Using Fragmentation Guard

haithamnofal
Level 3

Hi,

I'd like to check on the "fragment chain" command and when is it recommended to be used?

I know that using "fragment chain 1", for example, will make my PIX drop any fragmented packets that arrive at the PIX interface, and this is a feature that helps me against DoS attacks. But how can I make a judgment on the number of fragments that I should accept in my environment, and how can this affect my applications? Any advice please?

Thanks,

Haitham

3 Replies

ciscopixguy
Level 1

Hi Haitham,

The fragmentation chain is set to 12 as a default. That would allow for a 16k token ring frame to be fragmented into 1500 byte pieces to be correctly processed by the PIX.

Token Ring <--> Router <--> Serial Interface (768 mtu)

In practice, the default is excessive. Although fragmentation is a normal part of IP, it is, however, "uncommon". Unless you routinely communicate with remote sites that use token ring, FDDI or ATM (or maybe X.25), a chain of 2-4 is safer.

If after changing the chain value you cannot communicate with sites you could previously reach, monitor your syslog for the message below and increase the chain value as necessary.

209005 Error Message %PIX-4-209005: Discard IP fragment set with more than number elements:

src = IP_address, dest = IP_address, proto = protocol, id = number

Explanation Too many elements are in a fragment set. The firewall disallows any IP packet that is fragmented into more than 12 fragments. Refer to the fragment command in the Cisco PIX Firewall Command Reference for more information.

Recommended Action A possible intrusion event may be in progress. If the message persists, contact the remote peer's administrator or upstream provider.

Regards,

Dave
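As an added example (not from the thread, and not Cisco's code), the following Python script implements the monitoring step Dave describes: it parses the %PIX-4-209005 syslog lines, counts the discards by source, destination and protocol, and applies a simple heuristic to separate "legitimate peers need a larger chain" from "one host is sending oversized fragment sets". The sample syslog lines are constructed in the message format quoted above and are not real captures; the regex, the thresholds in assess() and the suggested re-tuning command are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real captures), modelled on the
# %PIX-4-209005 format quoted in the thread. Addresses are RFC 5737 test ranges.
SAMPLE_SYSLOG = """\
Mar 10 12:00:01 pix1 %PIX-4-209005: Discard IP fragment set with more than 4 elements: src = 203.0.113.7, dest = 192.0.2.10, proto = UDP, id = 1234
Mar 10 12:00:02 pix1 %PIX-4-209005: Discard IP fragment set with more than 4 elements: src = 203.0.113.7, dest = 192.0.2.10, proto = UDP, id = 1235
Mar 10 12:00:02 pix1 %PIX-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.9/40000 (198.51.100.9/40000) to inside:192.0.2.10/80 (192.0.2.10/80)
Mar 10 12:00:03 pix1 %PIX-4-209005: Discard IP fragment set with more than 4 elements: src = 198.51.100.22, dest = 192.0.2.11, proto = ICMP, id = 77
Mar 10 12:00:04 pix1 %PIX-4-209005: Discard IP fragment set with more than 4 elements: src = 203.0.113.7, dest = 192.0.2.12, proto = UDP, id = 1236
"""

# Field layout follows the message text quoted in the thread (assumed regex).
# Note: the "more than N" value is the configured chain limit, not how many
# fragments actually arrived, so the log alone cannot tell you the right limit.
MSG_RE = re.compile(
    r"%PIX-4-209005: Discard IP fragment set with more than (?P<limit>\d+) elements: "
    r"src = (?P<src>[\d.]+), dest = (?P<dest>[\d.]+), "
    r"proto = (?P<proto>\w+), id = (?P<id>\d+)"
)


def parse_discards(syslog_text):
    """Extract every 209005 discard as a dict; other messages are ignored."""
    events = []
    for line in syslog_text.splitlines():
        m = MSG_RE.search(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["limit"] = int(ev["limit"])
        ev["id"] = int(ev["id"])
        events.append(ev)
    return events


def summarize(events):
    """Count discards by source, destination and protocol."""
    return {
        "total": len(events),
        "by_src": Counter(ev["src"] for ev in events),
        "by_dest": Counter(ev["dest"] for ev in events),
        "by_proto": Counter(ev["proto"] for ev in events),
    }


def assess(events, min_events=3, concentration=0.5):
    """Heuristic triage for the tuning-vs-intrusion question in the thread.

    Returns (verdict, top_src, limit). The thresholds are arbitrary
    assumptions: if one source produces at least `concentration` of
    `min_events` or more discards, treat it as a possible attack rather than
    a reason to raise the chain limit; otherwise the discards look like
    legitimate peers hitting a limit that is set too low.
    """
    if not events:
        return ("clean", None, None)
    s = summarize(events)
    top_src, n = s["by_src"].most_common(1)[0]
    limit = events[0]["limit"]
    if s["total"] >= min_events and n / s["total"] >= concentration:
        return ("suspect", top_src, limit)
    return ("tune", top_src, limit)


if __name__ == "__main__":
    evs = parse_discards(SAMPLE_SYSLOG)
    verdict, src, limit = assess(evs)
    print(f"{len(evs)} discards at chain limit {limit}; verdict={verdict}, top source={src}")
    if verdict == "tune":
        # Doubling the limit is an assumed starting point, not a Cisco recommendation.
        print(f"consider raising the limit, e.g. 'fragment chain {limit * 2} outside'")
```

Run it against a real syslog export instead of SAMPLE_SYSLOG and, following Dave's advice, raise the chain only when the discards come from many distinct peers; a single source dominating the counts is the "possible intrusion event" case from the message documentation and deserves a look before the limit is loosened.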

Hi Dave,

It seems you're here talking about the "sysopt security fragguard" command, while I meant the "fragment chain 1" command, which allows 24 fragments by default and not 12. Please refer to http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1029667 for details about the "fragment chain 1" command. Confusingly, I also read in the Cisco PIX Exam Cram guide that the guard allows 100 fragments per internal destination host per second.

To be honest, I'm a bit confused between the 2 commands and how, when applying them at the same time, the PIX will react (i.e. will it allow 12 fragments, 24 or 100)... Is the fragment chain command a complementary one where I can control the number of chains to permit through my PIX FW?

Thanks,

Haitham

Hi,

The default changed from 12 to 24 in version 6.2.

sysopt security fragguard enables fragmentation inspection. The fragment size and fragment chain commands modify the behavior of fragmentation inspection.

Regards,

Dave