Fragmented TCP/UDP headers

This test checks that the switch drops IPv4 and IPv6 packets with fragmented headers. By fragmenting TCP or UDP headers it is possible to bypass access lists which are based on information in those headers. The test verifies that packets with a small fragment offset are blocked/dropped.

Impact: DoS, Abuse, Illegal access to content.

Test process

  • Malicious sends non-fragmented TCP and UDP packets to ISP.
  • Malicious sends similar packets fragmented into 8 and 16 byte fragments.

Fail criteria

  • ISP does not receive the non-fragmented packets.
  • ISP receives any fragment of a fragmented packet.


This test conforms to SEC Access Certification ID "SEC-V4-FRAG-1" and to SAVI RFC 6959 section 3.1.2.



  • Malicious Customer: A customer interface performing malicious actions.
  • ISP: A central node on a trusted port.


  • Source UDP/TCP port: Source UDP or TCP port for traffic sent from Malicious to ISP. Range: 1 ... 65535. Default: 41234.
  • Destination UDP/TCP port: Destination UDP/TCP port for traffic sent from Malicious to ISP. Range: 1 ... 65535. Default: 24567.
Have more questions? Submit a request


Powered by Zendesk