Fragmented DHCP packets

This test checks that the switch drops fragmented DHCP packets before they reach the control plane. If fragmented packets are not dropped, they consume control-plane resources on the switch during reassembly. This can be exploited to launch a DoS attack that exhausts CPU cycles or fills up the packet buffers.

Since the control plane is normally in a controlled environment, the MTU is known. There is therefore no reason for packets to be fragmented, nor for packet reassembly to be needed.

Impact: DoS

Test process

  • Malicious Customer sends a valid DHCP packet.
  • Malicious Customer sends DHCP packets fragmented into 40-byte and 104-byte fragments.

Fail criteria

  • ISP does not receive the valid DHCP packet.
  • ISP receives any fragment of a fragmented packet.

References

This test conforms to SEC Access Certification ID "SEC-V4-CP-FRAG-1" and to SAVI RFC 6959 section 3.1.2.

Parameters

General

  • Malicious Customer: A customer interface performing malicious actions.
  • ISP: A central node on a trusted port. The test requires that the ISP Test Agent reside in the same Layer 2 network as customers.