Configuring the Fragment Size
Unicast RPF is implemented as follows:
•
•
To enable Unicast RPF, enter the following command:
hostname(config)# ip verify reverse-path interface interface_name
Configuring the Fragment Size
By default, the security appliance allows up to 24 fragments per IP packet, and up to 200 fragments
awaiting reassembly. You might need to let fragments on your network if you have an application that
routinely fragments packets, such as NFS over UDP. However, if you do not have an application that
fragments traffic, we recommend that you do not allow fragments through the security appliance.
Fragmented packets are often used as DoS attacks. To set disallow fragments, enter the following
command:
hostname(config)# fragment chain 1 [interface_name]
Enter an interface name if you want to prevent fragmentation on a specific interface. By default, this
command applies to all interfaces.
Blocking Unwanted Connections
If you know that a host is attempting to attack your network (for example, system log messages show an
attack), then you can block (or shun) connections based on the source IP address and other identifying
parameters. No new connections can be made until you remove the shun.
If you have an IPS that monitors traffic, such as an AIP SSM, then the IPS can shun connections
Note
automatically.
To shun a connection manually, perform the following steps:
If necessary, view information about the connection by entering the following command:
Step 1
hostname# show conn
The security appliance shows information about each connection, such as the following:
TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO
To shun connections from the source IP address, enter the following command:
Step 2
hostname(config)# shun src_ip [dst_ip src_port dest_port [protocol]] [vlan vlan_id]
If you enter only the source IP address, then all future connections are shunned; existing connections
remain active.
Cisco Security Appliance Command Line Configuration Guide
23-6
ICMP packets have no session, so each packet is checked.
UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent
packets arriving during the session are checked using an existing state maintained as part of the
session. Non-initial packets are checked to ensure they arrived on the same interface used by the
initial packet.
Chapter 23
Preventing Network Attacks
OL-10088-01