[c-nsp] ip virtual-reassembly drop-fragments

Satish Patel satish.txt at gmail.com
Fri Jun 3 12:46:41 EDT 2016


We have noticed in the last year that our DDoS attacks last for only 10 minutes and are
small compared to our link. We have a 10G link and the DDoS we are getting is
around 4G or sometimes 6G. (We are only getting IP fragment attacks, that is
100% true; we have an IDS running on the network to monitor attacks too.)

We have ordered a new ASR1006 and are going to run BGP (RTBH).

Question: How will Netflow + RTBH auto-trigger a null route?

On Fri, Jun 3, 2016 at 7:55 AM, Nick Hilliard <nick at foobar.org> wrote:
> Satish Patel wrote:
>> Sorry typo it was "Internet"
>>
>> We are getting many IP fragment DDoS so I was planning to use on
>> outside interface to drop all IP fragmented packet.
>
> This will reassemble your fragments, but is that what you want to stop a
> DDoS?  It will completely trash your router in the process.  For sure,
> it will lower the throughput of your router so that it will fall over
> even sooner than if you omit it from your configuration.
>
> Your options for handling DDoS are:
>
> 1. get more bandwidth than your DDoS attackers have
> 2. get your upstream providers to filter / blackhole the traffic.  If
> you run netflow on your own kit + rtbh, you can automate this
> 3. live with it
>
> Nick
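As an added example (not from either poster's message), the following Python sketches the automation Nick's option 2 refers to: flow records from a collector are summed per destination over a window, any destination whose fragmented inbound rate crosses a threshold is reported, and the RTBH trigger route for it is generated. All flow records, addresses, the route tag and the discard next-hop are constructed placeholders, and the collector is assumed to export a per-flow fragment flag.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Flow:
    """One exported flow record; 'fragmented' is assumed to come from the
    collector (e.g. IPFIX fragment flags), which classic NetFlow v5 lacks."""
    src: str
    dst: str
    proto: int
    bytes: int
    fragmented: bool

WINDOW_S = 10  # collection window the sample flows cover

# Constructed sample records (not real traffic) for a 10 s window.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", 17, 2_000_000_000, True),
    Flow("198.51.100.8", "203.0.113.10", 17, 2_000_000_000, True),
    Flow("198.51.100.9", "203.0.113.10", 17, 1_000_000_000, True),
    Flow("198.51.100.9", "203.0.113.10", 6, 1_000_000_000, False),   # normal TCP
    Flow("198.51.100.3", "203.0.113.20", 17, 125_000_000, True),     # small
    Flow("198.51.100.4", "203.0.113.53", 17, 3_750_000_000, True),   # our DNS
]

# Never blackhole these: an RTBH route finishes the attacker's job for the victim.
PROTECTED = {"203.0.113.53"}

def fragmented_bps_by_dst(flows, window_s=WINDOW_S):
    """Bits per second of fragmented traffic, keyed by destination address."""
    byte_totals = defaultdict(int)
    for f in flows:
        if f.fragmented:
            byte_totals[f.dst] += f.bytes
    return {dst: b * 8 / window_s for dst, b in byte_totals.items()}

def rtbh_candidates(flows, threshold_bps, protected=PROTECTED, window_s=WINDOW_S):
    """Destinations whose fragmented inbound rate reaches the threshold and
    that are not on the protected list, highest rate first."""
    rates = fragmented_bps_by_dst(flows, window_s)
    hits = [(d, r) for d, r in rates.items() if r >= threshold_bps and d not in protected]
    return sorted(hits, key=lambda x: x[1], reverse=True)

def rtbh_trigger_route(dst, discard_nh="192.0.2.1", tag=666):
    """Static host route for the trigger router (RFC 5635 pattern): it is
    redistributed into iBGP by its tag, and edge routers route discard_nh to
    Null0, so traffic to dst is dropped at the edge. Tag/next-hop are placeholders."""
    ip_address(dst)  # reject anything that is not a valid address
    return f"ip route {dst} 255.255.255.255 {discard_nh} tag {tag}"

if __name__ == "__main__":
    for dst, bps in rtbh_candidates(SAMPLE_FLOWS, threshold_bps=2e9):
        print(f"{dst}: {bps/1e9:.1f} Gbit/s fragmented -> {rtbh_trigger_route(dst)}")
```

The threshold is set relative to link capacity; the protected set is the part most worth getting right, since a blackhole route drops all traffic to that address, not just the attack.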
