Ataque
consistente en fragmentar los paquetes TCP en partes IP tan pequeñas como para
dividir la cabecera y engañar a los filtros que analizan la información en la
cabecera para tomar decisiones respecto de los paquetes TCP.
With many IP implementations
it is possible to impose an unusually small fragment size on outgoing packets.
If the fragment size is made small enough to force some of a TCP packet's TCP
header fields into the second fragment, filter rules that specify patterns for
those fields will not match. If the filtering implementation does not enforce a
minimum fragment size, a disallowed packet might be passed because it didn't
hit a match in the filter.
STD 5, RFC 791 states: Every
Internet module must be able to forward a datagram of 68 octets without further
fragmentation. This is because an Internet header may be up to 60 octets, and
the minimum fragment is 8 octets.
http://www.sans.org/security-resources/glossary-of-terms/