Describe DNS/FCP/IPv4 here.

https://en.wikipedia.org/wiki/IPv4#Fragmentation_and_reassembly

IP DATAGRAM REASSEMBLY ALGORITHMS https://tools.ietf.org/html/rfc815

Reassembly

A receiver knows that a packet is a fragment if at least one of the following conditions is true:

 * The "more fragments" flag is set. (This is true for all fragments except the last.)
 * The "fragment offset" field is nonzero. (This is true for all fragments except the first.)

The receiver identifies matching fragments using the foreign and local address, the protocol ID, and the identification field. The receiver reassembles the data from fragments with the same ID using both the fragment offset and the more fragments flag. When the receiver receives the last fragment (which has the "more fragments" flag set to 0), it can calculate the length of the original data payload, by multiplying the last fragment's offset by eight, and adding the last fragment's data size. In the example above, this calculation was 495*8 + 540 = 4500 bytes. When the receiver has all fragments, they can be correctly ordered by using the offsets, and reassembled to yield the original data segment.

== Attack ==

IP fragmentation buffer full

The IP fragmentation buffer full exploit occurs when there is an excessive amount of incomplete fragmented traffic detected on the protected network. This could be due to an excessive number of incomplete fragmented packets, a large number of fragments for individual packets or a combination of quantity of incomplete packets and size/number of fragments in each packet. This type of traffic is most likely an attempt to bypass security measures or Intrusion Detection Systems by intentional fragmentation of attack activity.

https://tools.ietf.org/html/rfc1858

----

http://www.digital.net/~gandalf/Rose_Frag_Attack_Explained.htm

Rose Fragmentation Attack
=========================

The first attack is fairly simple.
Send the first few bytes of a fragmented packet at offset 0 (More Fragments Bit = 1) and then send a few bytes at the end of a 64k sized packet (More Fragments Bit = 0). The placement of the last fragment does not have to be at 64k, this is just an attempt to use more memory.
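
The reassembly rules and the buffer-full condition above can be seen from the receiver's side in the following added example (not code from this page or from the linked sources). The names `Frag`, `Reassembler`, `max_pending` and `min_hole` and both threshold values are assumptions, and the sample fragments are constructed to match the 495*8 + 540 = 4500 calculation.

```python
from collections import namedtuple

# offset is in 8-byte units, as in the IPv4 header; size is the data length in bytes.
Frag = namedtuple("Frag", "src dst proto ident offset mf size")

def is_fragment(f):
    """Fragment if "more fragments" is set or the fragment offset is nonzero."""
    return bool(f.mf) or f.offset != 0

def missing_bytes(st):
    """Bytes of the original payload not yet covered by a received fragment."""
    covered = end = 0
    for lo, hi in sorted(st["spans"]):
        lo, hi = max(lo, end), min(hi, st["total"])
        if hi > lo:
            covered, end = covered + hi - lo, hi
    return st["total"] - covered

class Reassembler:
    def __init__(self, max_pending=64):      # cap is an assumed policy value
        self.pending = {}                    # (src, dst, proto, ident) -> state
        self.max_pending = max_pending

    def add(self, f):
        """Track one fragment; return 'complete', 'pending' or 'dropped'."""
        key = (f.src, f.dst, f.proto, f.ident)
        if key not in self.pending and len(self.pending) >= self.max_pending:
            return "dropped"                 # buffer full: take no new datagrams
        st = self.pending.setdefault(key, {"spans": [], "total": None})
        start = f.offset * 8
        st["spans"].append((start, start + f.size))
        if not f.mf:                         # last fragment fixes the payload length
            st["total"] = start + f.size
        if st["total"] is not None and missing_bytes(st) == 0:
            del self.pending[key]
            return "complete"
        return "pending"

    def sparse(self, min_hole=32768):        # threshold is an assumed policy value
        """Incomplete datagrams whose known length is mostly unfilled hole."""
        return [k for k, st in self.pending.items()
                if st["total"] is not None and missing_bytes(st) >= min_hole]

# Constructed sample: four fragments of one 4500-byte payload, out of order.
SAMPLE = [Frag("10.0.0.1", "10.0.0.2", 17, 7, off, mf, size)
          for off, mf, size in [(495, 0, 540), (0, 1, 1480), (310, 1, 1480), (185, 1, 1000)]]

def demo():
    r = Reassembler()
    return [r.add(f) for f in SAMPLE]        # complete only once every hole is filled
```

`sparse()` reports datagrams that have a first and a last fragment but almost nothing in between, which is the memory-holding pattern the Rose description refers to; a receiver would pair it with a reassembly timeout.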