First things first: what is a Fragmentation Attack?

It’s a kind of network attack that uses fragmented packets to try to bypass ACLs and to increase resource usage on the router. This is because the router will try to reassemble the packets before processing them.

Now, how do we protect our network against this?

Cisco ACLs have a magic keyword that changes how the device treats fragmented packets. This keyword is fragments.

So, let’s suppose one of our routers is under a fragmentation attack and we want to stop it. We have to create an ACL on the ingress interface denying fragmented packets and permitting all other traffic. Like this:

R3#
R3# en
R3# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)# ip access-list ext frag
R3(config-ext-nacl)# deny ip any any fragments
R3(config-ext-nacl)# permit ip any any
R3(config-ext-nacl)# exit
R3(config)# int s0/0/0.123
R3(config-subif)# ip access-group frag in

Now we have our router denying all the fragmented packets coming in on Serial0/0/0.123 and permitting normal traffic. We can see the ACL hit counters increasing.

R3(config-subif)# do sh ip access-l
Extended IP access list frag
    10 deny ip any any fragments (16 matches)
    20 permit ip any any (5 matches)
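To see why the order of the ACEs above matters, here is an added Python model (not from the original post and not Cisco code) of how IOS evaluates an ACL against whole datagrams, initial fragments and non-initial fragments, following the rules in the Cisco white paper linked below. It is a simplified model: every ACE is assumed to be "any any", and only the protocol and destination port are matched.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str              # "tcp", "udp", "icmp", ...
    dport: Optional[int]    # None for non-initial fragments: no L4 header is present
    frag_offset: int = 0    # 0 = unfragmented datagram or initial fragment

@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol (src/dst assumed "any any")
    dport: Optional[int] = None   # L4 match such as "eq 23"; None = L3-only ACE
    fragments: bool = False       # the IOS 'fragments' keyword

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Apply the IOS fragment-handling rules (simplified model) and return the action.

    - ACE with 'fragments': considered only for non-initial fragments.
    - L3-only ACE: applies to whole datagrams and to every fragment.
    - L3+L4 ACE on a non-initial fragment (no L4 header to inspect):
      a permit ACE permits it, a deny ACE is skipped and the next ACE is tried.
    - Nothing matched: implicit deny at the end of the list.
    """
    non_initial = pkt.frag_offset != 0
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.fragments:
            if non_initial:
                return ace.action
            continue
        if ace.dport is None:
            return ace.action
        if non_initial:
            if ace.action == "permit":
                return "permit"
            continue
        if pkt.dport == ace.dport:
            return ace.action
    return "deny"

# Constructed sample ACLs: a port-based filter without and with the 'fragments' ACE in front.
PORT_ONLY_ACL = [Ace("deny", "tcp", dport=23), Ace("permit", "ip")]
FRAG_AWARE_ACL = [Ace("deny", "ip", fragments=True)] + PORT_ONLY_ACL

if __name__ == "__main__":
    telnet_head = Packet("tcp", dport=23)                      # whole datagram or initial fragment
    telnet_tail = Packet("tcp", dport=None, frag_offset=185)   # non-initial fragment
    print(evaluate(PORT_ONLY_ACL, telnet_head), evaluate(PORT_ONLY_ACL, telnet_tail))    # deny permit
    print(evaluate(FRAG_AWARE_ACL, telnet_head), evaluate(FRAG_AWARE_ACL, telnet_tail))  # deny deny
```

The first line of output shows the bypass: the port-based deny cannot match a non-initial fragment, so it falls through to the permit. The second line shows the fragments ACE catching it before the rest of the list is consulted.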

There are more options for fragmented-packet processing. We could add a CoPP (Control Plane Policing) policy to rate-limit this kind of traffic. This will be necessary if the router is an IPsec termination device, which often handles fragmented packets.

More information about ACL fragment packet processing can be found here: http://www.cisco.com/en/US/tech/tk826/tk369/technologies_white_paper09186a00800949b8.shtml