Attack Behavior
An attacker sends malformed packet fragments to a switch so that reassembling or processing them consumes a large share of the switch's CPU resources.
Fragment attacks are classified into the following types:
- Excess-fragment attack
- Oversize offset attack
- Repeated fragment attack
- Teardrop attack
- Syndrop attack
- Newtear attack
- Bonk attack
- Nesta attack
- Rose attack
- Fawx attack
- Ping of death attack
- Jolt attack
Security Policy
To protect switches against breakdowns caused by fragment attacks and to ensure non-stop network services, configure defense against fragment attacks. Switches enabled with this defense function can limit the rate of fragmented packets to ensure that CPUs run properly when fragment attacks are launched.
Configuration Method
Enable defense against fragment attacks. By default, this function is enabled.
<HUAWEI> system-view
[HUAWEI] anti-attack fragment enable
[HUAWEI] anti-attack fragment car cir 8000 //Limit the rate of receiving fragments. By default, this rate is 155,000,000 bit/s.
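The checks behind this defense, as an added Python example that is not Huawei's code: it flags the oversize-offset, repeated, overlapping (teardrop-style) and excess-fragment cases from the list above, and simulates a CIR token-bucket limiter like `anti-attack fragment car cir`. The `MAX_FRAGS_PER_ID` threshold, the byte-offset record format and the sample fragments are assumptions constructed for the example.

```python
from collections import defaultdict

MAX_DATAGRAM, MAX_FRAGS_PER_ID = 65535, 8   # RFC 791 limit; assumed excess threshold

def classify(frag, state):
    """Label one fragment; state maps datagram id -> byte ranges already seen."""
    labels = []
    ranges = state[frag["id"]]
    start, end = frag["offset"], frag["offset"] + frag["len"]   # offsets in bytes
    if end > MAX_DATAGRAM:                       # fragment would extend past 64 KiB
        labels.append("oversize-offset")
    if (start, end) in ranges:                   # identical fragment sent again
        labels.append("repeated-fragment")
    elif any(start < e and end > s for s, e in ranges):
        labels.append("overlap (teardrop-style)")
    if len(ranges) + 1 > MAX_FRAGS_PER_ID:       # too many pieces for one datagram
        labels.append("excess-fragments")
    ranges.append((start, end))
    return labels

def scan(fragments):
    """Return {index: labels} for every fragment that looks malformed."""
    state, findings = defaultdict(list), {}
    for i, frag in enumerate(fragments):
        labels = classify(frag, state)
        if labels:
            findings[i] = labels
    return findings

def car_filter(fragments, cir_bps):
    """Token bucket holding one second of CIR; fragments that do not fit are dropped."""
    depth = cir_bps / 8                          # bucket depth in bytes
    tokens, last, passed = depth, 0.0, []
    for frag in fragments:                       # frag["ts"] is arrival time in seconds
        tokens = min(depth, tokens + (frag["ts"] - last) * depth)
        last = frag["ts"]
        if frag["len"] <= tokens:
            tokens -= frag["len"]
            passed.append(frag)
    return passed

# Constructed sample: one well-formed fragment (id 1), then crafted ones.
SAMPLE = [
    {"id": 1, "offset": 0,     "len": 1480, "ts": 0.000},
    {"id": 2, "offset": 65000, "len": 1480, "ts": 0.001},  # ends beyond 65535
    {"id": 3, "offset": 0,     "len": 1480, "ts": 0.002},
    {"id": 3, "offset": 0,     "len": 1480, "ts": 0.003},  # exact repeat
    {"id": 4, "offset": 0,     "len": 1480, "ts": 0.004},
    {"id": 4, "offset": 800,   "len": 400,  "ts": 0.005},  # overlaps id 4
]
```

With `cir 8000` the bucket holds only 1000 bytes, so every 1480-byte fragment in the sample is dropped; at the 155,000,000 bit/s default all of them pass.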
