74 ServerIron ADX Security Guide
53-1002440-03
Enabling ACL filtering of fragmented packets
2
Syntax: [no] ip access-group frag inspect | deny
The inspect | deny parameter specifies whether you want fragments to be sent to the CPU or
dropped:
inspect – This option sends all fragments to the CPU.
deny – This option begin s dropping all fra gments received by the port as so on as you enter th e
command. This option is especially useful if the port is receiving an unusually high rate of
fragments, which can indicate a hacker attack.
Throttling the fragment rate
By default, when you enable CPU filtering of packet fragments, all fragments are sent to the CPU.
Normally, the fragment rate in a typical network does not place enough additional load on the CPU
to adversely affect performance. However, performance can be affected if the device receives a
very high rate of fragments. For example, a misconfigured server or a hacker can affect the
device’s performance by flooding the CPU with fragments.
You can protect against fragment flooding by specifying the maximum number of fragments the
device or an individual interface is allowed to send to the CPU in a one-sec ond int erval. If the de vice
or an interface receives more than the specified number of fragments in a one-second interval, the
device either drops or forwards subsequent fragments in hardware, depending on the action you
specify. In addition, the device starts a holddown timer and continues to either drop or forward
fragments until the holddown time expires.
The device also generates a Syslog message.
To specify the maximum fragment rate per second, enter commands such as the following.
The first command sets the fragment threshold at 15,000 per second, for the entire device. If the
device receives more than 15,000 packet fragments in a one-second interval, the device takes the
specified action. The action specified with this command is to drop the excess fragments and
continue dropping fragments for a holddown time of ten minutes. After the ten minutes have
passed, the device starts sending fragments to the CPU again for processing.
The second command sets the fragment threshold at 5,000 for individual interfaces. If any
interface on the device receives more than 5,000 fragments in a one-second interval, the device
takes the specified action. In this case, the action is to forward the fragments in hardware without
filtering them. The device continues forwarding fragments in hardware for five minutes before
beginning to send fragments to the CPU again.
Both thresholds apply to the entire device. Thus, if an individual interface’s fragment threshold is
exceeded, the drop or forward action and the holddown time apply to all fragments received by the
device.
Syntax: [no] ip access-list frag-rate-on-system <num> exceed-action drop | forward reset-interval
<mins>
and
Syntax: [no] ip access-list frag-rate-on-interface <num> exceed-action drop | forward reset-interval
<mins>
ServerIronADX(config)# ip access-list frag-rate-on-system 15000 exceed-action
drop reset-interval 10
ServerIronADX(config)#ip access-list frag-rate-on-interface 5000 exceed-action
forward reset-interval 5