fragment-flood enable

Function

The fragment-flood enable command enables defense against fragmented packet attacks.

The undo fragment-flood enable command disables defense against fragmented packet attacks.

By default, defense against fragmented packet attacks is enabled.

Format

fragment-flood enable

undo fragment-flood enable

Parameters

None

Views

Attack defense policy view

Default Level

2: Configuration level

Task Name and Operations

Task Name: device-mgr
Operations: write

Usage Guidelines

Usage Scenario

Common fragmented packet attacks include:

  • Attacks using a large number of fragmented packets: many fragmented packets are sent to the Device for reassembly, driving the Device's CPU usage high.
  • Attacks using fragments with excessive offset values: an attacker sends a large number of fragments whose total offset exceeds 65515 bytes; reassembling them drives CPU usage high, and as a result network services are interrupted.
  • Attacks using repeated fragments: the same fragment is sent at least twice.
  • Attacks using a large number of malformed fragments, including Tear Drop, syndrop, nesta, fawx, bonk, NewTear, Rose, Ping of death, and Jolt attacks.

In VS mode, this command is supported only by the admin VS.
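
The following is an added illustration, not Huawei code and not the Device's actual reassembly logic: a small Python detector that applies the first three attack classes from the usage scenario (fragment floods, fragments whose offset plus length exceeds 65515, and repeated fragments) to constructed fragment metadata. The record format, the `FLOOD_THRESHOLD` value and the sample addresses are assumptions chosen for the example; only the 65515-byte limit comes from the text above.

```python
from collections import defaultdict

# From the usage scenario: an IPv4 datagram payload cannot exceed
# 65535 - 20 = 65515 bytes, so a fragment ending past this offset can never
# reassemble legitimately.
MAX_IPV4_PAYLOAD = 65515

# Hypothetical threshold (assumption, not a Huawei default): fragments per
# datagram tolerated before the group is treated as a fragment flood.
FLOOD_THRESHOLD = 8


def classify_fragments(fragments, flood_threshold=FLOOD_THRESHOLD):
    """Group fragment records by (src, dst, ip_id) and report which attack
    classes each group matches: 'flood', 'oversize_offset', 'duplicate'.

    Each record is a dict with keys src, dst, ip_id, offset (bytes),
    length (payload bytes) and more_fragments (bool)."""
    groups = defaultdict(list)
    for frag in fragments:
        groups[(frag["src"], frag["dst"], frag["ip_id"])].append(frag)

    findings = {}
    for key, frags in groups.items():
        hits = set()
        # Fragment flood: too many pieces queued for one reassembly.
        if len(frags) > flood_threshold:
            hits.add("flood")
        seen = set()
        for frag in frags:
            # Oversize offset: the fragment would end beyond the maximum payload.
            if frag["offset"] + frag["length"] > MAX_IPV4_PAYLOAD:
                hits.add("oversize_offset")
            # Repeated fragment: identical offset/length/MF seen before in this datagram.
            signature = (frag["offset"], frag["length"], frag["more_fragments"])
            if signature in seen:
                hits.add("duplicate")
            seen.add(signature)
        if hits:
            findings[key] = hits
    return findings


def _rec(src, ip_id, offset, length, more):
    # Helper to build constructed sample records; 10.0.0.1 is the assumed Device address.
    return {"src": src, "dst": "10.0.0.1", "ip_id": ip_id,
            "offset": offset, "length": length, "more_fragments": more}


# Constructed sample fragment records (not captured traffic).
SAMPLE_FRAGMENTS = [
    # A normal two-fragment datagram: should produce no finding.
    _rec("10.0.0.5", 100, 0, 1480, True),
    _rec("10.0.0.5", 100, 1480, 520, False),
    # The same fragment sent twice.
    _rec("10.0.0.6", 200, 0, 1480, True),
    _rec("10.0.0.6", 200, 0, 1480, True),
    # A fragment ending at 65560 bytes, past the 65515-byte limit.
    _rec("10.0.0.7", 300, 65528, 32, False),
]
# Ten tiny fragments for one datagram, exceeding FLOOD_THRESHOLD.
SAMPLE_FRAGMENTS += [_rec("10.0.0.8", 400, 8 * i, 8, True) for i in range(10)]


if __name__ == "__main__":
    for key, hits in sorted(classify_fragments(SAMPLE_FRAGMENTS).items()):
        print(key, sorted(hits))
```

The detector keys groups on (source, destination, IP ID), which is what a reassembly engine must hold state for; the offset check uses offset plus fragment length so that a fragment whose last byte lies past 65515 is caught even when its offset field alone does not.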

Example

# Enable defense against fragmented packet attacks in attack defense policy 6.
<HUAWEI> system-view
[~HUAWEI] cpu-defend policy 6
[*HUAWEI-cpu-defend-policy-6] fragment-flood enable
Copyright © Huawei Technologies Co., Ltd.