SRX

I am showing hundreds of logs showing the following:

 RT_FLOW: FLOW_REASSEMBLE_FAIL: FCB ageout before all fragments arrive, source 5.6.7.8 destination 1.2.3.4 ipid 7700

The destination address is our public IP but the source is always different suggesting a possible DDOS attack. Can anyone explain what this log means including the "ipid"?

Hello,

FCB is a data structure used to reassembey and forward fragments. Every fragmented packet has same IP addresses and same IPID and based on this FCB is able to reassemble the fragments into one packet
when it receives them. FCB has a timeout of 3 seconds and if all fragments of a packets are not received by FCB in 3 seconds, fragment will age out and will get dropped with the message that you see.

Is there any pattern with source IP that you see?

Are the source IP addresses unknown?

Regards,

Rushi

Hi rtilak, thanks for the response.

Yes the source IPs are unknown. Can this be limited with a screen option such as ‘tcp syn-flood destination threshold’ or ‘limit-session destination-ip-based’?

Hello,

That can be tried or if the IP addresses are unknown but repeatitive or with a pattern you can use firewall filter to block.

Regards,

Rushi

Applied a screen with UDP flood and this seems to have solved the problem. We now see:

RT_IDS: RT_SCREEN_UDP: UDP flood!

Thanks

What is the traffic is valid and it is causing issues.  In my case this is DNS replies from the internet.

I'd like to know the answer to this as well.  We are beginning to use certain devices that will not work because of this setting.  The vendor specifies that fragmented packets do not get dropped.  Is there a way to either exclude a certain IP address from this protection or tweak the timing?