Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config security dos ip-fragmentation-protection

IP Packet fragmentation assures that IP data grams can flow through any other type of network. It allows data grams created as a single packet to be split into many smaller packets for transmission and reassembled at a receiving host. A DDoS attack can deny services to the network by creating a fragmented data gram of a large enough size to overrun the buffers in your router.

The attack purpose is to consume the system memory and network bandwidth in the shortest possible time. We can limit the maximum usage of memory in each socket, the maximum distance counters between fragmentation packages from the same source IP, and the receiving timeout for an entire package.

Syntax

config security dos ip-fragmentation-protection

set max-memory-size <integer>

set min-memory-size <integer>

set time <integer>

end

CLI specification

CLI Parameter

Help message

Type

Scope

Default

Must

max-memory-size

ip fragmentation maximum memory size limit(KB)

integer

0-4096

4096

No

min-memory-size

ip fragmentation minimum memory size limit(KB)

integer

0-4096

3072

No

time

fragment package alive time

char

0-256

30

No

Function description

CLI Parameter

Description

max-memory-size

Maximum memory size of the IP fragmentation packet for the vdom. If it reaches this limit, FortiADC will stop doing IP fragmentation reassemble.

min-memory-size

When total IP fragmentation memory size drops to min-memory-size, it will start to do fragmentation reassemble again.

time

Max life time for each fragmentation queue. All the fragmentation packets in the queue will be dropped if the queue exceed this timeout.

Example

configure security dos ip-fragmentation-protection

set max-memory-size 4096

set max-memory-size 3072

set time 30

end

config security dos ip-fragmentation-protection

IP Packet fragmentation assures that IP data grams can flow through any other type of network. It allows data grams created as a single packet to be split into many smaller packets for transmission and reassembled at a receiving host. A DDoS attack can deny services to the network by creating a fragmented data gram of a large enough size to overrun the buffers in your router.

The attack purpose is to consume the system memory and network bandwidth in the shortest possible time. We can limit the maximum usage of memory in each socket, the maximum distance counters between fragmentation packages from the same source IP, and the receiving timeout for an entire package.

Syntax

config security dos ip-fragmentation-protection

set max-memory-size <integer>

set min-memory-size <integer>

set time <integer>

end

CLI specification

CLI Parameter

Help message

Type

Scope

Default

Must

max-memory-size

ip fragmentation maximum memory size limit(KB)

integer

0-4096

4096

No

min-memory-size

ip fragmentation minimum memory size limit(KB)

integer

0-4096

3072

No

time

fragment package alive time

char

0-256

30

No

Function description

CLI Parameter

Description

max-memory-size

Maximum memory size of the IP fragmentation packet for the vdom. If it reaches this limit, FortiADC will stop doing IP fragmentation reassemble.

min-memory-size

When total IP fragmentation memory size drops to min-memory-size, it will start to do fragmentation reassemble again.

time

Max life time for each fragmentation queue. All the fragmentation packets in the queue will be dropped if the queue exceed this timeout.

Example

configure security dos ip-fragmentation-protection

set max-memory-size 4096

set max-memory-size 3072

set time 30

end