In some mail from Colin Campbell, sie said:
> My mailer thinks Darrell Fuhriman said:
> > > > ... ip fragmentation attacks,
> > >
> > > Wozzat?
> > Fragment the IP packet so the addresses are in different packets, as well as
> > the port number. The router can't buffer them, and can't filter
> > them until it knows all the information. So, it lets them through. And
> > since most firewalls only block on the SYN... tada.. open connection.
> So, if I run input filters only, I am susceptible to this attack. Correct?
Possibly. Most vendors/implementations patched this - eventually.
Make sure you understand how it is handled.
> I take it, then, that output filters kill this attack to other hosts but the
> router is still susceptible since the packet never makes it to the output
No, if your output filter drops the packet, it becomes an IP spoofing attack
problem (guess the TCP ISS value in the reply you don't see).
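The filter problem described in this thread (the TCP ports and flags landing in a later fragment, so an input filter that only sees the first fragment cannot decide) has a well-known mitigation from RFC 1858: drop an initial TCP fragment that is too short to carry the ports and flags, and drop any fragment with offset 1, since that one can only exist to overwrite the header bytes of fragment 0. The example below is added here and is not code from anyone in the thread; it parses a raw IPv4 header, applies those two checks, and labels everything else as a candidate for ordinary filtering. The minimum-length threshold and the test packets are constructed for illustration.

```python
import struct

IPPROTO_TCP = 6

# Constructed policy value: an initial TCP fragment must carry at least the
# first 16 bytes of the TCP header (ports, seq, ack, data offset, flags) so the
# filter can see ports and the SYN bit in fragment 0 (RFC 1858 style check).
MIN_FIRST_TCP_FRAGMENT = 16


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header and return the fragmentation fields."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, ident, flags_off, _ttl, proto, _csum,
     _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IPv4 header")
    return {
        "ident": ident,
        "mf": bool(flags_off & 0x2000),      # More Fragments flag
        "offset": flags_off & 0x1FFF,        # fragment offset, units of 8 bytes
        "proto": proto,
        "payload_len": len(pkt) - ihl,       # transport bytes actually present
    }


def classify_fragment(pkt: bytes) -> str:
    """Return 'pass' or a 'drop: <reason>' verdict for one IPv4 packet/fragment."""
    h = parse_ipv4(pkt)
    if h["proto"] != IPPROTO_TCP:
        return "pass"
    # Tiny initial fragment: ports/flags would only arrive in a later fragment,
    # which is exactly what defeats a first-fragment-only input filter.
    if h["offset"] == 0 and h["mf"] and h["payload_len"] < MIN_FIRST_TCP_FRAGMENT:
        return "drop: tiny initial fragment"
    # Offset 1 (byte 8) can only overlap the TCP header already seen in fragment 0.
    if h["offset"] == 1:
        return "drop: fragment overlaps TCP header"
    return "pass"


def build_ipv4(payload: bytes, mf: bool, offset: int, proto: int = IPPROTO_TCP) -> bytes:
    """Constructed test helper: wrap payload in a minimal IPv4 header (checksum left 0)."""
    flags_off = (0x2000 if mf else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# Constructed sample traffic: a full SYN, a deliberately tiny first fragment,
# an offset-1 fragment, and a legitimate later fragment.
SYN_HEADER = bytes.fromhex("04d2 0050 00000001 00000000 5002 2000 0000 0000")
UNFRAGMENTED_SYN = build_ipv4(SYN_HEADER, mf=False, offset=0)
TINY_FIRST = build_ipv4(SYN_HEADER[:8], mf=True, offset=0)
OVERLAP_SECOND = build_ipv4(SYN_HEADER[8:], mf=False, offset=1)
NORMAL_LATER = build_ipv4(b"\x00" * 24, mf=False, offset=3)

if __name__ == "__main__":
    for name, pkt in [("unfragmented SYN", UNFRAGMENTED_SYN),
                      ("tiny first fragment", TINY_FIRST),
                      ("offset-1 fragment", OVERLAP_SECOND),
                      ("normal later fragment", NORMAL_LATER)]:
        print(f"{name:22s} -> {classify_fragment(pkt)}")
```

Note that this only closes the hole on the input side; as the reply above points out, dropping at the output instead leaves the attacker guessing the ISS in a reply they never see, which is a different problem and needs a different control.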