In a fragment attack, an attacker sends malformed packet fragments to a switch so that processing them consumes a large amount of the switch's CPU resources.
Fragment attacks are classified into the following types:
Excess-fragment attack
Oversize offset attack
Repeated fragment attack
Teardrop attack
Syndrop attack
To protect switches against breakdowns caused by fragment attacks and to ensure non-stop network services, configure defense against fragment attacks. Switches enabled with this defense function can limit the rate of fragmented packets to ensure that CPUs run properly when fragment attacks are launched.
Enable defense against fragment attacks. By default, this function is enabled.
<HUAWEI> system-view
[HUAWEI] anti-attack fragment enable
[HUAWEI] anti-attack fragment car cir 8000  //Limit the rate of receiving fragments. By default, this rate is 155,000,000 bit/s.
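To show what three of the fragment types listed above look like in IPv4 header fields, the following added example (not Huawei code, and not the switch's detection logic) flags repeated, overlapping (teardrop-style) and oversize-offset fragments in a constructed capture. The labels follow the general meaning of these terms, the exact criteria the switch applies are not stated on this page, and the function name, tuple layout and 20-byte header are assumptions of the example.

```python
from collections import defaultdict

IPV4_MAX_TOTAL = 65535  # largest total length an IPv4 datagram can carry
IPV4_HEADER = 20        # assumption: header without IP options


def classify_fragments(fragments):
    """Flag anomalous IPv4 fragments.

    Each fragment is (src, dst, ip_id, proto, offset_units, payload_len),
    where offset_units is the 13-bit fragment offset field (8-byte units).
    Returns a list of (index, label) for every fragment that is flagged.
    """
    ranges = defaultdict(list)  # datagram key -> byte ranges already seen
    findings = []
    for index, (src, dst, ip_id, proto, offset_units, payload_len) in enumerate(fragments):
        start = offset_units * 8
        end = start + payload_len
        seen = ranges[(src, dst, ip_id, proto)]
        # Reassembly would exceed the maximum datagram size.
        if IPV4_HEADER + end > IPV4_MAX_TOTAL:
            findings.append((index, "oversize-offset"))
            continue
        # Exactly the same byte range was already received.
        if (start, end) in seen:
            findings.append((index, "repeated"))
            continue
        # Partial overlap with an earlier fragment (teardrop-style).
        if any(start < e and end > s for s, e in seen):
            findings.append((index, "overlap"))
        seen.append((start, end))
    return findings


# Constructed sample using documentation addresses; 17 = UDP.
SAMPLE = [
    ("192.0.2.1", "198.51.100.7", 1, 17, 0, 1480),     # normal first fragment
    ("192.0.2.1", "198.51.100.7", 1, 17, 185, 1480),   # normal second fragment
    ("192.0.2.1", "198.51.100.7", 1, 17, 185, 1480),   # same range again
    ("192.0.2.1", "198.51.100.7", 2, 17, 0, 36),       # normal first fragment
    ("192.0.2.1", "198.51.100.7", 2, 17, 3, 4),        # lies inside bytes 0-36
    ("192.0.2.1", "198.51.100.7", 3, 17, 8189, 100),   # ends past 65535
]

if __name__ == "__main__":
    for index, label in classify_fragments(SAMPLE):
        print(f"fragment {index}: {label}")
```
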