< Home

Configuring Defense Against Packet Fragment Attacks

Context

Packet fragment attacks include attacks from many fragments, attacks from many packets with offsets, attacks from repeated packet fragments, Tear Drop attacks, Syndrop attacks, NewTear attacks, Bonk attacks, Nesta attacks, Rose attacks, Fawx attacks, Ping of Death attacks, and Jolt attacks. If an attacker sends error packet fragments to a device, the device consumes a large number of resources to process the error packet fragments, affecting normal services.

To prevent the system from breaking down and to ensure normal network services, enable defense against packet fragment attacks on the device. The device then limits the rate of fragment packets to ensure that the CPU runs properly when the device is being attacked by many packet fragments.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run anti-attack fragment enable

    Defense against packet fragment attacks is enabled.

    By default, defense against packet fragment attacks is enabled.

    You can also run the anti-attack enable command in the system view to enable attack defense against all attack packets including malformed packets.

  3. Run anti-attack fragment car cir cir

    The rate limit of packet fragments is set.

    By default, the rate limit of packet fragments is 155000000 bit/s.

Verifying the Configuration

  • Run the display anti-attack statistics fragment command to check statistics on defense against packet fragment attacks on the device.

Parent Topic: Attack Defense Configuration
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >