An attack that fragments TCP packets into IP fragments small enough to split the TCP header, deceiving filters that inspect header information to make decisions about TCP packets.
With many IP implementations it is possible to impose an unusually small fragment size on outgoing packets. If the fragment size is made small enough to force some of a TCP packet's TCP header fields into the second fragment, filter rules that specify patterns for those fields will not match. If the filtering implementation does not enforce a minimum fragment size, a disallowed packet might be passed because it didn't hit a match in the filter.

STD 5, RFC 791 states: "Every Internet module must be able to forward a datagram of 68 octets without further fragmentation. This is because an Internet header may be up to 60 octets, and the minimum fragment is 8 octets."
http://www.sans.org/security-resources/glossary-of-terms/
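A minimum-fragment-size check of the kind the definition says a filter must enforce, as an added example (not taken from the glossary or from any particular firewall). The 16-octet minimum, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

TCP = 6
# Assumption for this example: the first fragment must carry TCP octets 0-15
# (ports, sequence, ack, data offset, flags, window) so filter rules can match.
MIN_TCP_FIRST_FRAGMENT = 16


def check_fragment(packet: bytes) -> str:
    """Return 'pass' or 'drop:<reason>' for one raw IPv4 packet."""
    if len(packet) < 20:
        return "drop:malformed"
    ihl = (packet[0] & 0x0F) * 4                  # IP header length in octets
    total_len, = struct.unpack("!H", packet[2:4])
    frag_field, = struct.unpack("!H", packet[6:8])
    proto = packet[9]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return "drop:malformed"
    if proto != TCP:
        return "pass"
    offset = frag_field & 0x1FFF                  # fragment offset, 8-octet units
    payload_len = total_len - ihl
    # First fragment too short to hold the fields the filter rules inspect.
    if offset == 0 and payload_len < MIN_TCP_FIRST_FRAGMENT:
        return "drop:tiny-first-fragment"
    # A fragment starting at octet 8 would supply TCP octets 8-15 (incl. flags).
    if offset == 1:
        return "drop:fragment-starts-inside-tcp-header"
    return "pass"


def build_ipv4(frag_field: int, payload: bytes, proto: int = TCP) -> bytes:
    """Constructed sample packet: 20-octet header, checksum left at 0."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         frag_field, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + payload


if __name__ == "__main__":
    # 0x2000 = More Fragments flag set, offset 0; 0x2001 = MF set, offset 1.
    for name, pkt in {"8-octet first fragment": build_ipv4(0x2000, bytes(8)),
                      "fragment at offset 1": build_ipv4(0x2001, bytes(12)),
                      "unfragmented segment": build_ipv4(0x0000, bytes(20))}.items():
        print(name, "->", check_fragment(pkt))
```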