[c-nsp] IP_VFR-4-FRAG_TABLE_OVERFLOW

Dobbins, Roland rdobbins at arbor.net
Sun Mar 13 22:53:10 EDT 2011


On Mar 14, 2011, at 9:30 AM, Tony wrote:

> The fix is as you have already stated.

An even better fix is to use iACLs to keep fragmented packets off the router in the first place (allow them *through* the router to their destination endpoints, but not any addressed *to* the router itself), and to disable the dual misfeatures of the IOS stateful firewall and 'Virtual Fragment Reassembly', both of which add no security value and actually make matters worse.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

		The basis of optimism is sheer terror.

			  -- Oscar Wilde
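As an added illustration, not taken from Roland's post or from Cisco documentation, the following IOS configuration fragment implements the approach he describes: an infrastructure ACL that drops fragments addressed to the router's own address space while letting transit fragments through, applied on the edge interface together with the removal of Virtual Fragment Reassembly and the stateful inspection rule. The 192.0.2.0/24 infrastructure block, the ACL name INFRA-PROTECT, the interface and the inspect rule name EDGE-INSPECT are placeholders chosen for the example.

```cisco
! Constructed example: 192.0.2.0/24 stands in for the router/infrastructure
! address block; INFRA-PROTECT, GigabitEthernet0/0 and EDGE-INSPECT are
! placeholders, not values from the original post.
ip access-list extended INFRA-PROTECT
 ! Drop non-initial fragments addressed to the router itself. The
 ! 'fragments' keyword matches only non-initial fragments; the initial
 ! fragment carries the L4 header and is evaluated by the normal entries.
 deny   ip any 192.0.2.0 0.0.0.255 fragments
 ! Explicit permits for legitimate traffic aimed at the infrastructure
 ! block (management sources, routing-protocol peers) belong here, then
 ! everything else destined for the infrastructure block is denied.
 deny   ip any 192.0.2.0 0.0.0.255
 ! Transit traffic, fragmented or not, passes through to its destination.
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group INFRA-PROTECT in
 ! Disable Virtual Fragment Reassembly on the edge interface
 no ip virtual-reassembly
 ! and unbind the stateful-inspection (CBAC) rule from it
 no ip inspect EDGE-INSPECT in
```

Hit counts on the `fragments` entry can be watched with `show ip access-lists INFRA-PROTECT`, and `show ip virtual-reassembly` confirms VFR is no longer active on the interface. If the router uses zone-based policy firewall rather than classic `ip inspect`, the corresponding `zone-member security` and policy configuration has to be removed instead.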
