Fragmentation Settings - D-Link NetDefend DFL-210 User Manual

13.8. Fragmentation Settings

13.8. Fragmentation Settings
IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot
carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate
packets, each one given their own IP header and information that will help the recipient reassemble
the original packet correctly.
However, many IP stacks are unable to handle incorrectly fragmented packets, a fact that can be ex-
ploited by intruders to crash such systems. NetDefendOS provides protection against fragmentation
attacks in a number of ways.
PseudoReass_MaxConcurrent
Maximum number of concurrent fragment reassemblies. To drop all fragmented packets, set Pseu-
doReass_MaxConcurrent to 0.
Default: 1024
IllegalFrags
Determines how NetDefendOS will handle incorrectly constructed fragments. The term "incorrectly
constructed" refers to overlapping fragments, duplicate fragments with different data, incorrect frag-
ment sizes, etc. Possible settings include:
• Drop – Discards the illegal fragment without logging it. Also remembers that the packet that is
being reassembled is "suspect", which can be used for logging further down the track.
• DropLog – Discards and logs the illegal fragment. Also remembers that the packet that is being
reassembled is "suspect", which can be used for logging further down the track.
• DropPacket – Discards the illegal fragment and all previously stored fragments. Will not allow
further fragments of this packet to pass through during ReassIllegalLinger seconds.
• DropLogPacket – As DropPacket, but also logs the event.
• DropLogAll – As DropLogPacket, but also logs further fragments belonging to this packet that
arrive during ReassIllegalLinger seconds.
The choice of whether to discard individual fragments or disallow the entire packet is governed by
two factors:
• It is safer to discard the whole packet.
• If, as the result of receiving an illegal fragment, you choose to discard the whole packet, attack-
ers will be able to disrupt communication by sending illegal fragments during a reassembly, and
in this way block almost all communication.
Default: DropLog – discards individual fragments and remembers that the reassembly attempt is
"suspect".
DuplicateFragData
If the same fragment arrives more than once, this can mean either that it has been duplicated at some
point on its journey to the recipient or that an attacker is trying to disrupt the reassembly of the
packet. In order to determine which is more likely, NetDefendOS compares the data components of
the fragment. The comparison can be made in 2 to 512 random locations in the fragment, four bytes
of each location being sampled. If the comparison is made in a larger number of samples, it is more
likely to find mismatching duplicates. However, more comparisons result in higher CPU load.
257
Chapter 13. Advanced Settings