Cisco Firepower Management Center 4000
26-11
FireSIGHT System User Guide
Chapter 26 Using Transport & Network Layer Preprocessors
Defragmenting IP Packets
Step 6
Save your policy, continue editing, discard your changes, revert to the default configuration settings in
the base policy, or exit while leaving your changes in the system cache. See the
table for more information.
Defragmenting IP Packets
License:
Protection
When an IP datagram is broken into two or more smaller IP datagrams because it is larger than the
maximum transmission unit (MTU), it is fragmented. A single IP datagram fragment may not contain
enough information to identify a hidden attack. Attackers may attempt to evade detection by transmitting
attack data in fragmented packets. The IP defragmentation preprocessor reassembles fragmented IP
datagrams before the rules engine executes rules against them so that the rules can more appropriately
identify attacks in those packets. If fragmented datagrams cannot be reassembled, rules do not execute
against them.
Note that you must enable IP defragmentation preprocessor rules, which have a generator ID (GID) of
123, if you want these rules to generate events. A link on the configuration page takes you to a filtered
view of IP defragmentation preprocessor rules on the intrusion policy Rules page, where you can enable
and disable rules and configure other rule actions. See
information.
See the following sections for more information:
•
•
•
•
Understanding IP Fragmentation Exploits
License:
Protection
Enabling IP defragmentation helps you detect attacks against hosts on your network, like the teardrop
attack, and resource consumption attacks against the system itself, like the Jolt2 attack.
The Teardrop attack exploits a bug in certain operating systems that causes them to crash when trying to
reassemble overlapping IP fragments. When enabled and configured to do so, the IP defragmentation
preprocessor identifies the overlapping fragments. The IP defragmentation preprocessor detects the first
packets in an overlapping fragment attack such as Teardrop, but does not detect subsequent packets for
the same attack.
The Jolt2 attack sends a large number of copies of the same fragmented IP packet in an attempt to
overload IP defragmenters and cause a denial of service. A memory usage cap disrupts this and
similar attacks in the IP defragmentation preprocessor, and places system self-preservation above
exhaustive inspection. The system is not overwhelmed by the attack, remains operational, and continues
to inspect network traffic.
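The following is an added example, not code from the FireSIGHT System or from Snort, written to illustrate the three behaviours described above: rules see a content match only after fragments are reassembled, overlapping fragments (the Teardrop pattern) are flagged, and a memory cap stops a flood of repeated fragments (the Jolt2 pattern) from exhausting the reassembler. It is a deliberately simplified model: fragments are given as byte offsets rather than parsed from IP headers (real headers store the offset in 8-byte units), the `first`/`last` overlap policies are an assumption that stands in for the operating-system-specific reassembly the guide refers to, and `SIGNATURE` is a constructed stand-in for a rule's content match.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Fragment:
    frag_id: int     # IP identification field: groups the fragments of one datagram
    offset: int      # byte offset of this payload within the original datagram (simplified)
    more: bool       # "more fragments" flag: True for every fragment except the last
    payload: bytes


def overlaps(a: Fragment, b: Fragment) -> bool:
    """True when the byte ranges covered by two fragments intersect."""
    return a.offset < b.offset + len(b.payload) and b.offset < a.offset + len(a.payload)


@dataclass
class Reassembler:
    memory_cap: int = 4096          # total payload bytes the fragment cache may hold
    policy: str = "first"           # assumed overlap policy: "first" keeps earlier data, "last" keeps newest
    events: List[str] = field(default_factory=list)      # detection events (stand-in for GID 123 alerts)
    _cache: Dict[int, List[Fragment]] = field(default_factory=dict)
    _used: int = 0

    def cached_bytes(self) -> int:
        return self._used

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Queue a fragment; return the reassembled datagram once it is complete, else None."""
        if self._used + len(frag.payload) > self.memory_cap:
            # Self-preservation beats exhaustive inspection: drop rather than grow without bound.
            self.events.append(f"memory cap hit: dropped id={frag.frag_id} off={frag.offset}")
            return None
        frags = self._cache.setdefault(frag.frag_id, [])
        if any(overlaps(f, frag) for f in frags):
            self.events.append(f"overlap: id={frag.frag_id} off={frag.offset} len={len(frag.payload)}")
        frags.append(frag)
        self._used += len(frag.payload)
        return self._try_complete(frag.frag_id)

    def _try_complete(self, frag_id: int) -> Optional[bytes]:
        frags = self._cache[frag_id]
        last = [f for f in frags if not f.more]
        if not last:
            return None                     # no final fragment yet, so total length is unknown
        total = last[0].offset + len(last[0].payload)
        buf = bytearray(total)
        covered = bytearray(total)          # 1 where some fragment already supplied the byte
        for f in frags:                     # arrival order
            for i, byte in enumerate(f.payload):
                pos = f.offset + i
                if pos >= total:
                    break
                if self.policy == "first" and covered[pos]:
                    continue                # keep the data that arrived first
                buf[pos] = byte             # "last": the newest data wins
                covered[pos] = 1
        if not all(covered):
            return None                     # holes remain; rules cannot run on a partial datagram
        self._used -= sum(len(f.payload) for f in frags)
        del self._cache[frag_id]
        return bytes(buf)


SIGNATURE = b"SIGNATURE"   # constructed stand-in for a rule's content match


def rule_matches(data: bytes) -> bool:
    return SIGNATURE in data


def demo_split_signature() -> bytes:
    """A match split across two fragments is invisible per fragment, visible after reassembly."""
    r = Reassembler()
    first = Fragment(1, 0, True, b"....SIGNA")
    second = Fragment(1, 9, False, b"TURE....")
    assert not rule_matches(first.payload) and not rule_matches(second.payload)
    r.add(first)
    return r.add(second)


def demo_overlap() -> dict:
    """Overlapping fragments are flagged; the reassembled bytes depend on the policy in use."""
    results = {}
    for policy in ("first", "last"):
        r = Reassembler(policy=policy)
        r.add(Fragment(2, 0, True, b"AAAAAAAA"))
        results[policy] = r.add(Fragment(2, 4, False, b"BBBBBBBB"))   # bytes 4-7 overlap
        results[policy + "_events"] = len(r.events)
    return results


def demo_flood(copies: int = 100) -> tuple:
    """Repeated copies of one never-completing fragment stop growing the cache at the cap."""
    r = Reassembler(memory_cap=256)
    for _ in range(copies):
        r.add(Fragment(3, 0, True, b"X" * 32))
    dropped = sum(1 for e in r.events if e.startswith("memory cap"))
    return dropped, r.cached_bytes()


if __name__ == "__main__":
    print(rule_matches(demo_split_signature()), demo_overlap(), demo_flood())
```

The `first` and `last` policies reassemble the same overlapping pair into different byte strings, which is the reason the guide says a sensor that does not know the target's operating system may inspect a datagram that differs from what the host actually sees.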
Different operating systems reassemble fragmented packets in different ways. Attackers who can
determine which operating systems your hosts are running can also fragment malicious packets so that
a target host reassembles them in a specific manner. Because the system does not know which operating
systems the hosts on your monitored network are running, the preprocessor may reassemble and inspect