[c-nsp] IP_VFR-4-FRAG_TABLE_OVERFLOW
Dobbins, Roland
rdobbins at arbor.net
Sun Mar 13 22:53:10 EDT 2011
On Mar 14, 2011, at 9:30 AM, Tony wrote:
> The fix is as you have already stated.
An even better fix is to use iACLs to keep fragmented packets off the router in the first place (allow them *through* the router to their destination endpoints, but not any addressed *to* the router itself), and to disable the dual misfeatures of the IOS stateful firewall and 'Virtual Fragment Reassembly', both of which add no security value and actually make matters worse.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
The basis of optimism is sheer terror.
-- Oscar Wilde
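The iACL approach Roland describes, written out as an added Cisco IOS configuration example (not from the thread or from Cisco documentation). The infrastructure block 192.0.2.0/24, the management host 198.51.100.10, the BGP peer 203.0.113.7, the interface name and the inspect rule name FW are all constructed placeholders; adapt them before use.

```cisco
! Infrastructure ACL: drop fragments addressed to the router and its
! infrastructure block, while leaving transit traffic untouched.
ip access-list extended INFRA-ACL
 ! Non-initial fragments carry no L4 header and are not matched by the
 ! port-level entries below, so deny them explicitly, before any permit.
 deny   tcp  any 192.0.2.0 0.0.0.255 fragments
 deny   udp  any 192.0.2.0 0.0.0.255 fragments
 deny   icmp any 192.0.2.0 0.0.0.255 fragments
 deny   ip   any 192.0.2.0 0.0.0.255 fragments
 ! Only the traffic the router itself must receive (placeholder sources).
 permit tcp  host 198.51.100.10 192.0.2.0 0.0.0.255 eq 22
 permit tcp  host 203.0.113.7   192.0.2.0 0.0.0.255 eq bgp
 permit tcp  host 203.0.113.7   eq bgp 192.0.2.0 0.0.0.255
 ! Everything else addressed *to* the infrastructure block is dropped;
 ! this also catches initial fragments that matched no permit above.
 deny   ip   any 192.0.2.0 0.0.0.255 log-input
 ! Transit traffic (including its fragments) passes *through* untouched.
 permit ip   any any
!
interface GigabitEthernet0/0
 ! Apply the iACL inbound on the edge-facing interface.
 ip access-group INFRA-ACL in
 ! Remove Virtual Fragment Reassembly and the CBAC inspect rule
 ! (FW is a placeholder name) so the router no longer tracks fragments.
 no ip virtual-reassembly
 no ip inspect FW in
```

With VFR removed, the IP_VFR-4-FRAG_TABLE_OVERFLOW message goes away because the fragment table no longer exists; the `deny ... fragments` entries can be checked with `show ip access-lists INFRA-ACL` to confirm that fragments aimed at the router are being counted and dropped rather than reassembled.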