Protection Against a Variant of the Tiny Fragment Attack (RFC 1858)

RFC 3128       Protection Against a Tiny Fragment Attack       June 2001


2. The Tiny Overlapping Fragment Attack

   The attack typically consists of sending three fragments.

   Fragment 1: (Fragment offset = 0; length >= 16)
      Includes whole header and is entirely legal.  Typically it
      describes a SYN packet initiating a new TCP connection to a port
      on the target host that is allowed to receive incoming
      connections.
      e.g., Incoming connection to port 25 SMTP.

   Fragment 2: (Fragment offset = 0; length = 8)
      Is only the first 8 bytes and could be legal depending on the
      other 8 bytes of the header, but is NOT legal combined with the
      corresponding bytes from Fragment 1.  Such a fragment includes
      only the port numbers and sequence number from the TCP header.
      Typically this packet replaces the destination port number with a
      port number on which the destination host is not allowed to
      receive incoming connections.

   Fragment 3:  (Fragment offset >= 2; length = rest of message)
      Contains no header and completes the message.  (This third
      fragment is not part of the attack.  However Fragment 1 cannot be
      the complete message or it would be passed up to the application
      before Fragment 2 arrived so a third fragment is necessary.)

2.1 Example of the attack

   Consider the following trivial set of rules for incoming packets:

   +---+-------+-------+-------+-------+-----------------------+
   | No|Action | Source| Dest. | Flags | Purpose               |
   |   |       | Port  | Port  |       |                       |
   +===+=======+=======+=======+=======+=======================+
   | 1 |Permit | >1023 | SMTP  |  ANY  | Incoming E-mail       |
   +---+-------+-------+-------+-------+-----------------------+
   | 2 |Permit | >1023 |  ANY  |  Ack=1| Existing FTP data     |
   |   |       |       |       |       | channel connections.  |
   +---+-------+-------+-------+-------+-----------------------+
   | 3 |Deny   | ANY   |  ANY  |  ANY  | Default deny          |
   +---+-------+-------+-------+-------+-----------------------+

   Fragment 1: attacker(1234) -> target(SMTP) Ack=0
      This is a new SMTP connection and is permitted by rule 1.

   Fragment 2: attacker(1234) -> target(Telnet=23) Ack=absent
      All fields present conform to rule 2, as it could be the start of
      an FTP packet.
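   The following Python model is an added example, not part of RFC 3128.
   It builds the three fragments described in section 2 from the values
   on this page (source port 1234, SMTP, Telnet=23, the rule table of
   2.1), evaluates each fragment on its own the way the stateless filter
   in 2.1 does, and then applies two checks a reassembling filter can
   make: flagging a later fragment whose bytes disagree with bytes
   already seen at the same position, and flagging an initial fragment
   too short to carry the TCP flags.  The TCP byte layout, the treatment
   of a field the fragment does not carry as conforming, the pass-through
   of non-initial fragments, and the 16-byte minimum (taken from the
   length given for Fragment 1) are assumptions of this example.

```python
# Added example (not from RFC 3128): models the three-fragment scenario of
# section 2 and the per-fragment rule evaluation of section 2.1.
import struct
from dataclasses import dataclass

SMTP, TELNET = 25, 23          # port numbers named on the page
SYN, ACK = 0x02, 0x10          # TCP flag bits


@dataclass
class Fragment:
    offset: int   # IP fragment offset, in 8-byte units (as in the IP header)
    data: bytes   # transport-layer bytes carried by this fragment


def tcp_header(sport, dport, flags, seq=1000):
    """Minimal 20-byte TCP header: data offset 5, no options (assumed layout)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0)


def attack_fragments():
    """Constructed fragments matching the description in sections 2 and 2.1."""
    first = tcp_header(1234, SMTP, SYN) + b"EHLO"   # offset 0, 24 bytes (multiple of 8)
    second = tcp_header(1234, TELNET, 0)[:8]        # offset 0, 8 bytes: ports + seq only
    third = b" victim\r\n"                          # offset 3 (= byte 24), rest of message
    return [Fragment(0, first), Fragment(0, second), Fragment(3, third)]


def visible_fields(frag):
    """Fields a stateless filter can read from one fragment on its own."""
    if frag.offset != 0:
        return None                                 # no transport header in this fragment
    fields = {}
    if len(frag.data) >= 4:
        fields["sport"], fields["dport"] = struct.unpack("!HH", frag.data[:4])
    if len(frag.data) >= 14:                        # flags live in bytes 12-13
        fields["ack"] = bool(struct.unpack("!H", frag.data[12:14])[0] & ACK)
    return fields


# Rule table of section 2.1: (number, action, constraints on visible fields)
RULES = [
    (1, "permit", {"sport": lambda v: v > 1023, "dport": lambda v: v == SMTP}),
    (2, "permit", {"sport": lambda v: v > 1023, "ack": lambda v: v is True}),
    (3, "deny", {}),
]


def stateless_verdict(frag):
    """First matching rule; a field the fragment does not carry is treated as conforming (assumption)."""
    fields = visible_fields(frag)
    if fields is None:
        return (None, "permit")                     # assumption: header-less fragments pass
    for number, action, constraints in RULES:
        if all(name not in fields or ok(fields[name]) for name, ok in constraints.items()):
            return (number, action)


def reassemble(fragments, later_overwrites=True):
    """Glue fragments into one segment; hosts differ on which overlapping copy wins."""
    order = fragments if later_overwrites else list(reversed(fragments))
    buf = bytearray()
    for frag in order:
        start, end = frag.offset * 8, frag.offset * 8 + len(frag.data)
        if len(buf) < end:
            buf.extend(b"\x00" * (end - len(buf)))
        buf[start:end] = frag.data
    return bytes(buf)


def dest_port(segment):
    return struct.unpack("!H", segment[2:4])[0]


def conflicting_overlaps(fragments):
    """Indices of fragments whose bytes disagree with bytes already seen at the same offset."""
    seen, flagged = {}, []
    for i, frag in enumerate(fragments):
        start = frag.offset * 8
        if any(seen.get(start + k, b) != b for k, b in enumerate(frag.data)):
            flagged.append(i)
        for k, b in enumerate(frag.data):
            seen.setdefault(start + k, b)
    return flagged


def tiny_initial_fragment(frag, minimum=16):
    """Offset-0 fragment too short to expose the TCP flags (16 bytes per the page's Fragment 1)."""
    return frag.offset == 0 and len(frag.data) < minimum


if __name__ == "__main__":
    frags = attack_fragments()
    for i, f in enumerate(frags, 1):
        print(f"fragment {i}: rule/verdict={stateless_verdict(f)} tiny={tiny_initial_fragment(f)}")
    print("reassembled destination port:", dest_port(reassemble(frags)))
    print("fragments overlapping with different content:", conflicting_overlaps(frags))
```

   Evaluated one fragment at a time, the filter permits all three (rule 1,
   rule 2, and the header-less tail), yet a host that lets a later
   fragment overwrite an earlier one reassembles a segment addressed to
   port 23.  The two checks at the end give a filter two independent
   reasons to drop Fragment 2: it is an offset-0 fragment shorter than
   the flags it would need to be judged, and it disagrees with bytes the
   filter has already accepted.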



Miller                       Informational