Configuring virtual fragment reassembly, Overview – H3C Technologies H3C SecPath F1000-E User Manual
Page 109
99
Configuring virtual fragment reassembly
The virtual fragment reassembly configuration is available only in the Web interface.
Overview
To prevent service modules (such as IPSec, NAT and firewall) from processing packet fragments that
arrive out of order, you can enable the virtual fragment reassembly feature. This feature can virtually
reassemble the fragments of a datagram through fragment checking, sequencing and caching so as to
make sure that fragments arrive at service modules in order.
The virtual fragment reassembly feature can also detect the following types of fragment attacks, and
discard the attack fragments for security.
•
Tiny fragment attack: If the first fragment of a datagram is very small and the transport layer
protocol (such as TCP and UDP) header is in the second fragment, a tiny fragment attack is
considered.
•
Overlapping fragment attack: If two consecutive incoming fragments are identical or overlapping,
an overlapping fragment attack is considered .
•
Fragment-flood attack: If the maximum number of fragments per datagram or the maximum number
of fragment queues on the firewall is reached, a fragment-flood attack is considered.
Configuring virtual fragment reassembly
1.
Select Firewall > Session Table > Advanced from the navigation tree..
Figure 97 Virtual fragment reassembly configuration page
- H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS