Configuring TCP fragment attack prevention

The TCP fragment attack prevention feature detects the length and fragment offset of received TCP fragments and drops attack TCP fragments.

TCP fragment attack prevention takes precedence over single-packet attack prevention. When both are used, incoming TCP packets are processed first by TCP fragment attack prevention and then by the single-packet attack defense policy.
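As an added illustration of the kind of length and fragment-offset check described above (example code written for this page, not the vendor's implementation, which the page does not describe), the following Python applies the classic TCP fragment checks from RFC 1858 and RFC 3128: a first fragment too short to carry the TCP header, or a non-first fragment whose offset lands inside the TCP header, is flagged for dropping. It generalizes slightly beyond the RFC 1858 "offset 1" rule by flagging any offset that falls inside the header. The packet builder, the 20-byte threshold, and the sample packets are assumptions made for the example.

```python
"""Illustrative TCP fragment checks (added example, not vendor code)."""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
# Assumed threshold for this example: a first fragment must carry the full
# minimum TCP header (20 bytes) so ports, data offset and flags can be inspected.
MIN_TCP_HEADER = 20


def build_ipv4(proto: int, frag_offset: int, more_fragments: bool, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (no options, checksum zeroed) for the example."""
    if frag_offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                    # version 4, IHL 5 (20-byte header)
        0,                       # DSCP/ECN
        20 + len(payload),       # total length
        0x1234,                  # identification (constructed)
        flags_frag,              # flags (MF bit) + fragment offset in 8-byte units
        64,                      # TTL
        proto,
        0,                       # header checksum (not needed for this check)
        bytes([192, 0, 2, 1]),   # source, TEST-NET-1 (constructed)
        bytes([192, 0, 2, 2]),   # destination (constructed)
    )
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Extract the IPv4 fields the fragment checks rely on."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("malformed IPv4 header")
    return {
        "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,      # byte offset in the original datagram
        "payload_len": min(total_len, len(packet)) - ihl,
    }


def classify_tcp_fragment(packet: bytes) -> str:
    """Return "pass" or a "drop:<reason>" verdict for one IPv4 packet."""
    f = parse_ipv4(packet)
    if f["proto"] != IPPROTO_TCP:
        return "pass"                          # these checks apply only to TCP
    if f["frag_offset"] == 0 and not f["more_fragments"]:
        return "pass"                          # not fragmented at all
    if f["frag_offset"] == 0 and f["payload_len"] < MIN_TCP_HEADER:
        return "drop:tiny-first-fragment"      # RFC 1858 tiny fragment
    if 0 < f["frag_offset"] < MIN_TCP_HEADER:
        # RFC 1858 / RFC 3128: a fragment whose offset lands inside the TCP header
        # could overwrite ports or flags of the first fragment during reassembly.
        return "drop:overlapping-header-fragment"
    return "pass"


def filter_packets(packets):
    """Apply the check to a list of packets; return the verdicts and the accepted packets."""
    verdicts = [classify_tcp_fragment(p) for p in packets]
    accepted = [p for p, v in zip(packets, verdicts) if v == "pass"]
    return verdicts, accepted


# Constructed sample packets (not captured traffic)
SAMPLE_NORMAL = build_ipv4(IPPROTO_TCP, 0, False, bytes(20))      # unfragmented TCP
SAMPLE_TINY_FIRST = build_ipv4(IPPROTO_TCP, 0, True, bytes(8))    # 8-byte first fragment
SAMPLE_OVERLAP = build_ipv4(IPPROTO_TCP, 8, False, bytes(12))     # offset 8 lands in TCP header
SAMPLE_LATER = build_ipv4(IPPROTO_TCP, 1480, False, bytes(100))   # ordinary trailing fragment
SAMPLE_UDP_TINY = build_ipv4(IPPROTO_UDP, 0, True, bytes(4))      # tiny, but not TCP

if __name__ == "__main__":
    samples = [("normal", SAMPLE_NORMAL), ("tiny-first", SAMPLE_TINY_FIRST),
               ("overlap", SAMPLE_OVERLAP), ("later", SAMPLE_LATER), ("udp-tiny", SAMPLE_UDP_TINY)]
    for name, pkt in samples:
        print(f"{name:12s} -> {classify_tcp_fragment(pkt)}")
```

The two drop reasons map to the two quantities the feature inspects: `payload_len` (fragment length) for the first fragment and `frag_offset` for later ones. A real implementation would also track reassembly state so that an ordinary trailing fragment with a large offset, like `SAMPLE_LATER`, is still matched to a legitimate first fragment.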

To configure TCP fragment attack prevention:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable TCP fragment attack prevention.
   Command: attack-defense tcp fragment enable
   Remarks: By default, TCP fragment attack prevention is enabled.

TCP fragment attack prevention is typically used alone.