RFC 3128 (rfc3128) - Page 2 of 5
Protection Against a Variant of the Tiny Fragment Attack (RFC 1858)
RFC 3128 Protection Against a Tiny Fragment Attack June 2001
2. The Tiny Overlapping Fragment Attack
The attack typically consists of sending three fragments.
Fragment 1: (Fragment offset = 0; length >= 16)
Includes whole header and is entirely legal. Typically it
describes a SYN packet initiating a new TCP connection to a port
on the target host that is allowed to receive incoming
connections.
e.g., Incoming connection to port 25 SMTP.
Fragment 2: (Fragment offset = 0; length = 8)
Is only the first 8 bytes and could be legal depending on the
other 8 bytes of the header, but is NOT legal combined with the
corresponding bytes from Fragment 1. Such a fragment includes
only the port numbers and sequence number from the TCP header.
Typically this packet replaces the destination port number with a
port number on which the destination host is not allowed to
receive incoming connections.
Fragment 3: (Fragment offset >= 2; length = rest of message)
Contains no header and completes the message. (This third
fragment is not part of the attack. However, Fragment 1 cannot be
the complete message, or it would be passed up to the application
before Fragment 2 arrived, so a third fragment is necessary.)
2.1 Example of the attack
Consider the following trivial set of rules for incoming packets:
+---+-------+-------+-------+-------+-----------------------+
| No|Action | Source| Dest. | Flags |       Purpose         |
|   |       |  Port |  Port |       |                       |
+===+=======+=======+=======+=======+=======================+
| 1 |Permit | >1023 |  SMTP |  ANY  | Incoming E-mail       |
+---+-------+-------+-------+-------+-----------------------+
| 2 |Permit | >1023 |  ANY  | Ack=1 | Existing FTP data     |
|   |       |       |       |       | channel connections.  |
+---+-------+-------+-------+-------+-----------------------+
| 3 |Deny   |  ANY  |  ANY  |  ANY  | Default deny          |
+---+-------+-------+-------+-------+-----------------------+
Fragment 1: attacker(1234) -> target(SMTP) Ack=0
This is a new SMTP connection and is permitted by rule 1.
Fragment 2: attacker(1234) -> target(Telnet=23) Ack=absent
All fields present conform to rule 2, as it could be the start of
an FTP packet.
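The walk-through above, modelled as an added example (not part of RFC 3128): the three-rule table is applied to each fragment in isolation, so Fragment 1 passes by rule 1 and Fragment 2 passes by rule 2 because the Ack flag it cannot carry is never checked, and a target that lets the later fragment overwrite the earlier one ends up with a Telnet destination port. The hardened filter adds a minimum length for offset-0 TCP fragments (RFC 1858's tiny-fragment check, an assumption here); the fragment values, the 16-byte minimum and the "non-first fragments pass uninspected" behaviour are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

SMTP = 25
MIN_FIRST_FRAGMENT = 16  # bytes an offset-0 fragment needs to carry the TCP flags (assumption)

@dataclass
class Fragment:
    offset: int              # IP fragment offset, in 8-byte units
    length: int              # bytes of transport data carried by this fragment
    src_port: Optional[int]  # None when the fragment carries no TCP header
    dst_port: Optional[int]
    ack: Optional[bool]      # None when the fragment is too short to include the flags

def stateless_filter(f):
    """The three-rule table above, applied per fragment; a field the fragment lacks cannot fail a rule."""
    if f.offset != 0:
        return ("permit", "no-header")  # assumption: non-first fragments are not inspected
    if f.src_port > 1023 and f.dst_port == SMTP:
        return ("permit", 1)            # rule 1: incoming e-mail
    if f.src_port > 1023 and f.ack in (True, None):
        return ("permit", 2)            # rule 2: Ack=1, satisfied when Ack is absent
    return ("deny", 3)                  # rule 3: default deny

def hardened_filter(f):
    """Same table plus a minimum length for offset-0 TCP fragments (RFC 1858 tiny-fragment check; assumption)."""
    if f.offset == 0 and f.length < MIN_FIRST_FRAGMENT:
        return ("deny", "tiny-first-fragment")
    return stateless_filter(f)

def reassemble(frags):
    """Model a target whose reassembly lets a later fragment overwrite earlier bytes; header fields only."""
    header = {}
    for f in frags:
        if f.offset == 0:
            header["src_port"], header["dst_port"] = f.src_port, f.dst_port
            if f.ack is not None:
                header["ack"] = f.ack
    return header

def run(filter_fn, frags):
    """Return the header the target sees once the filter has passed fragments through."""
    return reassemble([f for f in frags if filter_fn(f)[0] == "permit"])

# Constructed fragments mirroring the three described above.
ATTACK = [
    Fragment(offset=0, length=24, src_port=1234, dst_port=SMTP, ack=False),  # Fragment 1: SYN to SMTP
    Fragment(offset=0, length=8,  src_port=1234, dst_port=23,   ack=None),   # Fragment 2: ports only, Telnet
    Fragment(offset=3, length=40, src_port=None, dst_port=None, ack=None),   # Fragment 3: rest of the segment
]
```

`run(stateless_filter, ATTACK)` yields destination port 23, while `run(hardened_filter, ATTACK)` drops Fragment 2 and leaves port 25.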
Miller Informational