Configuring TCP fragment attack prevention
The TCP fragment attack prevention feature inspects the length and fragment offset of each received TCP fragment and drops the fragments it identifies as attack fragments.
TCP fragment attack prevention takes precedence over single-packet attack prevention. When both are used, incoming TCP packets are processed first by TCP fragment attack prevention and then by the single-packet attack defense policy.
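
The kind of length and fragment-offset check described above, written out as an added example; it is not the device's implementation and not code from the original page. The page does not list the exact rules, so the two checks from RFC 1858 are assumed (a first fragment too short to hold the 20-byte TCP header, and a fragment offset of 1); `classify_fragment` and `build_ipv4` are hypothetical names and the packets are constructed samples.

```python
import struct

TCP_PROTO = 6
MIN_TCP_HEADER = 20  # bytes; assumed threshold, from the RFC 1858 tiny-fragment check


def classify_fragment(packet: bytes) -> str:
    """Return 'pass' or a 'drop: ...' reason for one raw IPv4 packet."""
    if len(packet) < 20:
        return "drop: truncated IPv4 header"
    ver_ihl, _tos, total_len, _ident, flags_fo, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != TCP_PROTO:
        return "pass"  # not IPv4/TCP: outside the scope of this check
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        return "drop: malformed IPv4 header"
    more_fragments = bool(flags_fo & 0x2000)
    frag_offset = flags_fo & 0x1FFF        # counted in 8-byte units
    payload_len = total_len - ihl          # bytes of TCP data in this fragment
    if frag_offset == 0:
        # First fragment: it must carry the whole minimum TCP header, otherwise
        # the flags a packet filter inspects sit in a later fragment.
        if more_fragments and payload_len < MIN_TCP_HEADER:
            return "drop: first fragment shorter than TCP header"
        return "pass"
    if frag_offset == 1:
        # Offset 1 starts at byte 8 of the TCP header, so on reassembly it
        # would overwrite header fields that were already inspected.
        return "drop: fragment offset 1 overlaps TCP header"
    return "pass"


def build_ipv4(payload_len, frag_offset=0, more_fragments=False, proto=TCP_PROTO):
    """Constructed sample: minimal IPv4 header (checksum left at 0) plus zero payload."""
    flags_fo = (0x2000 if more_fragments else 0) | frag_offset
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, flags_fo,
                         64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + bytes(payload_len)


if __name__ == "__main__":
    samples = {"tiny first fragment": build_ipv4(8, 0, True),
               "normal first fragment": build_ipv4(24, 0, True),
               "offset-1 fragment": build_ipv4(16, 1),
               "later fragment": build_ipv4(16, 3)}
    for name, pkt in samples.items():
        print(f"{name}: {classify_fragment(pkt)}")
```
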
To configure TCP fragment attack prevention:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable TCP fragment attack prevention. | attack-defense tcp fragment enable | By default, TCP fragment attack prevention is enabled. TCP fragment attack prevention is typically used alone. |