Network Working Group I. Miller Request for Comments: 3128 Singularis Ltd Updates: 1858 June 2001 Category: Informational Protection Against a Variant of the Tiny Fragment Attack Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2001). All Rights Reserved. Abstract This document discusses how RFC 1858 compliant filters can be vulnerable to a variant of the "Tiny Fragment Attack" described in section 3.1 of the RFC. This document describes the attack and recommends corrective action. 1. Introduction RFC 1858 provides an excellent description of a class of attack on Internet firewalls and proposes countermeasures. However one of these countmeasures, the "Indirect Method" (section 3.2.2) is vulnerable to a combination of two of the attacks described. The attack combines the features of the "Tiny Fragment Attack" (section 3) and the "Overlapping Fragment Attack" (section 4). 1.1 The scope of the attack Where the filtering rules allow incoming connections to a machine AND there other ports which allow only outgoing connections on the same host, the attack allows incoming connections to the supposedly outgoing-only ports. Note that only the initial connection message need be fragmented. Once the connection is established further traffic on it is legal. The significance of this weakness will depend on the security policy in force. Miller Informational