Hi Brandon,

Awesome and thank you very much
Regards
Anantha Subramanian Natarajan

On Fri, Mar 5, 2010 at 1:54 AM, Brandon Carroll <[email protected]> wrote:

> By default the ASA allows 24 fragments per IP packet and can have a total
> of 200 fragments waiting to be reassembled.
>
> In other words I can take 1 large packet and chop it up into 24 fragments
> and the ASA will reassemble it. If you chop it up into 25 fragments you
> can't (by default). Now let's say that I have 3 packets that are all being
> chopped up. Let's say that the first packet has 4 of 24 fragments in the DB
> waiting on the rest. Let's say that the next has 20 of 24 and the next has 7
> of 13. This means that the total in the database is 31 fragments of a
> possible total of 200. If I were to generate an attack where I create fake
> fragments like say fragments 1 thru 20 of a 24 fragment chain then it would
> take 5 packets to fill the database. When the database is full the timeout
> value would eventually age out the fake fragments and the database would be
> able to handle real fragments again. 200 packets is not much for the ASA to
> store and wait on until the timeout value. However, if I had 20000
> fragments in the database then the ASA could potentially be using way too
> much resources to service the fake fragments and not enough for other
> critical processes.
>
> --
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
> Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
> Provider) Certification Training with locations throughout the United
> States, Europe and Australia. Be sure to check out our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com.
>
> ------------------------------
> *From: *Anantha Subramanian Natarajan <[email protected]>
> *Date: *Thu, 4 Mar 2010 21:21:02 -0600
> *To: *Cisco certification <[email protected]>, <[email protected]>
> *Subject: *[OSL | CCIE_Security] Fragment ASA
>
> Hi All,
>
> Was going through the ASA command reference for the fragment command, it
> states that setting the fragment size limit to a large value can make the
> ASA more vulnerable to a DOS attack by fragment flooding. Couldn't
> understand that statement, would really appreciate clarification on that.
>
> Thanks
>
> Regards
> Anantha Subramanian Natarajan
>
> ------------------------------
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
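As an added illustration of Brandon's explanation (this is a constructed toy model, not ASA code or anything from the thread), the class below buffers fragments under ASA-style `fragment size`, `fragment chain` and `fragment timeout` limits; the defaults 200 and 24 come from the thread, the 5-second timeout, the `FragmentDatabase`/`scenario` names and the flow keys are assumptions. `scenario()` fills the buffer with incomplete 20-of-24 chains, then shows that a legitimate packet cannot be reassembled until the timeout frees the slots, and that raising `size` simply multiplies the fragments pinned for that whole interval.

```python
class FragmentDatabase:
    """Toy model (constructed, not ASA code) of a reassembly buffer with ASA-style limits:
    size = max fragments buffered in total, chain = max fragments per packet,
    timeout = seconds an incomplete chain may wait before it is discarded."""
    def __init__(self, size=200, chain=24, timeout=5.0):
        self.size, self.chain, self.timeout = size, chain, timeout
        self.chains = {}  # flow key -> {"frags": set, "total": int|None, "first": float}
        self.reassembled = self.dropped = 0
    def buffered(self):
        return sum(len(c["frags"]) for c in self.chains.values())
    def expire(self, now):
        """Age out chains that have waited at least `timeout` seconds."""
        stale = [k for k, c in self.chains.items() if now - c["first"] >= self.timeout]
        for k in stale:
            self.dropped += len(self.chains.pop(k)["frags"])
        return len(stale)
    def offer(self, key, index, is_last, now):
        """Buffer fragment `index` of packet `key`; True if kept, False if dropped."""
        self.expire(now)
        c = self.chains.get(key) or {"frags": set(), "total": None, "first": now}
        if index in c["frags"]:
            return True  # duplicate, already held
        if len(c["frags"]) >= self.chain or self.buffered() >= self.size:
            self.dropped += 1
            return False  # per-packet chain limit or whole-buffer size limit reached
        c["frags"].add(index)
        if is_last:
            c["total"] = index + 1
        self.chains[key] = c
        if c["total"] is not None and len(c["frags"]) == c["total"]:
            del self.chains[key]  # complete: hand the packet on, free the slots
            self.reassembled += 1
        return True


def scenario(size=200, chain=24, timeout=5.0, per_chain=20):
    """Fill the buffer with incomplete chains of `per_chain` fragments at t=0, then
    try a legitimate 2-fragment packet before and after the timeout."""
    db = FragmentDatabase(size, chain, timeout)
    chains = 0
    while db.buffered() < size:
        for i in range(per_chain):
            db.offer(("incomplete", chains), i, False, 0.0)
        chains += 1
    held = db.buffered()
    legit = ("10.0.0.1", "10.0.0.2", 1234)  # constructed sample flow key
    blocked = not (db.offer(legit, 0, False, 0.1) and db.offer(legit, 1, True, 0.1))
    after = db.offer(legit, 0, False, timeout + 0.1) and db.offer(legit, 1, True, timeout + 0.1)
    return {"chains_to_fill": chains, "held": held, "legit_blocked": blocked, "legit_after_timeout": after}
```

With the defaults, 10 incomplete chains pin all 200 slots for the timeout; `scenario(size=20000)` pins 20000, which is the memory cost the command reference warns about.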
