This post appeared on firewalls a couple days ago, and CIAC just issued advisory F-25 for the same problem. The "discussion" Paul refers to didn't happen on Firewalls. Does anyone have any more information on this? -Mike mcn@EnGarde.com ---- Begin included message ---- From: Paul Traina <pst@Shockwave.COM> Date: Fri, 02 Jun 1995 15:21:49 -0700 Subject: IP packet filtering...the non-obvious fix Since enough discussion has occured on this list to reproduce the design flaw, it shouldn't hurt for me to propose an alternate fix, as the ones I've seen proposed don't cover every possibility. There is really only one way you can be sure of fixing this, since you can't control what algorithm the remote host uses for fragmentation reassembly. It *doesn't* involve checking the length of packets before examining the flags, hence the comment in the cisco advisory stating that we think others have a problem too. If you are doing something that needs to examine tcp flag bits and the packet is a tcp packet and the fragment offset in the IP header is 1 then consider the packet suspect (do whatever you do with evil stuff) Obviously, you'd want to code this in the most efficient manner for your particular implementation, but those are the checks that could be performed to detect this problem (you could just consider suspect all packets with FO=1 if you want to use a hammer on the problem). RFC791 demands that an IP stack must be capable of passing an 8 byte IP data payload without further fragmentation (fragments sit on 8 byte boundaries). Since an IP header can be up to 60 bytes long (including options), this means that the minimum MTU on a link should be 68 bytes. A typical IP header is only 20 bytes long and can therefore carry 48 bytes of data. No one in the real world should EVER be generating a TCP packet with FO=1, as it would require both that a previous system fragmenting IP data down to the 8 byte minimum and a 60 byte IP header. The only time you're ever likely to see a packet with FO=1 is if a bad guy is knocking at your door. Yours for a safer Internet, Paul p.s. I am not speaking in any capacity for a company whose name begins with 'c'. --- End included message ---