R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

Virtual fragment reassembly
NOTE:
The firewall supports configuring virtual fragment reassembly only in the web interface.
Virtual fragment reassembly overview
To prevent each service module (such as IPSec, NAT and firewall) from having to process packet fragments that do not arrive in order, you can enable the virtual fragment reassembly feature. It virtually reassembles the fragments of a datagram through fragment checking, sequencing and caching, ensuring that the fragments arriving at each service module are in order.
The virtual fragment reassembly feature can detect the following types of fragment attacks and discards the offending fragments for security:
• Tiny fragment attack: the first fragment of a datagram is so small that the Layer 4 (such as TCP or UDP) header is pushed into the second fragment.
• Overlapping fragment attack: two consecutive incoming fragments are identical.
• Fragment-flood attack: the maximum number of concurrent reassemblies or the maximum number of fragments per datagram is reached.
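The following is an added, constructed Python model of the three checks and the sequencing step described above; it is not the firewall's implementation, and the thresholds (20-byte Layer 4 header, 8 fragments per datagram, 4 concurrent reassemblies) are assumptions chosen for illustration:

```python
"""Constructed model of virtual fragment reassembly checks (not the firewall's code)."""
from dataclasses import dataclass

MIN_FIRST_FRAGMENT = 20          # assumption: bytes needed to hold a TCP header in fragment 0
MAX_FRAGMENTS_PER_DATAGRAM = 8   # assumption: per-datagram fragment limit
MAX_CONCURRENT_REASSEMBLIES = 4  # assumption: datagrams allowed in the cache at once


@dataclass(frozen=True)
class Fragment:
    ident: int    # IP identification field: groups the fragments of one datagram
    offset: int   # fragment offset in bytes
    length: int   # payload bytes carried by this fragment
    more: bool    # "more fragments" flag


class VirtualReassembler:
    """Caches fragments per datagram and classifies each arriving fragment."""

    def __init__(self):
        self.cache = {}  # ident -> accepted fragments, in arrival order

    def check(self, frag):
        """Return 'ok', 'complete', or the attack type of a fragment to discard."""
        seen = self.cache.get(frag.ident, [])
        # Tiny fragment: first fragment too small to hold the Layer 4 header
        if frag.offset == 0 and frag.more and frag.length < MIN_FIRST_FRAGMENT:
            return "tiny-fragment"
        # Overlapping fragment: identical to the previous fragment of this datagram
        if seen and (seen[-1].offset, seen[-1].length) == (frag.offset, frag.length):
            return "overlapping-fragment"
        # Fragment flood: too many datagrams in flight, or too many pieces for one
        if not seen and len(self.cache) >= MAX_CONCURRENT_REASSEMBLIES:
            return "fragment-flood"
        if len(seen) >= MAX_FRAGMENTS_PER_DATAGRAM:
            return "fragment-flood"
        seen.append(frag)
        self.cache[frag.ident] = seen
        if self._complete(seen):
            del self.cache[frag.ident]  # datagram can now be handed on in order
            return "complete"
        return "ok"

    @staticmethod
    def _complete(frags):
        """True when the sequenced fragments cover the datagram contiguously to its end."""
        ordered = sorted(frags, key=lambda f: f.offset)
        expected = 0
        for f in ordered:
            if f.offset != expected:
                return False
            expected = f.offset + f.length
        return not ordered[-1].more
```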
Configuring virtual fragment reassembly
Select Firewall > Session Table > Advanced from the navigation tree to enter the virtual fragment
reassembly configuration page, as shown in Figure 61.