Abstract
In one embodiment, the present invention is a technique for processing fragments received at a node (e.g., a router) in a datagram-based communication system in order to provide a wide range of protection against potential fragment-based attacks. Received fragments are examined as they are received to verify that they do not overlap one another and that the fragment sequence does not exploit common weaknesses in IP packet-reassembly algorithms. Valid fragment sequences that represent potential threats to the receiver can be reordered and/or fully or partially re-assembled and re-fragmented into a fragment sequence that eliminates or reduces the threat to the receiver. Fragment sequences that represent a likely attack are blocked, as are subsequent fragments of the associated packet.
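The overlap and completeness check described above, followed by the reorder/re-assemble/re-fragment normalization, as an added Python example that is not part of the patent. Byte offsets, a fixed MTU and the `Fragment` record are simplifying assumptions (real IP fragment offsets are in 8-byte units).

```python
# Added example, not from the patent: classify an IP fragment sequence as
# overlapping (block), incomplete, or ok, and normalize an ok sequence by
# reassembling it and re-fragmenting it in order at a fixed MTU.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int      # byte offset within the original datagram (simplified)
    payload: bytes
    more: bool       # more-fragments flag

    @property
    def end(self) -> int:
        return self.offset + len(self.payload)


def check_fragments(frags):
    """Return 'overlap', 'incomplete' or 'ok' for a fragment sequence.

    Fragments are sorted by offset; any fragment that starts before the end
    of the previous one (including exact duplicates) is an overlap, which the
    technique treats as a likely attack and blocks.
    """
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for f in ordered:
        if f.offset < expected:        # overwrites bytes already received
            return "overlap"
        if f.offset > expected:        # hole in the sequence
            return "incomplete"
        expected = f.end
    if not ordered or ordered[-1].more:  # last fragment still claims more
        return "incomplete"
    return "ok"


def normalize(frags, mtu):
    """Reassemble a clean sequence and re-fragment it in order at `mtu` bytes.

    Re-emitting the datagram as an in-order, non-overlapping sequence removes
    the reassembly ambiguity an out-of-order sequence could exploit downstream.
    """
    verdict = check_fragments(frags)
    if verdict != "ok":
        raise ValueError("refusing to forward fragment sequence: " + verdict)
    data = b"".join(f.payload for f in sorted(frags, key=lambda f: f.offset))
    return [Fragment(off, data[off:off + mtu], off + mtu < len(data))
            for off in range(0, len(data), mtu)]
```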