RFC 1858 (rfc1858) - Page 3 of 10


Security Considerations for IP Fragment Filtering






RFC 1858    Security Considerations - IP Fragment Filtering October 1995


3. Tiny Fragment Attack

   With many IP implementations it is possible to impose an unusually
   small fragment size on outgoing packets.  If the fragment size is
   made small enough to force some of a TCP packet's TCP header fields
   into the second fragment, filter rules that specify patterns for
   those fields will not match.  If the filtering implementation does
   not enforce a minimum fragment size, a disallowed packet might be
   passed because it didn't hit a match in the filter.

   STD 5, RFC 791 states:

      Every internet module must be able to forward a datagram of 68
      octets without further fragmentation.  This is because an internet
      header may be up to 60 octets, and the minimum fragment is 8
      octets.

   Note that, for the purpose of security, it is not sufficient to
   merely guarantee that a fragment contains at least 8 octets of data
   beyond the IP header because important transport header information
   (e.g., the CODE field of the TCP header) might be beyond the 8th data
   octet.

   3.1 Example of the Tiny Fragment Attack

      In this example, the first fragment contains only eight octets of
      data (the minimum fragment size).  In the case of TCP, this is
      sufficient to contain the source and destination port numbers, but
      it will force the TCP flags field into the second fragment.

      Filters that attempt to drop connection requests (TCP datagrams
      having SYN=1 and ACK=0) will be unable to test these flags in the
      first octet, and will typically ignore them in subsequent
      fragments.
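      The filter behaviour this section describes, as an added example that is
      not part of RFC 1858: a naive SYN-blocking filter is run beside one that
      enforces a minimum first-fragment size, on a constructed TCP SYN sent
      whole and then split so that only the port numbers reach fragment 1.
      The addresses, ports and the 14-octet minimum are assumptions chosen so
      the CODE field (TCP header octet 13) is always present in the first fragment.

```python
import struct

TCP = 6
SYN, ACK = 0x02, 0x10
# The TCP CODE (flags) octet sits at offset 13 of the TCP header, so a first
# fragment must carry at least 14 transport octets for a filter to see it.
MIN_FIRST_FRAG = 14

def parse_ipv4(pkt):
    """Return (protocol, fragment offset in octets, transport payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    flags_off = struct.unpack("!H", pkt[6:8])[0]
    return pkt[9], (flags_off & 0x1FFF) * 8, pkt[ihl:total_len]

def is_connection_request(tcp):
    """SYN=1 and ACK=0, the pattern the filter is meant to block."""
    return bool(tcp[13] & SYN) and not (tcp[13] & ACK)

def naive_filter(pkt):
    """Blocks connection requests only when the flags happen to be in the fragment."""
    proto, off, tcp = parse_ipv4(pkt)
    if proto == TCP and off == 0 and len(tcp) >= MIN_FIRST_FRAG and is_connection_request(tcp):
        return "DROP"
    return "ACCEPT"

def hardened_filter(pkt):
    """Same policy, plus a minimum first-fragment size so the flags are always visible."""
    proto, off, tcp = parse_ipv4(pkt)
    if proto != TCP or off != 0:
        return "ACCEPT"          # non-TCP, or a non-first fragment
    if len(tcp) < MIN_FIRST_FRAG:
        return "DROP"            # tiny first fragment: CODE field not present
    return "DROP" if is_connection_request(tcp) else "ACCEPT"

def ipv4_fragment(tcp, offset, more):
    """Constructed IPv4 header (no options, zero checksum) around a slice of the TCP header."""
    flags_off = (0x2000 if more else 0) | (offset // 8)   # MF bit, offset in 8-octet units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, flags_off, 64, TCP, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + tcp

# Constructed 20-octet TCP SYN header: ports 40000 -> 80, data offset 5, flags = SYN.
SYN_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, SYN, 8192, 0, 0)
WHOLE = ipv4_fragment(SYN_HDR, 0, False)            # unfragmented: both filters drop it
TINY_FIRST = ipv4_fragment(SYN_HDR[:8], 0, True)    # only the ports in fragment 1
SECOND = ipv4_fragment(SYN_HDR[8:], 8, False)       # the flags travel here
```

      The naive filter accepts TINY_FIRST because the CODE field is absent; the
      hardened filter drops it, so the datagram can never be reassembled at the
      destination.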

      FRAGMENT 1

      IP HEADER
      +-+-+-+     +-+-+-+-+-+-+-+-+-+-+-+     +-+-+-+
      |     | ... | Fragment Offset = 0 | ... |     |
      +-+-+-+     +-+-+-+-+-+-+-+-+-+-+-+     +-+-+-+

      TCP HEADER
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |        Source Port            |       Destination Port        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Sequence Number                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+



Ziemba, Reed & Traina        Informational