> Seems to me that there's no reason to use the "new" data rather than
> the "old" data when a new fragment arrives that overlaps
> already-collected data. They're supposed to be the same; any
> difference indicates that at least one of them is definitely corrupted
> in a way that beat the checksum, or else you're under attack. In
> either case, dropping both the incoming packet and the collected
> fragments is probably the best response, seems to me.

Granted....

> If you don't want to compare the bytes, then just make sure old data
> takes precedence over new.

No, this fails if the attacker sends the offset=1 frag first (bypassing
the filter) and the offset=0 frag second (which the filter accepts, and
the defragmenter throws away). The only safe scheme is always to use
the data in the fragment that has the smaller fragment-offset,
regardless of the order of arrival.

Throwing away fragments with offset=1 is also a real good idea.

--
Tom Fitzgerald   1-508-967-5278   Wang Labs, Billerica MA, USA   fitz@wang.com
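The three overlap policies argued over in this exchange ("new" data wins, "old" data wins, smallest fragment offset wins), run through a small simulation. This is an added example, not code from the thread or from any of its participants. It assumes a stateless packet filter that blocks TCP SYNs and can only inspect fragments with offset 0 (later fragments carry no transport header and pass unseen); the TCP headers and fragments are constructed here for the demonstration. Fragment offsets are in 8-octet units, as in IP, so offset=1 covers bytes 8..15 of the TCP header, which is where the flags byte lives.

```python
import struct

FRAG_UNIT = 8          # IP fragment offsets are in units of 8 octets
TCP_FLAGS_OFFSET = 13  # index of the flags byte within a 20-byte TCP header
SYN = 0x02
ACK = 0x10


def tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header with no options; checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def filter_accepts(offset, data, drop_offset_one=False):
    """Hypothetical stateless filter: drop any segment whose SYN flag is set.

    Only a first fragment (offset 0) carries the TCP header, so only that
    fragment is inspected; every non-first fragment passes unexamined.
    drop_offset_one adds the extra rule from the post: refuse offset=1 outright.
    """
    if drop_offset_one and offset == 1:
        return False
    if offset == 0:
        if len(data) <= TCP_FLAGS_OFFSET:   # tiny first fragment, flags absent
            return False
        return not (data[TCP_FLAGS_OFFSET] & SYN)
    return True


def reassemble(fragments, policy):
    """Reassemble (offset, bytes) fragments given in arrival order.

    policy: 'new'    - the most recently arrived fragment overwrites
            'old'    - the first fragment to arrive is kept
            'lowest' - the fragment with the smallest offset supplies the
                       byte, regardless of arrival order
    """
    total = max(off * FRAG_UNIT + len(d) for off, d in fragments)
    buf = bytearray(total)
    owner = [None] * total   # fragment offset that supplied each byte
    for off, data in fragments:
        for i, b in enumerate(data):
            pos = off * FRAG_UNIT + i
            if owner[pos] is None or policy == "new" or (
                policy == "lowest" and off < owner[pos]
            ):
                buf[pos] = b
                owner[pos] = off
            # 'old': existing byte is kept
    return bytes(buf)


def deliver(fragments, policy, drop_offset_one=False):
    """Run each fragment through the filter, reassemble the survivors and
    return the flags byte the host would finally see (None if nothing
    reassembles because no first fragment got through)."""
    passed = [(o, d) for o, d in fragments
              if filter_accepts(o, d, drop_offset_one)]
    if not any(o == 0 for o, _ in passed):
        return None
    return reassemble(passed, policy)[TCP_FLAGS_OFFSET]


# Constructed attack: an innocent-looking first fragment (ACK, so the filter
# passes it) and an 8-byte offset=1 fragment holding bytes 8..15 of a SYN
# header, which overlaps the flags byte of the first fragment.
frag0 = (0, tcp_header(40000, 23, ACK))
frag1 = (1, tcp_header(40000, 23, SYN)[8:16])


def run_matrix(drop_offset_one=False):
    """Flags byte seen after reassembly for every policy and arrival order."""
    orders = {"0-then-1": [frag0, frag1], "1-then-0": [frag1, frag0]}
    return {(policy, name): deliver(frags, policy, drop_offset_one)
            for policy in ("new", "old", "lowest")
            for name, frags in orders.items()}


if __name__ == "__main__":
    for drop in (False, True):
        print(f"drop offset=1 fragments: {drop}")
        for (policy, order), flags in run_matrix(drop).items():
            verdict = "SYN got through" if flags == SYN else "blocked/ACK"
            print(f"  {policy:7} {order}: flags=0x{flags:02x}  {verdict}")
```

The matrix shows the point of the reply: "new" wins is beaten when the offset=1 fragment arrives second, "old" wins is beaten when it arrives first, and only "smallest offset wins" yields the inspected first fragment's flags in both orders. With offset=1 fragments dropped at the filter, the overlap never reaches the reassembler at all.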