Configuring TCP fragment attack prevention

About TCP fragment attack prevention

The TCP fragment attack prevention feature checks the length and fragment offset of received TCP fragments and drops the fragments that it identifies as attack fragments.
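To illustrate the kind of length and fragment-offset checks described above, the following added example (not part of this document and not the device's implementation) applies the two TCP fragment filtering rules from RFC 1858 to raw IPv4 packets. This document does not state the device's exact criteria; the RFC 1858 rules, the function names, and the sample packets are assumptions constructed for the example.

```python
import struct

PROTO_TCP = 6
MIN_TCP_HEADER = 20  # bytes in a TCP header without options

def classify_fragment(packet: bytes) -> str:
    """Return 'pass' or 'drop:<reason>' for one raw IPv4 packet (RFC 1858 checks)."""
    if len(packet) < 20:
        return "drop:truncated-ip-header"
    ver_ihl, _tos, total_len, _ident, flags_off, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        return "drop:malformed-ip-header"
    if proto != PROTO_TCP:
        return "pass"                     # only TCP fragments are examined
    more_fragments = bool(flags_off & 0x2000)
    offset = flags_off & 0x1FFF           # fragment offset in 8-byte units
    if offset == 0 and not more_fragments:
        return "pass"                     # unfragmented packet, out of scope
    # Length check: the first fragment must carry a whole minimal TCP header,
    # otherwise the ports and flags cannot be inspected by later filters.
    if offset == 0 and total_len - ihl < MIN_TCP_HEADER:
        return "drop:tiny-first-fragment"
    # Offset check: offset 1 places data at byte 8 of the TCP header, so on
    # reassembly it could overwrite the flags already inspected.
    if offset == 1:
        return "drop:overlapping-offset"
    return "pass"

def build_ipv4(offset_units, more_fragments, payload, proto=PROTO_TCP):
    """Build a constructed IPv4 packet for the example (checksum left at 0)."""
    flags_off = (0x2000 if more_fragments else 0) | offset_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_off, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return header + payload

if __name__ == "__main__":
    samples = {  # constructed sample fragments, not captured traffic
        "first fragment, 8-byte payload": build_ipv4(0, True, bytes(8)),
        "fragment at offset 1": build_ipv4(1, False, bytes(16)),
        "first fragment, 24-byte payload": build_ipv4(0, True, bytes(24)),
        "fragment at offset 3": build_ipv4(3, False, bytes(16)),
    }
    for name, pkt in samples.items():
        print(f"{name}: {classify_fragment(pkt)}")
```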

Restrictions and guidelines

TCP fragment attack prevention takes precedence over single-packet attack prevention. When both are used, incoming TCP packets are processed first by TCP fragment attack prevention and then by the single-packet attack defense policy.

Procedure

  1. Enter system view.

    system-view

  2. Enable TCP fragment attack prevention.

    attack-defense tcp fragment enable

    By default, TCP fragment attack prevention is enabled.