Considerations for enabling the Fragmented Packet option
One of the existing options in Padvish IPS is Fragmented Packet. This option is disabled by default.
Enabling this option requires some considerations:
- Enabling this option blocks every IP packet whose fragment flag is set.
- As a result, if your network architecture is one in which different parts of the network have different MTUs, so that packets are fragmented inside the network, enabling this option will block those connections. (See below for how to fix this problem.)
- Also, programs that are written to send large packets over raw UDP or a similar protocol, and therefore rely on fragmented packets, will lose their connection.
- Consequently, enabling this option without the necessary caution is not recommended.
Application of the Fragmented Packet option
This option is designed for use in very specific networks.
Unlike the other options in the IPS, a fragmented packet is not a type of attack by itself. In networks that rely on central NIDS equipment to counter network attacks, an attacker can sometimes fragment the attack packets so that they evade the central NIDS. In such networks, provided that packets are never fragmented under normal conditions, this option can be used to prevent that evasion.
How to properly configure the network to block fragmented packets
As said before, one of the reasons packet fragmentation occurs is a problem in the network configuration.
If your network fragments packets for such a reason (for example, an MTU difference between links along the path), you can fix the problem by manually decreasing the MTU.
In the Windows operating system, the MTU of a network card can be set from the command line:
netsh interface ipv4 set subinterface "Local Area Connection" mtu=1400 store=persistent
- Note that in the above command, the phrase Local Area Connection must be replaced with the name of the network card. To list the network cards, use the following command:
netsh interface ipv4 show subinterface
- The above command sets the MTU to 1400, which should be sufficient in most cases, but in other networks the value must be chosen according to the MTU capacity of the links along the path.
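The following PowerShell script is an added example, not part of the Padvish documentation: it finds the largest ICMP payload that crosses a path with the Don't Fragment bit set (using the built-in ping.exe), derives the path MTU from it, and prints the matching netsh command. The target address and adapter name are placeholders you must replace, and the target must answer ICMP echo requests.

```powershell
# Added example (not from the Padvish documentation): discover the largest
# unfragmented payload to a host with "ping -f -l", then derive the MTU to set
# with netsh. Assumes the Windows built-in ping.exe and a reachable target that
# answers ICMP echo; the target and interface name below are placeholders.
param(
    [string]$Target = "192.0.2.10",                 # placeholder: host on the far side of the suspect link
    [string]$Interface = "Local Area Connection",   # placeholder: replace with the real adapter name
    [int]$Low = 1000,                               # assumed to fit; checked before searching
    [int]$High = 1472                               # 1500-byte MTU minus 20 (IPv4) and 8 (ICMP) header bytes
)

# Returns $true if one echo request with DF set and the given payload size is answered.
function Test-PayloadFits([string]$Dest, [int]$Size) {
    $out = & ping.exe -n 1 -w 1000 -f -l $Size $Dest 2>&1 | Out-String
    # A normal reply contains "TTL="; a too-large DF packet reports
    # "Packet needs to be fragmented but DF set." instead.
    return ($out -match "TTL=") -and ($out -notmatch "fragmented")
}

# Binary search for the largest payload that passes with DF set.
function Find-MaxPayload([string]$Dest, [int]$Lo, [int]$Hi) {
    if (-not (Test-PayloadFits $Dest $Lo)) {
        throw "Even $Lo bytes fails to $Dest; check reachability first."
    }
    while ($Lo -lt $Hi) {
        $mid = [int][math]::Ceiling(($Lo + $Hi) / 2)
        if (Test-PayloadFits $Dest $mid) { $Lo = $mid } else { $Hi = $mid - 1 }
    }
    return $Lo
}

$payload = Find-MaxPayload $Target $Low $High
$mtu = $payload + 28   # add back the IPv4 (20) and ICMP (8) headers
Write-Host "Largest unfragmented ICMP payload to ${Target}: $payload bytes -> path MTU $mtu"
Write-Host "To stop local fragmentation on this path, run as Administrator:"
Write-Host "  netsh interface ipv4 set subinterface `"$Interface`" mtu=$mtu store=persistent"
```

Run the script once per distinct path before enabling the Fragmented Packet option, and apply the smallest MTU found if several paths share one adapter.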