IP Virtual Reassembly

A buffer overflow attack can occur when an attacker continuously sends a large number of incomplete IP fragments, causing the firewall to waste processing time and memory while trying to reassemble packets that will never be completed.

IP virtual reassembly is an interface feature that, when enabled, automatically reassembles fragmented packets arriving at the router through that interface. Cisco recommends that you enable "ip virtual-reassembly" on all interfaces where traffic comes into the router.

To enable virtual fragment reassembly (VFR) on an interface, use the ip virtual-reassembly command in interface configuration mode. To disable VFR on an interface, use the no form of this command.

router(config-if)# ip virtual-reassembly [max-reassemblies number] [max-fragments number] [timeout seconds] [drop-fragments]

Syntax Description

max-reassemblies number

(Optional) Maximum number of IP datagrams that can be reassembled at any given time. Default value: 16.

If the maximum value is reached, all fragments within the following fragment set will be dropped and an alert message will be logged to the syslog server.

max-fragments number

(Optional) Maximum number of fragments that are allowed per IP datagram (fragment set). Default value: 32.

If an IP datagram that is being reassembled receives more than the maximum allowed fragments, the IP datagram will be dropped and an alert message will be logged to the syslog server.

timeout seconds

(Optional) Timeout value, in seconds, for an IP datagram that is being reassembled. Default value: 3 seconds.

If an IP datagram does not receive all of the fragments within the specified time, the IP datagram (and all of its fragments) will be dropped.

drop-fragments

(Optional) Enables the VFR to drop all fragments that arrive on the configured interface. By default, this function is disabled.

The max-reassemblies number option and the max-fragments number option allow you to configure maximum threshold values to avoid a buffer overflow attack and to control memory usage.

In addition to configuring the maximum threshold values, each IP datagram is associated with a managed timer. If the IP datagram does not receive all of the fragments within the specified time (which can be configured via the timeout seconds option), the timer will expire and the IP datagram (and all of its fragments) will be dropped.
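The three thresholds described above (max-reassemblies, max-fragments and the per-datagram timer), modelled as an added Python example; this is a simplified simulation, not Cisco IOS code, and the fragment-set key (src, dst, id) and the alert message wording are assumptions.

```python
# Added example (not Cisco IOS code): a simplified model of the VFR table that
# enforces max-reassemblies, max-fragments and timeout as described above and
# records syslog-style alerts. Keys (src, dst, id) and messages are assumptions.
class VfrTable:
    def __init__(self, max_reassemblies=16, max_fragments=32, timeout=3.0):
        self.max_reassemblies = max_reassemblies
        self.max_fragments = max_fragments
        self.timeout = timeout
        self.table = {}    # key -> {"first_seen": t, "frags": [(offset, length, more)]}
        self.alerts = []   # messages IOS would log to the syslog server

    def expire(self, now):
        # Managed timer: drop every fragment set older than `timeout` seconds.
        for key, fs in list(self.table.items()):
            if now - fs["first_seen"] > self.timeout:
                del self.table[key]
                self.alerts.append(f"timeout: dropped {key} ({len(fs['frags'])} fragments)")

    def fragment(self, key, offset, length, more, now):
        """Process one fragment; returns 'reassembled', 'pending' or 'dropped'."""
        self.expire(now)
        fs = self.table.get(key)
        if fs is None:
            # A new fragment set is refused once max-reassemblies sets are pending.
            if len(self.table) >= self.max_reassemblies:
                self.alerts.append(f"max-reassemblies reached: dropped {key}")
                return "dropped"
            fs = self.table[key] = {"first_seen": now, "frags": []}
        fs["frags"].append((offset, length, more))
        if len(fs["frags"]) > self.max_fragments:
            del self.table[key]
            self.alerts.append(f"max-fragments exceeded: dropped {key}")
            return "dropped"
        if self._complete(fs["frags"]):
            del self.table[key]
            return "reassembled"
        return "pending"

    @staticmethod
    def _complete(frags):
        # Complete when fragments are contiguous from offset 0 and the last has MF clear.
        frags = sorted(frags)
        if frags[-1][2]:
            return False
        expected = 0
        for offset, length, _ in frags:
            if offset != expected:
                return False
            expected = offset + length
        return True
```

With the defaults, a stream of datagrams that each send only their first fragment fills the table after 16 entries and every further new datagram is dropped with an alert until the 3-second timer frees a slot.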

Automatically Enabling or Disabling VFR

VFR is designed to work with any feature that requires fragment reassembly (such as Cisco IOS Firewall and NAT). Currently, NAT enables and disables VFR internally; that is, when NAT is enabled on an interface, VFR is automatically enabled on that interface.

If more than one feature attempts to automatically enable VFR on an interface, VFR will maintain a reference count to keep track of the number of features that have enabled VFR. When the reference count is reduced to zero, VFR is automatically disabled.

© 2007 Cisco Systems, Inc. Adaptive Threat Defense 5-193
