GEN:SID 1:522
Message MISC Tiny Fragments
Summary This event is generated when a suspiciously small IPv4 fragment
is detected.
Impact Many IDSes are known to have issues regarding the reassembly of IP
fragments, and could miss an attack carried over such means.  Firewalls
suffer from the same issues, and can be tricked into allowing packets
through that should normally be rejected.  Furthermore, there is a small
history of OS issues related to unorthodox fragmentation.
Detailed Information IPv4 adapts to the various link layer protocols along a route via the
fragmentation mechanism outlined in its RFC.  A router connecting two
media with different MTUs (Maximum Transmission Unit) can fragment
packets that are too large to transmit on the next link before dispatch.
When datagrams stay within one MTU, the maximum packet size possible can
be used without fragmentation, thus pairing flexibility with efficiency.

Historically, handling of fragmentation has been less than stellar in
both IP stacks and the IDSes designed to protect them.  While the
limited number of attacks based on fragmentation are easily picked up by
anomaly- or signature-based systems, IDSes which fail to properly
reassemble fragments can miss any attack which is so fragmented.
Firewalls have often proved susceptible to fragmented TCP or UDP
headers, allowing traffic which should have been filtered to pass
through.
Affected Systems Any IDS/firewall lacking proper IPv4 fragment reassembly.
Attack Scenarios An attacker may pass a fragment containing a TCP/UDP header which is
allowed to pass through a firewall, then follow this up with a fragment
which overwrites the previous headers, but is allowed due to poor
connection tracking.

An attacker may fragment an exploit, so that it is neither detected nor
filtered by IPS products.
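
A detection-side check for the two scenarios above, as an added example that is not part of the original rule documentation or of Snort's own code: it parses an IPv4 header and flags non-final fragments below a size threshold, first fragments too short to carry a full TCP header, and fragments that land inside that header. The 25-byte threshold, the function names and the sample addresses are assumptions.

```python
import struct

MIN_FRAG_PAYLOAD = 25   # assumed threshold in bytes; tune for your network
TCP_MIN_HEADER = 20     # a TCP header without options

def build_ipv4(payload_len, mf, frag_offset, proto=6):
    """Constructed sample: IPv4 header (no options, checksum left at 0)."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + bytes(payload_len)

def classify_fragment(packet):
    """Return the reasons a fragment looks suspicious (empty list if none)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return ["malformed-header"]
    more_fragments = bool(flags_frag & 0x2000)
    offset = flags_frag & 0x1FFF          # in units of 8 bytes
    payload = total_len - ihl
    proto = packet[9]
    if not more_fragments and offset == 0:
        return []                         # not a fragment at all
    reasons = []
    # Non-final fragment far smaller than any real link MTU would force.
    if more_fragments and payload < MIN_FRAG_PAYLOAD:
        reasons.append("tiny-fragment")
    # First fragment too short to hold the TCP header a filter needs to see.
    if proto == 6 and offset == 0 and payload < TCP_MIN_HEADER:
        reasons.append("tcp-header-split")
    # Offset 1 (byte 8) lands inside the TCP header of the first fragment.
    if proto == 6 and offset == 1:
        reasons.append("tcp-header-overlap")
    return reasons
```

A small final fragment (MF clear, non-zero offset) is normal and is deliberately not flagged; only non-final fragments are held to the size threshold.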
Ease of Attack Tools have been written to trivially fragment traffic; Dug Song's
fragrouter program is a well-known example.
Corrective Action None
Additional References IPv4 RFC:
http://www.faqs.org/rfcs/rfc791.html