Fragmentation can pose a security problem. There was a bug in Windows
NT (the "teardrop" attack of 1997, which also hit Windows 95 and older
Linux kernels) which would crash it if overlapping fragments were
received: the reassembly code did not expect a later fragment to end
inside an earlier one, and in the Linux version of the bug the length
computed for the new data went negative. This was used to attack NT
machines in the Pentagon when Gates was addressing Congress.
Generally, a packet-filtering firewall has little option but to pass
a fragment (other than the first, i.e. the one with fragmentation
offset zero), since only the first fragment carries the transport
header with the port numbers and TCP flags on which its rules operate;
the alternatives are to drop all non-initial fragments, or to
reassemble the datagram itself before filtering, as stateful firewalls
do. Passing later fragments unfiltered is only safe if the first
fragment was filtered correctly, and RFC 1858 describes two ways round
that: a tiny first fragment that stops short of the port fields, and a
second fragment that overlaps the first and overwrites them on
reassembly. If the first fragment has been dropped, the subsequent
fragments sit in the destination's reassembly buffer until its timer
expires, and the host may then send an ICMP Time Exceeded error (code
1, fragment reassembly time exceeded). The firewall may wish to block
this error, on the grounds that it conveys information that should not
be revealed, namely that a host exists at that address and how its
stack behaves. RFC 792 says the message need not be sent when fragment
zero is missing, but a firewall should not assume that every host
honours that.
RFC 815 describes IP datagram reassembly algorithms: the receiver
keeps, for each datagram in progress, a list of the "holes" it has not
yet received, removes or splits a hole as each fragment arrives, and
delivers the datagram when the list is empty. Since the fragments have
to be stored in the memory of the IP layer until the packet is
complete, or until the reassembly timer expires (tens of seconds in
typical implementations), there are denial-of-service attacks that
flood the target with first fragments of datagrams that are never
completed, until the memory is exhausted. The usual defence is to cap
the memory given to reassembly and evict the oldest partial datagrams
once the cap is reached (Linux exposes this through the
net.ipv4.ipfrag_high_thresh and net.ipv4.ipfrag_time sysctls), which
keeps the host up at the cost of losing legitimate fragmented traffic
for the duration of the flood.
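As an added worked example (not part of the original notes, and not
code from any real IP stack), the following Python implements the
RFC 815 hole-list algorithm with the two hardenings the text above
motivates: a fragment that overlaps data already received, the
teardrop shape, is rejected and the whole datagram discarded, and the
bytes held for reassembly are capped, with the oldest partial
datagrams evicted when the cap is hit. The packet builder, the
addresses 10.0.0.1 and 10.0.0.2, the 30-second timer and the buffer
sizes are all constructed for the example.

```python
import struct
MAX_DATAGRAM = 65535   # largest IPv4 datagram; the initial hole spans [0, MAX_DATAGRAM - 1]

class ReassemblyError(Exception):
    """Raised for malformed, overlapping or inconsistent fragments."""

def parse_ipv4(pkt):
    """Parse an IPv4 header (checksum not verified) into (key, more_fragments, byte_offset,
    payload), where key is the RFC 791 grouping tuple (src, dst, protocol, identification)."""
    if len(pkt) < 20:
        raise ReassemblyError("truncated header")
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ReassemblyError("bad version or lengths")
    mf = bool(flags_frag & 0x2000)        # "more fragments" flag
    offset = (flags_frag & 0x1FFF) * 8    # fragment offset is carried in 8-byte units
    payload = pkt[ihl:total_len]
    if not payload or (mf and len(payload) % 8) or offset + len(payload) > MAX_DATAGRAM:
        raise ReassemblyError("bad fragment length or offset")
    return (src, dst, proto, ident), mf, offset, payload

class Reassembler:
    """RFC 815 hole-list reassembly with overlap rejection and a cap on buffered bytes."""
    def __init__(self, max_bytes=4 * 1024 * 1024, timeout=30.0):
        self.max_bytes, self.timeout = max_bytes, timeout
        self.used = 0        # bytes buffered across all pending datagrams
        self.pending = {}    # key -> {"holes", "frags", "bytes", "first_seen"}

    def _drop(self, key):
        self.used -= self.pending.pop(key)["bytes"]

    def _expire(self, now):
        for key, st in list(self.pending.items()):
            if now - st["first_seen"] >= self.timeout:
                self._drop(key)

    def add(self, pkt, now):
        """Feed one fragment at clock time `now` (seconds); return the payload once complete."""
        self._expire(now)
        key, mf, first, payload = parse_ipv4(pkt)
        last = first + len(payload) - 1
        st = self.pending.setdefault(key, {"holes": [(0, MAX_DATAGRAM - 1)], "frags": {},
                                           "bytes": 0, "first_seen": now})
        if st["frags"].get(first) == payload:
            return None                       # byte-identical retransmission: harmless
        # Memory bound: evict the oldest *other* datagrams until this fragment fits.
        while self.used + len(payload) > self.max_bytes:
            others = [k for k in self.pending if k != key]
            if not others:
                self._drop(key)
                raise ReassemblyError("reassembly buffer exhausted")
            self._drop(min(others, key=lambda k: self.pending[k]["first_seen"]))
        # RFC 815 hole list, stricter in one way: a fragment must fit inside a single hole.
        # Anything else overlaps data already received (the teardrop shape) or lies past
        # the final fragment, and the whole datagram is discarded.
        for i, (hf, hl) in enumerate(st["holes"]):
            if hf <= first and last <= hl:
                break
        else:
            self._drop(key)
            raise ReassemblyError("overlapping or out-of-range fragment")
        if not mf and hl != MAX_DATAGRAM - 1:
            self._drop(key)      # claims to be last, but data already exists past its end
            raise ReassemblyError("final fragment ends before data already received")
        new_holes = [(hf, first - 1)] if first > hf else []
        if mf and last < hl:
            new_holes.append((last + 1, hl))
        st["holes"][i:i + 1] = new_holes
        st["frags"][first] = payload
        st["bytes"] += len(payload)
        self.used += len(payload)
        if st["holes"]:
            return None
        self._drop(key)
        return b"".join(st["frags"][o] for o in sorted(st["frags"]))

def make_fragment(ident, offset, mf, payload, proto=17):
    """Build an IPv4 fragment 10.0.0.1 -> 10.0.0.2 for the examples (checksum left zero)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                       64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + payload

def teardrop_outcome():
    """Teardrop shape: the second fragment ends inside the first. Return the error raised."""
    r = Reassembler()
    r.add(make_fragment(2, 0, True, b"X" * 32), now=0.0)
    try:
        r.add(make_fragment(2, 24, False, b"Y" * 4), now=0.0)
    except ReassemblyError as e:
        return str(e)
    return "accepted"

def flood_outcome(n=1000, max_bytes=8192):
    """Flood n first fragments of datagrams that never complete; return (bytes, datagrams)."""
    r = Reassembler(max_bytes=max_bytes)
    for ident in range(n):
        r.add(make_fragment(ident, 0, True, b"Z" * 64), now=0.0)
    return r.used, len(r.pending)
```

Two design choices are worth noting. Real stacks tolerate some
overlap (RFC 815 itself lets a fragment partly fill a hole), and
different stacks resolve overlaps differently, which is exactly what
fragment-overlap evasion of firewalls exploits; refusing overlap
outright is the conservative choice for a firewall or IDS that
reassembles on behalf of hosts it cannot model. Under the flood in
flood_outcome the reassembler never holds more than max_bytes, but
every legitimate datagram older than the newest 128 partial ones is
evicted, so the cap turns a crash into a loss of fragmented traffic
rather than removing the denial of service.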