July 30, 2004
Virtual Fragmentation Reassembly
Virtual Fragmentation Reassembly (VFR) is an important firewall feature for identifying the contents of IP fragments. Without VFR, most fragmented packets pass through the firewall without any access control. Many vendors have implemented a VFR feature, among them Cisco and NetScreen; here we focus on the Cisco PIX firewall and the IOS Firewall feature set. FragGuard is one of the Cisco guards (like the DNS and Mail guards) and has provided enhanced IP fragment protection since version 5.1: it performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments routed through the PIX firewall.
Also from version 5.1, the PIX performs two additional security checks on IP packets, in addition to the checks recommended by RFC 1858, against the many IP fragment-style attacks: teardrop, tiny fragment, land, and so on.
The first check requires that each non-initial IP fragment (every fragment within a fragment set except the initial one) be associated with an already-seen valid initial IP fragment (the first fragment within a fragment set, which should carry a layer 4 header and have an offset of zero). As of PIX OS version 5.1, an initial fragment is not required, because fragments may arrive out of order. For the second check, IP fragments are rate-limited to 100 full IP fragmented packets per second to each internal host.
VFR is also responsible for detecting and preventing the tiny fragment attack, the overlapping fragment attack and the buffer overflow attack in the Cisco IOS Firewall feature set, but it has some restrictions, listed below:
Performance Impact:
VFR causes a performance impact from functions such as packet copying, fragment validation, and fragment reordering. The impact varies with the number of concurrent IP datagrams being reassembled.
VFR Configuration Restriction:
VFR should not be enabled on a router that is placed on an asymmetric path. The reassembly process requires all of the fragments within an IP datagram. Routers placed in the asymmetric path may not receive all of the fragments, so the fragment reassembly will fail.
SIP and RTSP Limitation:
The Session Initiation Protocol (SIP) and the Real-Time Streaming Protocol (RTSP) do not have the ability to parse port information across noncontiguous buffers. Thus, virtual fragmentation reassembly may fail. (If the application fails, the session will be blocked.)
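To make the fragment checks described earlier concrete, here is an added example (not Cisco's code, and a deliberate simplification of PIX/IOS behaviour) that models them on constructed fragment descriptions rather than raw packets: an RFC 1858-style tiny-fragment and header-overwrite check, an overlapping-fragment check, and the 100-fragmented-datagrams-per-second limit per internal host. Offsets and lengths are in bytes, and the 16-byte minimum transport header is an assumption.

```python
from collections import defaultdict

# Constructed, simplified model of the checks in the post; not PIX code.
MIN_L4_HEADER = 16        # bytes the initial fragment must carry (assumed; covers TCP ports+flags)
RATE_LIMIT_PER_SEC = 100  # fragmented datagrams per second per internal host (from the post)


class FragmentGuard:
    def __init__(self):
        self.ranges = defaultdict(list)              # datagram key -> accepted (start, end) byte ranges
        self.rate = defaultdict(lambda: [None, 0])   # internal host -> [second, datagrams seen]

    def check(self, src, dst, ip_id, offset, length, now):
        """Return 'pass' or a drop reason for one fragment.
        offset/length are in bytes (real offsets are multiples of 8); offset 0 marks the initial fragment."""
        key = (src, dst, ip_id)
        # Tiny-fragment check: the initial fragment must carry the whole transport
        # header, otherwise the filter cannot see ports and flags.
        if offset == 0 and length < MIN_L4_HEADER:
            return "drop-tiny"
        # A non-initial fragment starting inside the transport header would
        # overwrite it on reassembly (the RFC 1858 "FO=1" case); reject it.
        if 0 < offset < MIN_L4_HEADER:
            return "drop-overlap"
        # Overlapping-fragment check: reject any byte range that intersects a
        # range already accepted for this datagram (teardrop-style overlap).
        start, end = offset, offset + length
        for s, e in self.ranges[key]:
            if start < e and s < end:
                return "drop-overlap"
        # Per-host rate limit, counted once per new fragmented datagram.
        if not self.ranges[key]:
            sec = int(now)
            bucket = self.rate[dst]
            if bucket[0] != sec:
                bucket[0], bucket[1] = sec, 0
            bucket[1] += 1
            if bucket[1] > RATE_LIMIT_PER_SEC:
                return "drop-rate"
        self.ranges[key].append((start, end))
        return "pass"
```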
Posted by Mehrdad at July 30, 2004 06:10 PM