Configure Attack Guards on the PIX Security Appliance
FragGuard and Virtual Reassembly

FragGuard and Virtual Reassembly is a PIX Security Appliance feature that provides IP fragment protection. Virtual reassembly gathers a set of IP fragments, verifies their integrity and completeness, and tags each fragment in the set with the transport header, but does not combine the fragments into a full IP packet. This gives the benefits of full reassembly (every fragment set is checked and tagged with the transport header) while minimizing the buffer space that must be reserved for reassembly. Full reassembly is expensive in buffer space because memory must be reserved for collecting and combining the fragments; because virtual reassembly never combines them, no buffer preallocation is needed.

FragGuard and Virtual Reassembly performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments routed through the PIX Security Appliance. It uses syslog to log any fragment overlap and small fragment offset anomalies, in particular those produced by the Teardrop.c attack.

By default, the PIX Security Appliance accepts up to 24 fragments per IP packet when reconstructing it. Depending on the network security policy, an administrator should consider preventing fragmented packets from traversing the PIX at all by entering the fragment chain 1 interface command on each interface. Setting the chain limit to 1 means that every packet must be unfragmented to pass.

Note the following regarding fragment configuration:

  • The default values will limit DoS attacks caused by fragment flooding.
  • If an interface is not specified, the command applies to all interfaces.

The fragment command provides management of packet fragmentation and improves the compatibility of the PIX Security Appliance with the Network File System (NFS). NFS is a client-server application that lets a user view and optionally store and update files on a remote computer as though they were on the user's own machine. In general, the default values of the fragment command should be used. However, if a large percentage of the traffic through the PIX is NFS, additional tuning may be necessary to avoid overflowing the fragment database.

The fragment size command sets the maximum number of packets the fragment database can hold. The fragment chain command sets the maximum number of fragments into which one packet may be split, and the fragment timeout command sets the maximum number of seconds the PIX Security Appliance waits after receiving the first fragment before discarding the fragments still waiting for reassembly. The example in the figure uses the fragment size and fragment chain commands to disallow all fragments through the PIX.
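The following Python model is added here as an illustration; it is not PIX code. It simulates one interface's fragment database under the size, chain and timeout limits just described (using the PIX defaults of 200, 24 and 5 seconds) together with the virtual reassembly checks from the opening paragraphs: overlap detection of the kind Teardrop.c triggers, a first fragment too small to carry a transport header, and a completeness check before the set is released, each fragment tagged with the transport header rather than combined. It also shows the effect of fragment chain 1. The 8-byte minimum first fragment, byte-granular offsets, and the addresses in the constructed traffic are assumptions of this example.

```python
"""Model of a PIX per-interface fragment database with virtual reassembly checks.

Added example, not PIX software. Mirrors the documented semantics of
fragment size (max sets held), fragment chain (max fragments per packet) and
fragment timeout (seconds after the first fragment), defaults 200 / 24 / 5.
Offsets are in bytes (the IP header stores offset/8). The 8-byte minimum
first fragment is an assumption standing in for the small-fragment check.
"""
from dataclasses import dataclass, field

MIN_FIRST_FRAGMENT = 8              # assumption: enough to hold a UDP or ICMP header
HOLD, PASS, DROP = "hold", "pass", "drop"


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int                      # IP identification field
    proto: int                      # IP protocol number
    offset: int                     # payload offset in bytes
    payload: bytes
    more: bool                      # MF flag

    @property
    def key(self):
        return (self.src, self.dst, self.ident, self.proto)


@dataclass
class FragmentSet:
    first_seen: float
    frags: list = field(default_factory=list)


class FragmentDatabase:
    """Equivalent of: fragment size N if / fragment chain N if / fragment timeout N if."""

    def __init__(self, size=200, chain=24, timeout=5):
        self.size, self.chain, self.timeout = size, chain, timeout
        self.sets = {}
        self.syslog = []            # what the PIX would report via syslog

    def _drop(self, key, reason):
        self.sets.pop(key, None)
        self.syslog.append(f"fragment set {key}: {reason}")
        return DROP

    def expire(self, now):
        """fragment timeout: discard sets whose first fragment is older than timeout seconds."""
        for key in [k for k, s in self.sets.items() if now - s.first_seen > self.timeout]:
            self._drop(key, "reassembly timeout")

    def accept(self, frag, now):
        """Return HOLD (waiting for more), PASS (set complete and verified) or DROP."""
        self.expire(now)
        if frag.offset == 0 and not frag.more:
            return PASS             # an unfragmented packet never enters the database
        if self.chain <= 1:
            return self._drop(frag.key, "fragment rejected (fragment chain 1)")
        fset = self.sets.get(frag.key)
        if fset is None:
            if len(self.sets) >= self.size:
                self.syslog.append(f"fragment set {frag.key}: database full, fragment dropped")
                return DROP
            fset = self.sets[frag.key] = FragmentSet(first_seen=now)
        lo, hi = frag.offset, frag.offset + len(frag.payload)
        for held in fset.frags:     # overlap check: the Teardrop.c pattern
            if lo < held.offset + len(held.payload) and held.offset < hi:
                return self._drop(frag.key, f"overlapping fragment at offset {lo}")
        if frag.offset == 0 and len(frag.payload) < MIN_FIRST_FRAGMENT:
            return self._drop(frag.key, "first fragment too small for transport header")
        if frag.more and len(frag.payload) % 8:
            return self._drop(frag.key, "non-final fragment length not a multiple of 8")
        fset.frags.append(frag)
        if len(fset.frags) > self.chain:
            return self._drop(frag.key, f"chain limit {self.chain} exceeded")
        return PASS if self._complete(fset) else HOLD

    @staticmethod
    def _complete(fset):
        """Contiguous coverage from offset 0 up to a fragment with MF clear."""
        end = 0
        for f in sorted(fset.frags, key=lambda f: f.offset):
            if f.offset != end:
                return False
            end += len(f.payload)
            if not f.more:
                return True
        return False

    def release(self, key):
        """Virtual reassembly: hand back the fragments in order, each tagged with the
        transport header taken from the first fragment, without combining them."""
        fset = self.sets.pop(key)
        ordered = sorted(fset.frags, key=lambda f: f.offset)
        header = ordered[0].payload[:MIN_FIRST_FRAGMENT]
        return [(header, f) for f in ordered]


def constructed_scenarios():
    """Constructed traffic (not captured data): a normal two-fragment datagram, a
    Teardrop.c-style overlapping pair, a chain-1 interface, a full database, a timeout."""
    def frag(src, ident, offset, size, more):
        return Fragment(src, "192.0.2.10", ident, 17, offset, bytes(size), more)

    db = FragmentDatabase()
    normal = [db.accept(frag("10.0.0.5", 1, 0, 16, True), 0.0),
              db.accept(frag("10.0.0.5", 1, 16, 4, False), 0.1)]
    released = db.release(("10.0.0.5", "192.0.2.10", 1, 17))
    teardrop = [db.accept(frag("10.0.0.6", 2, 0, 24, True), 1.0),
                db.accept(frag("10.0.0.6", 2, 8, 16, False), 1.1)]   # offset 8 lies inside 0-24
    chain1 = FragmentDatabase(chain=1).accept(frag("10.0.0.7", 3, 0, 16, True), 2.0)
    small = FragmentDatabase(size=1)
    full = [small.accept(frag("10.0.0.8", 4, 0, 16, True), 3.0),
            small.accept(frag("10.0.0.9", 5, 0, 16, True), 3.1)]
    db.accept(frag("10.0.0.10", 6, 0, 16, True), 4.0)
    db.expire(10.0)                                         # 6 s since first fragment > 5
    timed_out = ("10.0.0.10", "192.0.2.10", 6, 17) not in db.sets
    return {"normal": normal, "released": len(released), "teardrop": teardrop,
            "chain1": chain1, "full": full, "timed_out": timed_out, "syslog": db.syslog}
```

The syslog list is where a real PIX would emit its overlap, timeout and database-full messages; the chain-1 case shows why that setting is the simplest way to enforce "no fragments" per interface, and the size=1 case shows the trade-off in the next paragraph: a small database drops legitimate sets when it is full, a large one holds more attacker state.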

In an environment where the maximum transmission unit (MTU) between the NFS server and client is small, such as a WAN interface, the chain option may require additional tuning. In this case, NFS over TCP is highly recommended to improve efficiency.

Setting the database-limit of the size option to a large value makes the PIX Security Appliance more vulnerable to a DoS attack by fragment flooding, because more attacker-controlled fragment state is held. Do not set the database-limit equal to or greater than the total number of blocks in the 1550-byte or 16384-byte block memory pool. See the show blocks command for the current block counts.

The show fragment command displays the state of the fragment databases. If an interface name is specified, only the database for that interface is displayed.

Use the clear fragment command to reset the fragment databases to their defaults. This causes the PIX Security Appliance to discard all fragments currently waiting for reassembly and to reset the size, chain, and timeout options to their default values.