Default: Check8 – compare 8 random locations, a total of 32 bytes
Failed Fragment Reassembly
Reassemblies may fail due to one of the following causes:
•
Some of the fragments did not arrive within the time stipulated by the ReassTimeout or
ReassTimeLimit settings. This may mean that one or more fragments were lost on their way
across the Internet, which is a quite common occurrence.
•
NetDefendOS was forced to interrupt the reassembly procedure due to new fragmented packets
arriving and the system temporarily running out of resources. In situations such as these, old
reassembly attempts are either discarded or marked as "failed".
•
An attacker has attempted to send an incorrectly fragmented packet.
Under normal circumstances, you would not want to log failures as they occur frequently. However,
it may be useful to log failures involving "suspect" fragments. Such failures may arise if, for
example, the IllegalFrags setting has been set to Drop rather than DropPacket.
The following settings are available for FragReassemblyFail:
•
NoLog - No logging is done when a reassembly attempt fails.
•
LogSuspect - Logs failed reassembly attempts only if "suspect" fragments have been involved.
•
LogSuspectSubseq - As LogSuspect, but also logs subsequent fragments of the packet as and
when they arrive
•
LogAll - Logs all failed reassembly attempts.
•
LogAllSubseq - As LogAll, but also logs subsequent fragments of the packet as and when they
arrive.
Default: LogSuspectSubseq
Dropped Fragments
If a packet is denied entry to the system as the result of the settings in the Rules section, it may also
be worth logging individual fragments of that packet. The DroppedFrags setting specifies how
NetDefendOS will act. Possible settings for this rule are as follows:
•
NoLog – No logging is carried out over and above that which is stipulated in the rule set.
•
LogSuspect - Logs individual dropped fragments of reassembly attempts affected by "suspect"
fragments.
•
LogAll - Always logs individual dropped fragments.
Default: LogSuspect
Duplicate Fragments
If the same fragment arrives more than once, this can mean either that it has been duplicated at some
point on its journey to the recipient or that an attacker is trying to disrupt the reassembly of the
packet. DuplicateFrags determines whether such a fragment should be logged. Note that
DuplicateFragData can also cause such fragments to be logged if the data contained in them does
not match up. Possible settings are as follows:
13.7. Fragmentation Settings
Chapter 13. Advanced Settings
444
Summary of Contents for 800 - DFL 800 - Security Appliance
Page 24: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24 ...
Page 69: ...2 6 4 Restore to Factory Defaults Chapter 2 Management and Maintenance 69 ...
Page 121: ...3 9 DNS Chapter 3 Fundamentals 121 ...
Page 181: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 181 ...
Page 192: ...5 5 IP Pools Chapter 5 DHCP Services 192 ...
Page 282: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 282 ...
Page 300: ...mechanism 7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 300 ...
Page 301: ...7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 301 ...
Page 318: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 318 ...
Page 322: ...ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 322 ...
Page 377: ...Management Interface Failure with VPN Chapter 9 VPN 377 ...
Page 408: ...10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 408 ...
Page 419: ...11 5 HA Advanced Settings Chapter 11 High Availability 419 ...
Page 426: ...12 3 5 Limitations Chapter 12 ZoneDefense 426 ...
Page 449: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 449 ...