Shawn,


Virtual Reassembly is only automatically turned on by NAT.  CBAC and IPS
require it to fully function against traffic coming in, but you must
manually enable it.


It would probably be a good idea to account for virtual-reassembly with
PoD's fragmented packets, but it is not required based on the task
requirements. A 65,536-byte packet broken into even 1500-byte packets
would take 43.7 packets to send it. Based on the suggestion of the question,
matching the size given and sending it to null0 meets the requirements of
the question.


But this would always be a good question to ask the proctor.


Regards,


Tyson Scott - CCIE #13513 R&S and Security

Technical Instructor - IPexpert, Inc.


Telephone: +1.810.326.1444 
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]


Join our free online support and peer group communities:
http://www.IPexpert.com/communities


IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage
Lab Certifications.


From: [email protected]
[mailto:[email protected]] On Behalf Of Shawn H
Mesiatowsky
Sent: Monday, August 17, 2009 3:30 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Lab 11 and Ping of death and fragmentation


For the proctor guide for Lab 11, the solution for protection against the
ping of death is to use PBR and match against ICMP packets 201 - 2000 bytes
in length. The ping of death is a fragmented packet spanning over many
packets. If an attack occurred where the segment size was below 200 bytes,
but the total length of the non-fragmented packet was greater than 65,536
bytes, this would not get sent to the null interface. If you turn on virtual
reassembly, the default setting is to drop any flow where there are more than
16 fragments. So no matter how you fragmented your initial PoD packet,
Virtual Reassembly would still catch this and drop the fragmented packets.
Would this not be the preferred method to protect against PoD?


I also looked into using IPS on the router, but this also relies on virtual
reassembly. So if you do not change the default number of fragments of 16
packets, the router would end up dropping the reassembled packet even before
hitting the IPS code.


I do believe the virtual reassembly code gets turned on once you enable
IPS, CBAC, or NAT as well, but the router in question did not have any of
these features turned on.


On a side note, are there many circumstances where a packet would have more
than 16 fragments? If I were to set up a router to protect a live web server,
and had this feature turned on, would I be blocking any legitimate traffic?
Most packets coming from clients should be less than 1500 bytes due to the
MTU on the client. Wouldn't most, if not all, traffic greater than 1500 bytes
be seen as an attack? I understand there are some WAN circuits and other
circumstances (like VPN) where the MTU would be less than 1500, and packet
fragmentation would have to occur, but that should only fragment the packet
into two or three fragments.


Thanks for your help
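The two approaches debated in this thread (a per-packet PBR length match versus a per-datagram fragment budget in virtual reassembly) can be compared on constructed fragment trains. The model below is an added example written for this page; it is not IOS code and not anything posted on the list. It assumes a 20-byte IPv4 header on every fragment, the 16-fragment budget and the 201 - 2000 byte match range quoted in the thread, and the IPv4 rule that every non-final fragment carries a multiple of 8 payload bytes. The fragment count it produces for a 65,536-byte datagram therefore accounts for the header each fragment carries rather than dividing the total by the MTU.

```python
"""Per-datagram fragment tracker modelled on the behaviour discussed in the
thread: a reassembly table that drops a datagram once it exceeds a fragment
budget (16, the value quoted in the thread) or once its fragments would
reassemble to more than the 65,535-byte IPv4 maximum.  All values below are
constructed for illustration; nothing here is IOS code."""
import math
from dataclasses import dataclass

IP_HEADER = 20                  # minimal IPv4 header, no options (assumption)
IPV4_MAX_TOTAL_LEN = 65_535     # limit of the 16-bit total-length field


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int      # IP identification field shared by all fragments of a datagram
    proto: int      # 1 = ICMP
    offset: int     # fragment offset in bytes (the header field counts 8-byte units)
    payload: int    # payload bytes carried by this fragment
    more: bool      # MF flag

    @property
    def total_len(self) -> int:
        return IP_HEADER + self.payload


def fragments_needed(datagram_len: int, mtu: int, header: int = IP_HEADER) -> int:
    """Fragments an IPv4 datagram of datagram_len bytes (header included) needs
    on a link with the given MTU; non-final fragments carry a multiple of 8."""
    per_frag = (mtu - header) // 8 * 8
    return math.ceil((datagram_len - header) / per_frag)


def fragment(src, dst, ident, proto, datagram_len, mtu):
    """Split one datagram into the Fragment objects a sender would emit."""
    per_frag = (mtu - IP_HEADER) // 8 * 8
    payload_total = datagram_len - IP_HEADER
    frags, off = [], 0
    while off < payload_total:
        size = min(per_frag, payload_total - off)
        frags.append(Fragment(src, dst, ident, proto, off, size, off + size < payload_total))
        off += size
    return frags


def pbr_length_match(frag: Fragment, lo: int = 201, hi: int = 2000) -> bool:
    """Per-packet check in the style of a PBR 'match length lo hi' clause: it
    sees only the Layer 3 length of each fragment, never the reassembled size."""
    return lo <= frag.total_len <= hi


class ReassemblyTracker:
    def __init__(self, max_fragments: int = 16):
        self.max_fragments = max_fragments
        self.table = {}      # (src, dst, ident, proto) -> list of fragments seen
        self.dropped = set() # datagrams already discarded

    def observe(self, frag: Fragment) -> str:
        key = (frag.src, frag.dst, frag.ident, frag.proto)
        if key in self.dropped:
            return "drop: flow already discarded"
        frags = self.table.setdefault(key, [])
        frags.append(frag)
        # Ping-of-death condition: the fragment would land beyond the IPv4 maximum.
        if frag.offset + frag.payload > IPV4_MAX_TOTAL_LEN - IP_HEADER:
            self.dropped.add(key)
            del self.table[key]
            return "drop: reassembled datagram exceeds 65,535 bytes"
        # Fragment budget, the check the thread expects to fire first.
        if len(frags) > self.max_fragments:
            self.dropped.add(key)
            del self.table[key]
            return "drop: more than %d fragments" % self.max_fragments
        # Final fragment seen and the payloads account for every byte up to it.
        if not frag.more and sum(f.payload for f in frags) == frag.offset + frag.payload:
            del self.table[key]
            return "pass: datagram complete"
        return "pass: waiting for more fragments"


def evaluate(frags, max_fragments: int = 16):
    """Run both checks over a fragment train.  Returns (fragments matched by the
    PBR length clause, tracker verdict), where the verdict is "pass" unless the
    tracker dropped the datagram."""
    tracker = ReassemblyTracker(max_fragments)
    pbr_hits = sum(pbr_length_match(f) for f in frags)
    verdict = "pass"
    for f in frags:
        v = tracker.observe(f)
        if v.startswith("drop"):
            verdict = v
            break
    return pbr_hits, verdict


if __name__ == "__main__":
    # Constructed trains: an oversize datagram at MTU 1500, the same datagram in
    # 180-byte fragments that slip under the 201-byte match, and a normal 100-byte ping.
    for mtu, size in ((1500, 65_536), (180, 65_536), (1500, 100)):
        train = fragment("10.0.0.1", "10.0.0.2", 7, 1, size, mtu)
        print(mtu, size, len(train), evaluate(train))
```

The 180-byte train is the case raised in the question: none of its fragments falls inside the 201 - 2000 byte window, so a per-packet length match never fires, while the tracker discards the datagram on its 17th fragment. Raising the budget (the `max_fragments` argument) shows the second safety net: the last fragment is still dropped because it would reassemble past 65,535 bytes.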

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com