06-26-2011 12:13 PM - edited 03-04-2019 12:49 PM
I am looking for an example of an ACL to deny overlapping fragments.
I have 3 messages on a 3845 router; following the Cisco documentation, it might be an attack on a host.
The recommendation was to create an ACL to deny overlaps.
Can someone please post an example of such an ACL? Many thanks.
.Jun 25 07:35:49.097: %IP_VFR-3-OVERLAP_FRAGMENTS: GigabitEthernet0/0: from the host 183.216.33.100 destined to xx.xx.205.102
.Jun 25 07:35:49.101: %IP_VFR-3-OVERLAP_FRAGMENTS: GigabitEthernet0/0: from the host 183.216.33.100 destined to xx.xx.205.102
.Jun 25 07:36:29.566: %IP_VFR-3-OVERLAP_FRAGMENTS: GigabitEthernet0/0: from the host 183.216.33.100 destined to xx.xx.205.102
06-27-2011 02:27 AM
If you think that this traffic coming from 183.216.33.100 is invalid, you can configure an ACL denying fragments from that particular source.
The ACL could be like:
access-list
access-list
This is going to deny only fragmented packets from that particular source.
Regards,
Subramaniya Karthic.R
06-27-2011 02:27 AM
Hi,
If you want to deny non-initial fragments via ACL from the above host, you can use:
access-list 101 deny tcp host 183.216.33.100 any fragments
A bit more information via this link:
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsaclseq.html#wp1046701
At the same time, you might want to check whether the fragmentation could be happening due to an incorrect MSS value, and try lowering it via "ip tcp adjust-mss".
Warm Regards,
Rose
06-28-2011 01:31 AM
With only three messages, I would not worry and do not do anything but monitor.
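An added example, not from any of the posters in this thread, of how one might monitor the %IP_VFR-3-OVERLAP_FRAGMENTS messages before deciding on an ACL, as the last reply suggests: it counts alerts per interface and source, and emits the "deny ... fragments" entry from Rose's reply only for sources that reach a threshold. The sample log lines and the addresses in them are constructed; the threshold and the ACL number 101 are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %IP_VFR-3-OVERLAP_FRAGMENTS format
# quoted in the thread; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
.Jun 25 07:35:49.097: %IP_VFR-3-OVERLAP_FRAGMENTS: GigabitEthernet0/0: from the host 192.0.2.10 destined to 198.51.100.102
.Jun 25 07:35:49.101: %IP_VFR-3-OVERLAP_FRAGMENTS: GigabitEthernet0/0: from the host 192.0.2.10 destined to 198.51.100.102
.Jun 25 07:36:29.566: %IP_VFR-3-OVERLAP_FRAGMENTS: GigabitEthernet0/0: from the host 192.0.2.10 destined to 198.51.100.102
.Jun 25 07:40:01.200: %IP_VFR-3-OVERLAP_FRAGMENTS: GigabitEthernet0/1: from the host 192.0.2.77 destined to 198.51.100.5
.Jun 25 07:41:12.004: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Matches only the overlap-fragment alert and captures interface, source and destination.
LINE_RE = re.compile(
    r"%IP_VFR-3-OVERLAP_FRAGMENTS: (?P<iface>\S+): from the host "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) destined to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)


def count_overlap_sources(log_text):
    """Return a Counter keyed by (interface, source) with one count per alert line."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[(m.group("iface"), m.group("src"))] += 1
    return counts


def suggest_acl(counts, threshold, acl_number=101):
    """Build ACL entries for sources whose alert total (across interfaces) reaches
    the threshold, mirroring the 'deny tcp host ... any fragments' form from the thread,
    and close with a permit so the ACL does not block everything else. The threshold
    and ACL number are assumptions, not values from the thread."""
    per_source = Counter()
    for (_, src), n in counts.items():
        per_source[src] += n
    entries = [
        f"access-list {acl_number} deny tcp host {src} any fragments"
        for src, n in sorted(per_source.items()) if n >= threshold
    ]
    entries.append(f"access-list {acl_number} permit ip any any")
    return entries


if __name__ == "__main__":
    hits = count_overlap_sources(SAMPLE_LOG)
    for (iface, src), n in sorted(hits.items()):
        print(f"{iface} {src}: {n} overlap alert(s)")
    print("\n".join(suggest_acl(hits, threshold=3)))
```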