The Fragmented Packet Sources sensor looks for sources of packet fragmentation. Packet fragmentation may indicate poor application delivery or "frag attacks" that can circumvent Access Control Lists (ACLs) and stateless firewalls.
Troubleshooting a Fragmented Packet Sources Alert
An alert from the Fragmented Packet Sources sensor may indicate one of the following issues:
Check the MTU settings on the affected interfaces. Interfaces on the same router can have different MTU settings. Any IP packets that exceed the configured maximum number of bytes are broken into fragments. Stateless firewalls in particular often drop packet fragments.
Packets can be fragmented normally by routers if the packets exceed the MTU size on a router interface. In this case, a flag is set in the IP header to indicate that the packet is a fragment. Fragments continue to arrive until a fragment with the end of fragment (EOF) flag set completes the datagram. In a frag attack, fragmented packets are sent in a steady stream, but a packet with the EOF flag set is never sent. The incomplete fragments eventually fill the receive buffer on the target host and disable it.
If you suspect a frag attack, identify and block the offending host from sending data on the network by using a firewall or ACL.
Fragmented packets may indicate that an attacker is probing the host for system details, such as operating system level and known vulnerabilities.
Identify and block the offending host from sending data on the network by using a firewall or ACL.
Even though a host that communicates with another host across a VPN tunnel is a legitimate source of fragmented packets, the host still adds to the packet load. Adjusting the MTU on the host with the VPN client can help.
CA Anomaly Detector currently cannot identify the device that actually fragments the packets. The software can identify only the original source of the IP packet. Any Layer 3 device along the path may be the one that performs the fragmentation.
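The frag-attack pattern described above (a steady stream of fragments whose final fragment never arrives) can be checked for in captured traffic. The following is an added example, not part of CA Anomaly Detector; it parses the IPv4 header fields that matter (identification, More Fragments flag, fragment offset), groups fragments per datagram, and reports sources whose fragment streams never complete. The sample packets are constructed, and the three-fragment threshold is an assumed tuning value.

```python
import struct
from collections import defaultdict

def make_fragment(src, dst, ident, offset, more_fragments, payload_len=8):
    """Build a minimal IPv4 header plus dummy payload (constructed sample, not real traffic)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset // 8)
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                         flags_frag, 64, 17, 0, ip_src, ip_dst)
    return header + b"\x00" * payload_len

def parse_fragment(packet):
    """Pull the fragment-tracking fields out of a raw IPv4 header."""
    (_ver_ihl, _tos, _total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "id": ident, "proto": proto,
        "mf": bool(flags_frag & 0x2000),      # More Fragments: set on every fragment but the last
        "offset": (flags_frag & 0x1FFF) * 8,  # 13-bit offset, measured in 8-byte units
    }

def incomplete_fragment_streams(packets, min_fragments=3):
    """Group fragments by (src, dst, id, proto) and count, per source, the streams
    that sent at least min_fragments fragments but never a final one (MF clear)."""
    streams = defaultdict(lambda: {"fragments": 0, "final_seen": False})
    for pkt in packets:
        f = parse_fragment(pkt)
        if not f["mf"] and f["offset"] == 0:
            continue  # unfragmented datagram, nothing to track
        s = streams[(f["src"], f["dst"], f["id"], f["proto"])]
        s["fragments"] += 1
        if not f["mf"]:
            s["final_seen"] = True
    suspects = defaultdict(int)
    for (src, _dst, _id, _proto), s in streams.items():
        if not s["final_seen"] and s["fragments"] >= min_fragments:
            suspects[src] += 1
    return dict(suspects)

# Constructed sample: 10.0.0.5 sends one normally fragmented datagram (its final
# fragment arrives); 10.0.0.9 sends four streams whose last fragment never arrives.
SAMPLE = [make_fragment("10.0.0.5", "10.0.0.1", 100, 0, True),
          make_fragment("10.0.0.5", "10.0.0.1", 100, 8, True),
          make_fragment("10.0.0.5", "10.0.0.1", 100, 16, False)]
for ident in range(200, 204):
    SAMPLE += [make_fragment("10.0.0.9", "10.0.0.1", ident, off, True) for off in (0, 8, 16)]
```

A stream that is merely slow is indistinguishable from an attack on a single pass, so in practice the check is run on fragments older than the host's reassembly timeout.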
Copyright © 2015 CA Technologies.
All rights reserved.