By default the ASA allows 24 fragments per IP packet and can have a total of 200 fragments waiting to be reassembled.
In other words, I can take 1 large packet and chop it up into 24 fragments and the ASA will reassemble it. If you chop it up into 25 fragments you can't (by default). Now let's say that I have 3 packets that are all being chopped up. Let's say that the first packet has 4 of 24 fragments in the DB waiting on the rest. Let's say that the next has 20 of 24 and the next has 7 of 13. This means that the total in the database is 31 fragments of a possible total of 200. If I were to generate an attack where I create fake fragments, like say fragments 1 through 20 of a 24-fragment chain, then it would take 5 packets to fill the database. When the database is full, the timeout value would eventually age out the fake fragments and the database would be able to handle real fragments again. 200 packets is not much for the ASA to store and wait on until the timeout value. However, if I had 20000 fragments in the database then the ASA could potentially be using way too much resources to service the fake fragments and not enough for other critical processes.

--
Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
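A constructed simulation of the reassembly-database behaviour Brandon describes (an added example, not code from the thread or from Cisco): it enforces the 24-fragment chain and 200-fragment size defaults, ages out stale chains, and shows why raising the size lets incomplete chains tie up more state for the whole timeout. The 5-second timeout, the addresses and the chain sizes are assumed values.

```python
from dataclasses import dataclass, field

# Constructed model of the fragment reassembly database described above: the 24-per-packet
# (chain) and 200-total (size) defaults come from the thread; the 5-second timeout is assumed.
@dataclass
class FragmentDB:
    chain: int = 24
    size: int = 200
    timeout: int = 5
    pending: dict = field(default_factory=dict)  # (src, ip_id) -> {"frags", "first"}

    def held(self):  # fragments buffered across all incomplete chains
        return sum(len(p["frags"]) for p in self.pending.values())

    def expire(self, now):  # age out chains that waited longer than the timeout
        for k in [k for k, p in self.pending.items() if now - p["first"] >= self.timeout]:
            del self.pending[k]

    def offer(self, now, src, ip_id, idx, total):  # fragment idx of a total-fragment packet
        self.expire(now)
        if total > self.chain:
            return "drop-chain"  # more fragments than the chain limit allows
        entry = self.pending.setdefault((src, ip_id), {"frags": set(), "first": now})
        if idx not in entry["frags"] and self.held() >= self.size:
            if not entry["frags"]:
                del self.pending[(src, ip_id)]
            return "drop-full"  # database exhausted: legitimate traffic is refused too
        entry["frags"].add(idx)
        if len(entry["frags"]) == total:
            del self.pending[(src, ip_id)]
            return "reassembled"
        return "pending"

def thread_scenario():
    """Brandon's three partial chains (4/24, 20/24, 7/13) leave 31 fragments held."""
    db = FragmentDB()
    for ip_id, got, total in ((1, 4, 24), (2, 20, 24), (3, 7, 13)):
        for i in range(got):
            db.offer(0, "10.0.0.1", ip_id, i, total)
    return db.held()

def flood_then_recover(size=200):
    """Incomplete 20-of-24 chains fill the database; a real 2-fragment packet is refused
    until the timeout ages the junk out. Returns (chains accepted, verdict during flood,
    verdict after timeout, fragments still held)."""
    db, n = FragmentDB(size=size), 0
    while "drop-full" not in [db.offer(0, "192.0.2.9", n, i, 24) for i in range(20)]:
        n += 1
    blocked = db.offer(0, "10.0.0.1", 7, 0, 2)
    after = [db.offer(db.timeout, "10.0.0.1", 7, i, 2) for i in range(2)][-1]
    return n, blocked, after, db.held()
```

With the default size, 10 incomplete chains of 20 fragments exhaust the database; with a larger size the same flood is accepted for proportionally longer, which is the exposure the command reference warns about.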
From: Anantha Subramanian Natarajan <[email protected]>
Date: Thu, 4 Mar 2010 21:21:02 -0600
To: Cisco certification <[email protected]>, <[email protected]>
Subject: [OSL | CCIE_Security] Fragment ASA

Hi All,

Was going through the ASA command reference for the fragment command; it states that setting the fragment size limit to a large value can make the ASA more vulnerable to a DOS attack by fragment flooding. Couldn't understand that statement; would really appreciate clarification on that.

Thanks
Regards
Anantha Subramanian Natarajan
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
