For the proctor guide for Lab 11, the solution for protection against the ping of death is to use PBR and match against ICMP packets 201 - 2000 bytes in length. The ping of death is a fragmented packet spanning over many packets. If an attack occurred where the segment size was below 200 bytes, but the total length of the non-fragmented packet was greater than 65,536 bytes, this would not get sent to the null interface. If you turn on virtual reassembly, the default setting is to drop any flow where there are more than 16 fragments. So no matter how you fragmented your initial POD packet, virtual reassembly would still catch this and drop the fragmented packets. Would this not be the preferred method to protect against POD?

I also looked into using IPS on the router, but this also relies on virtual reassembly. So if you do not change the default amount of fragments of 16 packets, the router would end up dropping the reassembled packet even before hitting the IPS code. I do believe the virtual reassembly code gets turned on once you enable IPS, CBAC, or NAT as well, but the router in question did not have any of these features turned on.

On a side note, are there many circumstances where a packet would have more than 16 fragments? If I were to set up a router to protect a live web server, and had this feature turned on, would I be blocking any legitimate traffic? Most packets coming from clients should be less than 1500 bytes due to the MTU on the client. Wouldn't most, if not all, traffic greater than 1500 bytes be seen as an attack? I understand there are some WAN circuits and other circumstances (like VPN) where the MTU would be less than 1500, and packet fragmentation would have to occur, but that should only fragment the packet into two or three fragments.

Thanks for your help
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
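Added example, not from the post above or from the lab guide it discusses: a small Python model of the two defences being compared, the PBR length match on ICMP packets of 201-2000 bytes and a virtual-reassembly style check that counts fragments per IP ID (default limit 16, as the post states) and computes the reassembled size. It works on constructed fragment descriptors (IP ID, offset, total length, MF flag) only, builds no packets, and assumes 20-byte IP headers with no options. The 1480-byte and 176-byte fragment sizes, the 4000-byte "large ping" and the 65,600-byte oversize datagram are constructed inputs chosen to reproduce the three cases the post raises.

```python
"""Model of two ping-of-death defences: PBR length match vs. reassembly check.
Operates on constructed fragment descriptors; nothing is built or sent."""
from dataclasses import dataclass

IP_HEADER_LEN = 20          # assumption: IPv4 header with no options
MAX_IP_DATAGRAM = 65535     # largest total length an IPv4 datagram may claim
DEFAULT_MAX_FRAGMENTS = 16  # IOS virtual-reassembly default quoted in the post


@dataclass(frozen=True)
class Fragment:
    """What a router sees per fragment: IP ID, byte offset, total length, MF flag."""
    ident: int
    offset: int          # byte offset of this fragment's payload within the datagram
    total_length: int    # IP total length field (header + payload)
    more_fragments: bool
    proto: str = "icmp"

    @property
    def payload_len(self) -> int:
        return self.total_length - IP_HEADER_LEN


def fragment_datagram(ident, payload_bytes, mtu, proto="icmp"):
    """Split a datagram carrying payload_bytes into fragments that fit the MTU.
    Fragment offsets are kept on 8-byte boundaries as IPv4 requires."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags, offset = [], 0
    while offset < payload_bytes:
        size = min(chunk, payload_bytes - offset)
        frags.append(Fragment(ident, offset, size + IP_HEADER_LEN,
                              offset + size < payload_bytes, proto))
        offset += size
    return frags


def pbr_length_match(frags, low=201, high=2000):
    """Stateless model of the lab's route-map: an ICMP packet whose layer-3
    length falls in [low, high] is sent to Null0. True if any fragment of the
    datagram would be dropped this way; each fragment is judged on its own."""
    return any(f.proto == "icmp" and low <= f.total_length <= high for f in frags)


def virtual_reassembly_verdict(frags, max_fragments=DEFAULT_MAX_FRAGMENTS):
    """Stateful model: group fragments by IP ID, drop the datagram if it needs
    more than max_fragments pieces, otherwise check the reassembled size."""
    by_id = {}
    for f in frags:
        by_id.setdefault(f.ident, []).append(f)
    verdicts = {}
    for ident, group in by_id.items():
        if len(group) > max_fragments:
            verdicts[ident] = "drop: fragment count exceeds limit"
            continue
        reassembled = max(f.offset + f.payload_len for f in group) + IP_HEADER_LEN
        if reassembled > MAX_IP_DATAGRAM:
            verdicts[ident] = "drop: reassembled datagram oversize"
        else:
            verdicts[ident] = "accept"
    return verdicts


def max_datagram_under_limit(mtu, max_fragments=DEFAULT_MAX_FRAGMENTS):
    """Largest payload (bytes) that still fits in max_fragments pieces at this
    MTU; anything bigger is dropped by the count limit whether or not it is hostile."""
    return max_fragments * ((mtu - IP_HEADER_LEN) // 8 * 8)


if __name__ == "__main__":
    # Constructed scenarios from the post: MTU-sized fragments, sub-200-byte
    # fragments that slip under the PBR match, and a legitimate 4000-byte ping.
    scenarios = {
        "oversize, 1480-byte fragments": fragment_datagram(1, 65600, 1500),
        "oversize, 176-byte fragments":  fragment_datagram(2, 65600, 196),
        "legitimate 4000-byte ping":     fragment_datagram(3, 4000, 1500),
    }
    for name, frags in scenarios.items():
        print(f"{name}: {len(frags)} fragments, "
              f"PBR drops={pbr_length_match(frags)}, "
              f"reassembly={virtual_reassembly_verdict(frags)}")
    print("max payload in 16 fragments at MTU 1500:", max_datagram_under_limit(1500))
```

In this model the length match fires on the MTU-sized case but not on the 176-byte fragments, while the fragment-count limit drops both because each needs far more than 16 pieces; the same limit lets the three-fragment 4000-byte ping through (the length match, judging each fragment alone, would send its 1500-byte fragments to Null0). `max_datagram_under_limit` answers the post's last question numerically: at a 1500-byte MTU the 16-fragment default rejects any datagram over 23,680 bytes of payload, so only traffic that large, or a smaller datagram fragmented by a much lower MTU along the path, is affected.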
