On Mon, 20 Oct 1997, Chris A. Icide wrote:
Date: Mon, 20 Oct 1997 07:36:47 -0500 From: "Chris A. Icide" <chris@nap.net> To: jamie@intuition.iagnet.net, Doug Davis <dougd@airmail.net> Cc: nanog@merit.edu, security@uu.net, help@uu.net, noc@airmail.net Subject: Re: Getting PING bombed...
If I remember right, and I think I do, Cisco filters will not reconstruct a fragment if it's not addressed to the router (why would you want to do such a thing, especially if the rest of the path is MTU limited?). Because of this lack of reconstruction, the router only stops the initial fragment, and allows the rest to pass. A while back we did some testing on this with some folks from abs.net (they supplied the victim), and it was still a problem in the 11.1.8 revision of code for the 7500 series.
I also opened a case with Cisco back in Feb about this issue, and demonstrated the problem to them. Cisco's DEs reopened bug CSCdj00711, and eventually integrated the fix into 11.1(10.2)AA on 4/3/97, and into 10.3(18), 10.0(14.4), 11.1(10.2) and 11.2(5.1) by 4/22.
Here is a response I got from a Cisco technical type a while back:
By design, non-initial fragments are not filtered as the transport layer (TCP/UDP) information is only available in the initial fragment and ACLs can contain entries that filter based on this. Filtering the initial fragment provides security as the receiving station will time out after not receiving the initial fragment and flush the rest. But, it is still prone to denial of service attacks...
I find it interesting that they're claiming here it's only a denial of service problem. I'll stop here... :) <snip> -Golan
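The behaviour the thread describes (a stateless ACL entry that needs transport or ICMP header fields can only be checked on the initial fragment, so every non-initial fragment sails through to a later "permit ip any any") is easy to reproduce in a small model. The following is an added example, not code from the thread or from Cisco: it builds an oversize ICMP echo request as IPv4 fragments in memory and runs them through two evaluators, one modelling the pre-fix behaviour as the post describes it and one modelling a stricter policy that judges non-initial fragments on the L3 fields of any matching entry. The addresses, the two-line ACL and the fragment sizes are constructed for the demo; nothing here is Cisco's actual implementation.

```python
import struct

# Constructed demo addresses (documentation ranges, not from the thread).
ATTACKER = "192.0.2.10"
VICTIM = "203.0.113.5"
PROTO_ICMP = 1


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_fragment(src, dst, proto, offset_units, more_fragments, payload):
    """Build one IPv4 fragment (no options; header checksum left at zero).
    offset_units is the fragment offset in 8-byte units, as on the wire."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x4242, flags_frag,
                         64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def parse_fragment(pkt):
    (ver_ihl, _tos, _length, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "proto": proto,
        "offset": flags_frag & 0x1FFF,      # in 8-byte units
        "mf": bool(flags_frag & 0x2000),    # More Fragments flag
        "payload": pkt[ihl:],
    }


def icmp_type(frag):
    """The ICMP type is in the first payload byte of the initial fragment only."""
    if frag["offset"] != 0 or not frag["payload"]:
        return None
    return frag["payload"][0]


# Hypothetical two-line ACL in the spirit of the thread:
# block echo requests aimed at the victim, permit everything else.
ACL = [
    {"action": "deny", "proto": PROTO_ICMP, "dst": VICTIM, "icmp_type": 8},
    {"action": "permit"},  # permit ip any any
]


def entry_matches_l3(entry, frag):
    return (entry.get("proto", frag["proto"]) == frag["proto"]
            and entry.get("dst", frag["dst"]) == frag["dst"])


def classic_acl(frag):
    """Model of the pre-fix behaviour described in the post: an entry that
    needs ICMP/transport header fields cannot be evaluated on a non-initial
    fragment, so the fragment falls through to the next entry."""
    for entry in ACL:
        if not entry_matches_l3(entry, frag):
            continue
        if "icmp_type" in entry:
            if frag["offset"] != 0:
                continue  # header fields absent in this fragment: skip entry
            if icmp_type(frag) != entry["icmp_type"]:
                continue
        return entry["action"]
    return "deny"  # implicit deny at the end of the list


def strict_acl(frag):
    """Stricter model: a non-initial fragment is judged on the L3 fields of an
    entry that also carries header conditions, so it inherits the deny."""
    for entry in ACL:
        if not entry_matches_l3(entry, frag):
            continue
        if "icmp_type" in entry and frag["offset"] == 0:
            if icmp_type(frag) != entry["icmp_type"]:
                continue
        return entry["action"]
    return "deny"


def fragmented_echo_request(total_len=3000, mtu_payload=1480):
    """Constructed oversize ICMP echo request split into three fragments."""
    icmp = bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"A" * (total_len - 8)
    frags = []
    for off in range(0, len(icmp), mtu_payload):
        chunk = icmp[off:off + mtu_payload]
        frags.append(build_fragment(ATTACKER, VICTIM, PROTO_ICMP, off // 8,
                                    off + mtu_payload < len(icmp), chunk))
    return frags


def run(policy):
    """Apply a policy to every fragment; returns one verdict per fragment."""
    return [policy(parse_fragment(p)) for p in fragmented_echo_request()]


if __name__ == "__main__":
    print("classic:", run(classic_acl))  # only the initial fragment is dropped
    print("strict: ", run(strict_acl))   # every fragment is dropped
```

Running it shows the gap the thread is about: under the classic model only the first fragment is denied and the remaining two reach the victim, where they sit in reassembly buffers until they time out; under the strict model all three are dropped at the router.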