
Configuring virtual fragment reassembly, Overview – H3C Technologies H3C SecBlade LB Cards User Manual


Configuring virtual fragment reassembly

Overview

To prevent service modules (such as NAT) from having to process packet fragments that arrive out of order, you can enable the virtual fragment reassembly feature. The feature does not rebuild the datagram; it virtually reassembles the fragments through fragment checking, sequencing and caching, so that the fragments of a datagram reach the service modules in order.

The virtual fragment reassembly feature also detects the following types of fragment attacks and discards the offending fragments:

Tiny fragment attack: the first fragment of a datagram is too small to carry the transport-layer (TCP or UDP) header, so the header falls into the second fragment. A first fragment that small is treated as a tiny fragment attack.

Overlapping fragment attack: two consecutive incoming fragments are identical or their data ranges overlap. Such fragments are treated as an overlapping fragment attack.

Fragment-flood attack: the maximum number of fragments for one datagram, or the maximum number of fragment queues on the device, is reached. Fragments beyond either limit are treated as a fragment-flood attack.

NOTE:

The virtual fragment reassembly feature does not support load sharing, and fragments of one IP packet that arrive from different security zones cannot be reassembled.
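The following Python model is an added illustration; it is not code from the H3C manual or from the device's implementation. It applies the three checks described above to constructed fragments and also shows the sequencing and caching behaviour: a fragment that arrives before the bytes preceding it is cached, and fragments are released to the service module only in offset order. The thresholds (MIN_FIRST_FRAGMENT, MAX_FRAGS_PER_DATAGRAM, MAX_QUEUES), the fixed 20-byte tiny-fragment rule, and the sample traffic are assumptions made for the example; the device's actual limits, security-zone handling and load-sharing restriction are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical thresholds for this example; a real device uses its configured limits.
MIN_FIRST_FRAGMENT = 20      # payload bytes the first fragment must carry (room for a TCP/UDP header)
MAX_FRAGS_PER_DATAGRAM = 8   # more fragments than this for one datagram is treated as a flood
MAX_QUEUES = 4               # more concurrently open fragment queues than this is treated as a flood


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int      # IP Identification field, shared by all fragments of one datagram
    offset: int     # byte offset of this fragment's payload (IP fragment offset field * 8)
    length: int     # payload bytes carried
    more: bool      # More Fragments (MF) flag

    @property
    def end(self) -> int:
        return self.offset + self.length


class FragmentQueue:
    """Per-datagram state: what has been forwarded and what is still cached."""

    def __init__(self) -> None:
        self.cached: List[Fragment] = []      # arrived early, waiting for the bytes before them
        self.next_offset = 0                  # first byte not yet forwarded
        self.total: Optional[int] = None      # datagram length, known once a fragment with MF=0 is seen
        self.count = 0                        # fragments accepted for this datagram

    def overlaps(self, frag: Fragment) -> bool:
        # Bytes [0, next_offset) have already gone out, so anything below next_offset
        # duplicates forwarded data; otherwise compare against the cached ranges.
        if frag.offset < self.next_offset:
            return True
        return any(frag.offset < f.end and f.offset < frag.end for f in self.cached)

    def release(self) -> List[Fragment]:
        # Hand out fragments strictly in offset order, stopping at the first gap.
        out: List[Fragment] = []
        while True:
            nxt = next((f for f in self.cached if f.offset == self.next_offset), None)
            if nxt is None:
                return out
            self.cached.remove(nxt)
            out.append(nxt)
            self.next_offset = nxt.end


class VirtualReassembler:
    def __init__(self, max_frags=MAX_FRAGS_PER_DATAGRAM, max_queues=MAX_QUEUES, min_first=MIN_FIRST_FRAGMENT):
        self.max_frags, self.max_queues, self.min_first = max_frags, max_queues, min_first
        self.queues: Dict[Tuple[str, str, int, int], FragmentQueue] = {}

    def process(self, frag: Fragment) -> Tuple[str, List[Fragment]]:
        """Return ("accept", fragments to forward in order) or (attack name, [])."""
        if frag.offset == 0 and not frag.more:
            return "accept", [frag]                    # not fragmented: pass straight through
        if frag.offset == 0 and frag.length < self.min_first:
            return "tiny-fragment", []                 # transport header would sit in fragment 2
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        q = self.queues.get(key)
        if q is None:
            if len(self.queues) >= self.max_queues:
                return "fragment-flood", []            # queue limit on the device reached
            q = self.queues[key] = FragmentQueue()
        if q.count >= self.max_frags:
            del self.queues[key]                       # per-datagram limit: drop the whole datagram
            return "fragment-flood", []
        if q.overlaps(frag):
            return "overlapping-fragment", []
        q.count += 1
        q.cached.append(frag)
        if not frag.more:
            q.total = frag.end
        released = q.release()
        if q.total is not None and q.next_offset == q.total:
            del self.queues[key]                       # every byte has gone out in order
        return "accept", released


def run_scenarios() -> Dict[str, object]:
    """Constructed traffic (not captured data) exercising each behaviour."""
    def frag(ident, offset, length, more):
        return Fragment("10.0.0.1", "10.0.0.2", 17, ident, offset, length, more)

    res: Dict[str, object] = {}
    r = VirtualReassembler(max_frags=4, max_queues=2)
    v1, out1 = r.process(frag(1, 1480, 100, False))     # second fragment arrives first: cached
    v2, out2 = r.process(frag(1, 0, 1480, True))        # first arrives: both released, in order
    res["out_of_order"] = (v1, [f.offset for f in out1], v2, [f.offset for f in out2])
    res["tiny"] = VirtualReassembler().process(frag(2, 0, 8, True))[0]
    r = VirtualReassembler()
    r.process(frag(3, 0, 1480, True))
    res["overlap"] = r.process(frag(3, 1000, 500, True))[0]      # rewrites forwarded bytes
    res["duplicate"] = r.process(frag(3, 0, 1480, True))[0]      # identical fragment again
    r = VirtualReassembler(max_frags=3, max_queues=2)
    res["per_datagram_flood"] = [r.process(frag(4, i * 100, 100, True))[0] for i in range(4)]
    r = VirtualReassembler(max_frags=3, max_queues=2)
    res["queue_flood"] = [r.process(frag(i, 0, 100, True))[0] for i in (5, 6, 7)]
    v, out = VirtualReassembler().process(frag(8, 0, 50, False))
    res["unfragmented"] = (v, [f.offset for f in out])
    return res


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The overlap check compares a new fragment both against fragments still cached and against the byte range already forwarded, because once data has been handed to a service module a later fragment covering the same bytes can no longer be reconciled; that is why a duplicate of an already-forwarded first fragment is rejected as an overlap rather than silently absorbed. On a per-datagram flood the whole queue is dropped, so an attacker cannot keep one datagram's cache growing by trickling fragments.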

Configuring virtual fragment reassembly in the Web interface

Configuring virtual fragment reassembly

1. From the navigation tree, select Security > Virtual Reassembly.

Figure 97 Virtual fragment reassembly configuration page
