward a datagram of 68
octets without further fragmentation. This is because an internet
header may be up to 60 octets, and the minimum fragment is 8
octets.
Note that, for the purpose of security, it is not sufficient to
merely guarantee that a fragment contains at least 8 octets of data
beyond the IP header because important transport header information
(e.g., the CODE field of the TCP header) might be beyond the 8th data
octet.
3.1 Example of the Tiny Fragment Attack
In this example, the first fragment contains only eight octets of
data (the minimum fragment size). In the case of TCP, this is
sufficient to contain the source and destination port numbers, but
it will force the TCP flags field into the second fragment.
Filters that attempt to drop connection requests (TCP datagrams
having SYN=1 and ACK=0) will be unable to test these flags in the
first octet, and will typically ignore them in subsequent
fragments.
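The scenario above, worked through in code as an added illustration (this is not part of RFC 1858 and not an implementation from any real filter): a constructed TCP SYN is split so that only the ports and sequence number land in the first fragment, and two filters are run against it. The naive filter treats "flags field not present" as "no match" and passes the fragment, exactly the failure the text describes. The hardened filter drops any first fragment (offset 0) of a TCP datagram whose transport payload is too short to reach the end of the flags field; the 14-octet threshold, the packet builder, the addresses and the port numbers are all assumptions of this example.

```python
import struct

IPPROTO_TCP = 6
# Octets of TCP header needed to include the whole flags field (octet 13,
# zero-indexed; 8 octets only reach the end of the sequence number).
# Threshold chosen for this example.
TCP_MIN_FIRST_FRAGMENT = 14


def build_ipv4(payload: bytes, *, more_fragments: bool, frag_offset: int,
               proto: int = IPPROTO_TCP) -> bytes:
    """Constructed IPv4 header (no options, checksum left 0) + payload."""
    ver_ihl = (4 << 4) | 5                      # IPv4, 20-octet header
    total_len = 20 + len(payload)
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234,
                      flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # doc addrs
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (protocol, fragment offset in 8-octet units, MF bit, payload)."""
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = flags_frag & 0x1FFF
    more_fragments = bool(flags_frag & 0x2000)
    return proto, frag_offset, more_fragments, pkt[ihl:total_len]


def is_connection_request(tcp: bytes) -> bool:
    """SYN=1 and ACK=0 in the TCP flags octet (index 13 of the TCP header)."""
    flags = tcp[13]
    return bool(flags & 0x02) and not (flags & 0x10)


def naive_decision(pkt: bytes) -> str:
    """Pattern filter with no minimum fragment size: absent field = no match."""
    proto, fo, _mf, payload = parse_ipv4(pkt)
    if proto != IPPROTO_TCP or fo != 0:
        return "PASS"
    if len(payload) >= TCP_MIN_FIRST_FRAGMENT and is_connection_request(payload):
        return "DROP"
    return "PASS"                               # flags not present: falls through


def hardened_decision(pkt: bytes) -> str:
    """Same rule, plus a minimum size for the first fragment of a TCP datagram."""
    proto, fo, _mf, payload = parse_ipv4(pkt)
    if proto != IPPROTO_TCP or fo != 0:
        return "PASS"                           # later fragments carry no flags
    if len(payload) < TCP_MIN_FIRST_FRAGMENT:
        return "DROP"                           # tiny first fragment: flags hidden
    if is_connection_request(payload):
        return "DROP"
    return "PASS"


# Constructed 20-octet TCP SYN: src port 40000, dst port 23, data offset 5.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 23, 0x11111111, 0, 0x50, 0x02,
                      8192, 0, 0)
TCP_SYNACK = struct.pack("!HHIIBBHHH", 23, 40000, 0x22222222, 0x11111112,
                         0x50, 0x12, 8192, 0, 0)

WHOLE_SYN = build_ipv4(TCP_SYN, more_fragments=False, frag_offset=0)
WHOLE_SYNACK = build_ipv4(TCP_SYNACK, more_fragments=False, frag_offset=0)
# Tiny-fragment split: first fragment carries only ports + sequence number.
TINY_FRAG1 = build_ipv4(TCP_SYN[:8], more_fragments=True, frag_offset=0)
TINY_FRAG2 = build_ipv4(TCP_SYN[8:], more_fragments=False, frag_offset=1)

if __name__ == "__main__":
    for name, pkt in [("whole SYN", WHOLE_SYN), ("tiny frag 1", TINY_FRAG1),
                      ("tiny frag 2", TINY_FRAG2), ("SYN/ACK", WHOLE_SYNACK)]:
        print(f"{name:12s} naive={naive_decision(pkt):4s} "
              f"hardened={hardened_decision(pkt)}")
```

Running the block shows the whole SYN dropped by both filters, the 8-octet first fragment passed by the naive filter but dropped by the hardened one, and the SYN/ACK passed by both. Dropping only the first fragment is enough: the second fragment is passed, but without the first it can never be reassembled into a complete segment at the destination.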
FRAGMENT 1
IP HEADER
+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+
| | ... | Fragment Offset = 0 | ... | |
+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+
TCP HEADER
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port | Destination Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Ziemba, Reed & Traina Informational