11-28-2005 04:15 AM - edited 03-09-2019 01:10 PM
Hi,
I'd like to check on the "fragment chain" command and when is it recommended to be used?
I know that using "fragment chain 1" for example will make my PIX drop any fragmented packets that arrive to the PIX interface, and this is a feature that helps me against DoS attacks. But how can I make a judgment on the number of fragments that I should accept on my environment and how can this affect my applications? Any advice please?
Thanks,
Haitham
11-28-2005 11:34 AM
Hi Haitham,
The fragmentation chain is set to 12 as a default. That would allow for a 16k token ring frame to be fragmented into 1500 byte pieces to be correctly processed by the PIX.
Token Ring <--> Router <--> Serial Interface (768 mtu)
In practice, the default is excessive. Although fragmentation is a normal part of IP, it is, however, "uncommon". Unless you routinely communicate with remote sites that use token ring, FDDI or ATM (or maybe X.25), a chain of 2-4 is safer.
If after changing the chain value you cannot communicate with sites you could previously reach, monitor your syslog for the message below and increase the chain value as necessary.
209005 Error Message %PIX-4-209005: Discard IP fragment set with more than number elements:
src = IP_address, dest = IP_address, proto = protocol, id = number
Explanation Too many elements are in a fragment set. The firewall disallows any IP packet that is fragmented into more than 12 fragments. Refer to the fragment command in the Cisco PIX Firewall Command Reference for more information.
Recommended Action A possible intrusion event may be in progress. If the message persists, contact the remote peer's administrator or upstream provider.
Regards,
Dave
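The syslog check Dave describes, as an added example that is not part of his post: a small parser for the 209005 message run over constructed sample lines, counting discards per source so a single legitimate peer that needs a higher chain value can be told apart from many sources hitting the limit.

```python
import re
from collections import Counter

# Regex for the message quoted in the thread:
# %PIX-4-209005: Discard IP fragment set with more than <n> elements:
#   src = <ip>, dest = <ip>, proto = <proto>, id = <id>
FRAG_DISCARD_RE = re.compile(
    r"%PIX-4-209005: Discard IP fragment set with more than (?P<limit>\d+) elements:\s*"
    r"src = (?P<src>[\d.]+), dest = (?P<dest>[\d.]+), proto = (?P<proto>\w+), id = (?P<id>\d+)"
)

# Constructed sample syslog lines (not from the thread). Assumes a standard
# syslog timestamp/hostname prefix in front of the documented message body.
SAMPLE_SYSLOG = """\
Nov 28 04:15:01 pix %PIX-4-209005: Discard IP fragment set with more than 4 elements: src = 198.51.100.7, dest = 192.0.2.10, proto = UDP, id = 4811
Nov 28 04:15:02 pix %PIX-4-209005: Discard IP fragment set with more than 4 elements: src = 198.51.100.7, dest = 192.0.2.10, proto = UDP, id = 4812
Nov 28 04:15:03 pix %PIX-6-302013: Built inbound TCP connection 12 for outside:203.0.113.5/40000 (203.0.113.5/40000) to inside:192.0.2.20/80 (192.0.2.20/80)
Nov 28 04:15:04 pix %PIX-4-209005: Discard IP fragment set with more than 4 elements: src = 203.0.113.9, dest = 192.0.2.25, proto = ICMP, id = 77
"""


def parse_fragment_discards(log_text):
    """Return one dict per 209005 message found; other messages are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FRAG_DISCARD_RE.search(line)
        if m:
            event = m.groupdict()
            event["limit"] = int(event["limit"])  # the configured chain value
            events.append(event)
    return events


def discards_per_source(events):
    """Count discarded fragment sets per source IP."""
    return Counter(e["src"] for e in events)


def sources_over_threshold(events, threshold):
    """Sources with at least `threshold` discards: one known peer here means the
    chain is too low for it; many unrelated sources points at the intrusion case."""
    counts = discards_per_source(events)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_fragment_discards(SAMPLE_SYSLOG)
    print(discards_per_source(evs))
    print(sources_over_threshold(evs, 2))
```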
11-28-2005 07:51 PM
Hi Dave,
It seems you're here talking about the sysopt security fragguard command, while I meant the fragment chain 1.
To be honest, I'm a bit confused between the 2 commands and how, when applying them at the same time, the PIX will react (i.e. will it allow 12 fragments, 24 or 100). Is the fragment chain command a complementary one where I can control the number of chains to permit through my PIX FW?
Thanks,
Haitham
12-04-2005 01:27 PM
Hi,
The default changed from 12 to 24 in version 6.2.
sysopt security fragguard enables fragmentation inspection. The fragment size and fragment chain commands modify the behavior of fragmentation inspection.
Regards,
Dave