Deny ACL line with L3 information only, and the fragments keyword is present
If a packet's L3 information does match the L3 information in the ACL line, the packet's fragment
offset is checked.
If a packet's FO > 0, the packet is denied.
If a packet's FO = 0, the next ACL line is processed.
The indirect method relies on the observation that when a TCP
packet is fragmented so as to force "interesting" header fields
out of the zero-offset fragment, there must exist a fragment with
FO equal to 1.
This is normally true where the fragments are genuine fragments,
generally by bona fide software, but it is simply not true that a
hacker forging fragments is forced to produce an FO=1 fragment simply
because (s)he has produced an 8-byte FO=0 fragment . The
vulnerability flows from this false premise.