CBAC inspection rules can also help protect hosts against certain DoS attacks
that use fragmented IP packets. Even when the firewall prevents an attacker from
completing connections to a given host, the attacker may still be able to
disrupt the services that host provides.
Recall that packets are sometimes fragmented for transmission. Every fragment of
a datagram carries the same IP Identification value; the initial fragment
(offset 0) also carries the transport-layer header, and the remaining fragments
carry only an IP header whose fragment offset gives their position in the
original datagram. Because an ACL can match ports only on the initial fragment,
filtering that fragment leaves the receiving host unable to complete reassembly,
and the other fragments of that datagram are eventually discarded when its
reassembly timer expires.
Problems arise when some non-initial fragments reach the receiving interface
before their initial fragment. Those fragments must be queued until the initial
fragment arrives and reassembly can proceed. An attacker can mount a DoS attack
by sending many non-initial IP fragments whose initial fragment never arrives,
or by sending complete fragmented packets through a router whose ACL filters the
first fragment of each. Either way, the fragments tie up reassembly buffers and
timers on the target host while it waits for packets it can never complete.
With fragmentation inspection, the firewall maintains interfragment state (a
structure per datagram) for IP traffic. Non-initial fragments are discarded
unless the corresponding initial fragment was permitted through the firewall,
and non-initial fragments that arrive before their initial fragment are
discarded as well.
Because routers running Cisco IOS software are used in a wide variety of
networks, and because CBAC is often used to isolate parts of an internal
network from one another, fragmentation inspection is not enabled by default.
It must be explicitly enabled for an inspection rule with the ip inspect name
global configuration command.
Unfragmented traffic never needs fragment state, so it is never discarded for
lacking one. Even when the firewall is under heavy attack with fragmented
packets, legitimate fragmented traffic, if any, still receives some fraction of
the firewall's fragment-state resources, and legitimate unfragmented traffic
flows through the firewall unimpeded.
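The following Python model, added here as an illustration and not taken from Cisco IOS or from the original text, shows both the attack described above and the inspection behaviour that counters it. It tracks interfragment state per (source, destination, protocol, Identification) tuple, creates that state only when a policy-permitted initial fragment is seen, discards non-initial fragments that have no permitted initial fragment (whether they arrived early, were orphaned by the attacker, or belong to a datagram whose first fragment the policy denied), and lets unfragmented packets through without consuming any fragment state. The policy function, the addresses, the state-table limit and the timeout are constructed stand-ins for an inspection rule and its parameters, not real platform values; the packet stream is constructed too.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the IP header fields that fragment inspection needs (constructed model)."""
    src: str
    dst: str
    proto: int
    ident: int        # IP Identification: shared by every fragment of one datagram
    offset: int       # fragment offset (8-byte units); 0 on the first fragment
    more: bool        # MF flag; clear on the last fragment and on unfragmented packets
    dport: int = 0    # transport port, readable only when the transport header is present
    ts: float = 0.0   # arrival time in seconds (constructed)

    @property
    def fragmented(self) -> bool:
        return self.more or self.offset != 0

    @property
    def initial(self) -> bool:
        return self.fragmented and self.offset == 0

    @property
    def flow(self) -> Tuple[str, str, int, int]:
        return (self.src, self.dst, self.proto, self.ident)


class FragmentInspector:
    """Keeps interfragment state only for initial fragments the policy permitted.

    max_states and timeout stand in for the size limit and lifetime a firewall
    puts on its fragment-state table; the values are this model's assumptions.
    """

    def __init__(self, policy: Callable[[Packet], bool],
                 max_states: int = 256, timeout: float = 1.0):
        self.policy = policy
        self.max_states = max_states
        self.timeout = timeout
        self.states: Dict[Tuple[str, str, int, int], float] = {}  # flow -> time permitted
        self.counts = {"permit": 0, "drop_policy": 0,
                       "drop_no_initial": 0, "drop_state_full": 0}

    def _expire(self, now: float) -> None:
        for key, created in list(self.states.items()):
            if now - created > self.timeout:
                del self.states[key]

    def _count(self, verdict: str) -> str:
        self.counts[verdict] += 1
        return verdict

    def inspect(self, pkt: Packet) -> str:
        self._expire(pkt.ts)
        if not pkt.fragmented or pkt.initial:
            # Transport header present: the ACL/inspection policy can decide.
            if not self.policy(pkt):
                return self._count("drop_policy")
            if pkt.initial:
                if pkt.flow not in self.states and len(self.states) >= self.max_states:
                    return self._count("drop_state_full")
                self.states.setdefault(pkt.flow, pkt.ts)
            return self._count("permit")   # unfragmented packets never touch the table
        # Non-initial fragment: no ports to inspect; pass only if its initial
        # fragment already passed. Early, orphaned, or denied-head tails are dropped.
        if pkt.flow in self.states:
            return self._count("permit")
        return self._count("drop_no_initial")


def run_demo() -> Dict[str, int]:
    attacker, server = "192.0.2.10", "10.0.0.5"   # constructed addresses

    def permit_dns_http(p: Packet) -> bool:       # stand-in for the inspection rule
        return p.dst == server and p.dport in (53, 80)

    def frag(ident: int, offset: int, more: bool, dport: int, ts: float) -> Packet:
        return Packet(attacker, server, 17, ident, offset, more, dport, ts)

    fw = FragmentInspector(permit_dns_http, max_states=4, timeout=1.0)
    stream = [
        frag(1, 0, True, 53, 0.00),     # legitimate DNS datagram, fragments in order
        frag(1, 185, False, 0, 0.01),
        frag(2, 185, False, 0, 0.02),   # second datagram arrives tail first: tail dropped,
        frag(2, 0, True, 53, 0.03),     # head still permitted
        frag(3, 0, True, 23, 0.04),     # initial fragment denied by policy
        frag(3, 185, False, 0, 0.05),   # its tail has no permitted head: dropped
    ]
    # Attack: 300 orphaned non-initial fragments; none of them creates state.
    stream += [frag(1000 + i, 185, False, 0, 0.10) for i in range(300)]
    stream += [frag(7, 0, False, 53, 0.20),    # unfragmented: needs no fragment state
               frag(8, 0, False, 23, 0.21)]    # unfragmented but denied by policy
    # Burst of permitted initial fragments that overflows the tiny state table.
    stream += [frag(10 + i, 0, True, 80, 0.30) for i in range(6)]
    stream.append(frag(1, 370, False, 0, 1.50))  # straggler after its state timed out

    for pkt in stream:
        fw.inspect(pkt)
    result = dict(fw.counts)
    result["states_open"] = len(fw.states)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the run is where the state goes: the 300-fragment flood is counted entirely under drop_no_initial and allocates nothing, the unfragmented packets are judged by policy alone, and only permitted initial fragments can fill the table, which is why a limit and a short timeout on that table are what bound the firewall's own exposure.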
The syntax of the ip inspect
name command for IP packet fragmentation is shown in Figure
.