beautypg.com

Fragmentation settings, Pseudoreass_maxconcurrent, Illegalfrags – D-Link DFL-2500 User Manual

Page 320: Duplicatefragdata

background image

13.8. Fragmentation Settings

IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot
carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate
packets, each one given their own IP header and information that will help the recipient reassemble
the original packet correctly.

However, many IP stacks are unable to handle incorrectly fragmented packets, a fact that can be
exploited by intruders to crash such systems. NetDefendOS provides protection against
fragmentation attacks in a number of ways.

PseudoReass_MaxConcurrent

Maximum number of concurrent fragment reassemblies. To drop all fragmented packets, set
PseudoReass_MaxConcurrent to 0.

Default: 1024

IllegalFrags

Determines how NetDefendOS will handle incorrectly constructed fragments. The term "incorrectly
constructed" refers to overlapping fragments, duplicate fragments with different data, incorrect
fragment sizes, etc. Possible settings include:

Drop – Discards the illegal fragment without logging it. Also remembers that the packet that is
being reassembled is "suspect", which can be used for logging further down the track.

DropLog – Discards and logs the illegal fragment. Also remembers that the packet that is being
reassembled is "suspect", which can be used for logging further down the track.

DropPacket – Discards the illegal fragment and all previously stored fragments. Will not allow
further fragments of this packet to pass through during ReassIllegalLinger seconds.

DropLogPacket – As DropPacket, but also logs the event.

DropLogAll – As DropLogPacket, but also logs further fragments belonging to this packet that
arrive during ReassIllegalLinger seconds.

The choice of whether to discard individual fragments or disallow the entire packet is governed by
two factors:

It is safer to discard the whole packet.

If, as the result of receiving an illegal fragment, you choose to discard the whole packet,
attackers will be able to disrupt communication by sending illegal fragments during a
reassembly, and in this way block almost all communication.

Default: DropLog – discards individual fragments and remembers that the reassembly attempt is
"suspect".

DuplicateFragData

If the same fragment arrives more than once, this can mean either that it has been duplicated at some
point on its journey to the recipient or that an attacker is trying to disrupt the reassembly of the
packet. In order to determine which is more likely, NetDefendOS compares the data components of
the fragment. The comparison can be made in 2 to 512 random locations in the fragment, four bytes
of each location being sampled. If the comparison is made in a larger number of samples, it is more
likely to find mismatching duplicates. However, more comparisons result in higher CPU load.

13.8. Fragmentation Settings

Chapter 13. Advanced Settings

320