As packets traverse different networks, it is sometimes necessary to break a packet into smaller pieces (fragments) based upon the maximum transmission unit (MTU) of each network. IP fragments might contain an attacker's attempt to exploit the vulnerabilities in the packet reassembly code of specific IP stack implementations. When the victim receives these packets, the results can range from processing the packets incorrectly to crashing the entire system. See Figure 139.
Before You Begin |
|---|
For background information, read Suspicious Packet Attributes Overview. |
Figure 139: IP Packet Fragments
When you enable JUNOS Software to deny IP fragments on a security zone, it blocks all IP packet fragments that it receives at interfaces bound to that zone.