ip-tiny-frag
Except on the first page, right running head:
Heading1 or Heading1NewPage text (automatic)
721
Alcatel-Lucent
Beta Beta
OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide
IP-TINY-FRAG
ip-tiny-frag [{max-frag-num|min-frag-size} <1-4294967295>]
DESCRIPTION
This command is entered in the Firewall-Attack Sub Configuration Mode.
If the fragment size is made small enough to force some of a TCP packet's TCP
header fields into the second fragment, filter rules that specify patterns for those
fields will not match. If the filtering implementation does not enforce a minimum
fragment size, a disallowed packet might be passed because it didn't hit a match
in the filter. This can be avoided by including the above command with a specified
minimum fragment size in the user-defined attack prevention list or by just using
the “default” keyword.
PARAMETERS
DEFAULT VALUE
• By default, the maximum number of fragments allowed in the IP packet, is 50.
• By default, the minimum size allowed in the IP fragment, is 64 bytes.
EXAMPLE
ALU(config-firewall-attack-A1)# ip-tiny-frag min-frag-size 10
Parameter Description
max-frag-num <1-4294967295> Denotes the number of the maximum
fragments allowed in the IP packet.
min-frag-size <1-4294967295> Denotes the number of minimum size of
the IP fragment. When DoS detects a
fragment smaller than this size, it will
drop the packet.
To Next Page
Loading...
