Network Working Group I. Miller
Request for Comments: 3128 Singularis Ltd
Updates: 1858 June 2001
Category: Informational
Protection Against a Variant of the Tiny Fragment Attack
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
This document discusses how RFC 1858 compliant filters can be
vulnerable to a variant of the "Tiny Fragment Attack" described in
section 3.1 of the RFC. This document describes the attack and
recommends corrective action.
1. Introduction
RFC 1858 provides an excellent description of a class of attack on
Internet firewalls and proposes countermeasures. However one of
these countmeasures, the "Indirect Method" (section 3.2.2) is
vulnerable to a combination of two of the attacks described.
The attack combines the features of the "Tiny Fragment Attack"
(section 3) and the "Overlapping Fragment Attack" (section 4).
1.1 The scope of the attack
Where the filtering rules allow incoming connections to a machine AND
there other ports which allow only outgoing connections on the same
host, the attack allows incoming connections to the supposedly
outgoing-only ports.
Note that only the initial connection message need be fragmented.
Once the connection is established further traffic on it is legal.
The significance of this weakness will depend on the security policy
in force.
Miller Informational