config security dos ip-fragmentation-protection
IP packet fragmentation ensures that IP datagrams can traverse networks of any type. A datagram created as a single packet may be split into many smaller packets for transmission and reassembled at the receiving host. A DDoS attack can deny service to the network by sending fragmented datagrams large enough to exhaust the reassembly buffers in your router.
The purpose of such an attack is to consume system memory and network bandwidth in the shortest possible time. To counter it, you can limit the maximum memory used for reassembly on each socket, the maximum gap between fragments from the same source IP, and the timeout for receiving an entire packet.
Syntax
config security dos ip-fragmentation-protection
set max-memory-size <integer>
set min-memory-size <integer>
set time <integer>
end
CLI specification

CLI Parameter | Help message | Type | Scope | Default | Must
---|---|---|---|---|---
max-memory-size | ip fragmentation maximum memory size limit(KB) | integer | 0-4096 | 4096 | No
min-memory-size | ip fragmentation minimum memory size limit(KB) | integer | 0-4096 | 3072 | No
time | fragment package alive time | char | 0-256 | 30 | No
Function description

CLI Parameter | Description
---|---
max-memory-size | Maximum memory size of the IP fragmentation packets for the VDOM. When usage reaches this limit, FortiADC stops reassembling IP fragments.
min-memory-size | When the total IP fragmentation memory usage drops to min-memory-size, FortiADC starts reassembling fragments again.
time | Maximum lifetime of each fragmentation queue. All fragments in a queue are dropped if the queue exceeds this timeout.
Example
config security dos ip-fragmentation-protection
set max-memory-size 4096
set min-memory-size 3072
set time 30
end
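To make the interaction of the three settings concrete, here is an added Python model of the admission policy they describe (a constructed example, not FortiADC code): reassembly pauses when queued fragment memory reaches max-memory-size, resumes only once it has drained to min-memory-size, and any queue older than time is dropped whole. It assumes the fragment that reaches the limit is still accepted, and all sizes, addresses and timestamps are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class FragmentGuard:
    """Constructed model: memory high/low watermarks plus a queue timeout."""
    max_memory_kb: int = 4096  # reassembly stops when usage reaches this
    min_memory_kb: int = 3072  # reassembly resumes once usage drops to this
    alive_time_s: int = 30     # a queue older than this is dropped whole
    used_kb: int = 0
    paused: bool = False
    queues: dict = field(default_factory=dict)  # (src, ip_id) -> [first_seen, kb]
    dropped: int = 0

    def expire(self, now: float) -> None:
        """Drop every queue past its alive time and free its memory."""
        for key in list(self.queues):
            first_seen, kb = self.queues[key]
            if now - first_seen > self.alive_time_s:
                self.used_kb -= kb
                self.dropped += 1
                del self.queues[key]
        # hysteresis: only resume once usage has fallen to the low watermark
        if self.paused and self.used_kb <= self.min_memory_kb:
            self.paused = False

    def offer(self, now: float, src: str, ip_id: int, kb: int) -> bool:
        """Return True if the fragment is queued, False if it is dropped."""
        self.expire(now)
        if self.paused:
            self.dropped += 1
            return False
        queue = self.queues.setdefault((src, ip_id), [now, 0])
        queue[1] += kb
        self.used_kb += kb
        # assumption: the fragment that reaches the limit is still accepted
        if self.used_kb >= self.max_memory_kb:
            self.paused = True
        return True


def demo() -> list:
    """Feed constructed fragments through small watermarks; return verdicts."""
    g = FragmentGuard(max_memory_kb=100, min_memory_kb=60, alive_time_s=30)
    events = [(0, "10.0.0.1", 1, 40), (1, "10.0.0.1", 2, 40),
              (2, "10.0.0.2", 7, 40), (3, "10.0.0.3", 9, 10),
              (31, "10.0.0.3", 9, 10), (33, "10.0.0.3", 9, 10)]
    # expected: [True, True, True, False, False, True]
    return [g.offer(t, s, i, kb) for t, s, i, kb in events]
```

The fourth and fifth fragments are refused even though memory is free for them: after the 40 KB queue expires usage is 80 KB, still above the 60 KB low watermark, so reassembly stays paused until two more queues time out.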