
Configuring IP Fragment Attack Defense

An attacker sends crafted IP fragments that assemble into illegitimate packets. After receiving such packets, target hosts become faulty, fail to process packets normally, or even crash.

Context

The DF (Don't Fragment) and MF (More Fragments) flag bits in the IP packet header, together with the fragment offset field, control fragmentation and reassembly. Attackers send fragments whose flags and offsets are inconsistent, forming illegal packets. After receiving such packets, the victim hosts become faulty, fail to process packets normally, or even crash.

After IP fragment attack defense is enabled, the FW discards a packet and logs an attack in any of the following cases:
  • The DF and MF flag bits are both set to 1.
  • The DF bit is 1 and the fragment offset is greater than 0 bytes.
  • The DF bit is 0 and the sum of the fragment offset and the total length field exceeds 65535 bytes.
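The following Python function applies the same three checks to a raw IPv4 header, which is useful for reproducing the FW's decision in a lab or a packet-inspection script. It is an added example, not Huawei documentation or product code; the header builder and the rule names are constructed for illustration.

```python
import struct
from typing import Optional

# Bit layout of the 16-bit "flags + fragment offset" field in an IPv4 header.
DF_FLAG = 0x4000       # Don't Fragment
MF_FLAG = 0x2000       # More Fragments
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, counted in 8-byte units
MAX_IP_LENGTH = 65535  # largest datagram the 16-bit total length can describe


def classify_ip_fragment(packet: bytes) -> Optional[str]:
    """Return the name of the fragment-attack rule a packet matches, or None.

    The three rules correspond to the three discard conditions listed above.
    Only the fixed 20-byte IPv4 header is inspected; rule names are our own.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, _tos, total_length, _ident, flags_offset = struct.unpack(
        "!BBHHH", packet[:8])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    df = bool(flags_offset & DF_FLAG)
    mf = bool(flags_offset & MF_FLAG)
    offset_bytes = (flags_offset & OFFSET_MASK) * 8   # convert 8-byte units to bytes

    if df and mf:
        return "df-and-mf-both-set"
    if df and offset_bytes > 0:
        return "df-set-with-nonzero-offset"
    if not df and offset_bytes + total_length > MAX_IP_LENGTH:
        return "fragment-exceeds-max-datagram"
    return None


def build_ipv4_header(total_length: int, df: bool, mf: bool, offset_units: int) -> bytes:
    """Build a minimal 20-byte IPv4 header as constructed test input (checksum left 0)."""
    flags_offset = (DF_FLAG if df else 0) | (MF_FLAG if mf else 0) | (offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 1, flags_offset,
                       64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


if __name__ == "__main__":
    # Constructed samples: two legitimate fragments, then one packet per discard rule.
    samples = {
        "first fragment (MF=1, offset 0)": build_ipv4_header(1500, False, True, 0),
        "last fragment (offset 1480 bytes)": build_ipv4_header(1500, False, False, 185),
        "DF=1 and MF=1": build_ipv4_header(1500, True, True, 0),
        "DF=1 with offset 8 bytes": build_ipv4_header(1500, True, False, 1),
        "offset 65528 + length 1500": build_ipv4_header(1500, False, False, 8191),
    }
    for label, pkt in samples.items():
        print(f"{label}: {classify_ip_fragment(pkt) or 'pass'}")
```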

Procedure

  1. In the user view, access the system view.

    system-view

  2. Enable IP fragment attack defense.

    firewall defend ip-fragment enable

Copyright © Huawei Technologies Co., Ltd.