Enabling TCP fragment attack protection
TCP fragment attack protection enables the device to drop attack TCP fragments, which prevents TCP fragment attacks that the packet filter cannot detect. As defined in RFC 1858, attack TCP fragments are the following TCP fragments:
- First fragments in which the TCP header is smaller than 20 bytes.
- Non-first fragments with a fragment offset of 8 bytes (FO=1).
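The two checks listed above, written out as an added Python example (it is not the device's implementation or vendor code). It assumes IPv4, treats a first fragment as FO=0 with the More Fragments flag set, and measures the TCP header as the transport bytes carried in that fragment; the function names and the constructed sample packets are hypothetical.

```python
import struct

TCP_PROTO = 6
TCP_MIN_HEADER = 20  # minimum TCP header length in bytes


def classify_fragment(packet: bytes) -> str:
    """Return 'tiny-first-fragment', 'offset-one-fragment' or 'ok'."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_fo, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4            # IP header length in bytes
    if ihl < 20 or total_len < ihl:
        raise ValueError("invalid IPv4 length fields")
    if proto != TCP_PROTO:
        return "ok"                       # both checks apply to TCP only
    more_fragments = bool(flags_fo & 0x2000)
    frag_offset = flags_fo & 0x1FFF       # counted in 8-byte units
    transport_len = total_len - ihl       # transport bytes in this fragment
    # Check 1: first fragment too short to hold a complete TCP header.
    if frag_offset == 0 and more_fragments and transport_len < TCP_MIN_HEADER:
        return "tiny-first-fragment"
    # Check 2: FO=1 places data at byte 8, on top of the TCP flags field.
    if frag_offset == 1:
        return "offset-one-fragment"
    return "ok"


def build_ipv4(payload_len, frag_offset, mf, proto=TCP_PROTO):
    """Constructed sample: 20-byte IPv4 header (checksum 0) plus zero payload."""
    flags_fo = (0x2000 if mf else 0) | frag_offset
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                         flags_fo, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + bytes(payload_len)


if __name__ == "__main__":
    samples = {
        "8-byte first fragment": build_ipv4(8, 0, True),
        "fragment at FO=1": build_ipv4(16, 1, False),
        "24-byte first fragment": build_ipv4(24, 0, True),
        "fragment at FO=3": build_ipv4(32, 3, False),
    }
    for name, pkt in samples.items():
        print(f"{name}: {classify_fragment(pkt)}")
```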
To enable TCP fragment attack protection:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable TCP fragment attack protection. | attack-defense tcp fragment enable | By default, TCP fragment attack protection is enabled. |