Fragmentation Settings - D-Link NetDefendOS User Manual

13.7. Fragmentation Settings

IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot
carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate
packets, each one given their own IP header and information that will help the recipient
reassemble the original packet correctly.
Many IP stacks, however, are unable to handle incorrectly fragmented packets, a fact that can be
exploited by intruders to crash such systems. NetDefendOS provides protection against
fragmentation attacks in a number of ways.
Pseudo Reass Max Concurrent
Maximum number of concurrent fragment reassemblies. To drop all fragmented packets, set
PseudoReass_MaxConcurrent to 0.
Default: 1024
Illegal Fragments
Determines how NetDefendOS will handle incorrectly constructed fragments. The term
"incorrectly constructed" refers to overlapping fragments, duplicate fragments with different
data, incorrect fragment sizes, etc. Possible settings include:
• Drop – Discards the illegal fragment without logging it. Also remembers that the packet that
is being reassembled is "suspect", which can be used for logging further down the track.
• DropLog – Discards and logs the illegal fragment. Also remembers that the packet that is
being reassembled is "suspect", which can be used for logging further down the track.
• DropPacket – Discards the illegal fragment and all previously stored fragments. Will not allow
further fragments of this packet to pass through during ReassIllegalLinger seconds.
• DropLogPacket – As DropPacket, but also logs the event.
• DropLogAll – As DropLogPacket, but also logs further fragments belonging to this packet that
arrive during ReassIllegalLinger seconds.
The choice of whether to discard individual fragments or disallow the entire packet is governed
by two factors:
• It is safer to discard the whole packet.
• If, as the result of receiving an illegal fragment, it is chosen to discard the whole packet,
attackers will be able to disrupt communication by sending illegal fragments during a
reassembly, and in this way block almost all communication.
Default: DropLog – discards individual fragments and remembers that the reassembly attempt is
"suspect".
Duplicated Fragment Data
If the same fragment arrives more than once, this can mean either that it has been duplicated at
some point on its journey to the recipient or that an attacker is trying to disrupt the reassembly
of the packet. In order to determine which is more likely, NetDefendOS compares the data
components of the fragment. The comparison can be made in 2 to 512 random locations in the
fragment, four bytes of each location being sampled. If the comparison is made in a larger
867
Chapter 13: Advanced Settings