[c-nsp] Stop IP Fragmentation attack

Roland Dobbins rdobbins at arbor.net
Tue Apr 26 01:30:51 EDT 2016

On 26 Apr 2016, at 8:22, Satish Patel wrote:

> I heard somewhere ACL has a fragments option but not sure what it will 
> do and how I can build mine with this option?

You shouldn't drop all non-initial fragments, because that will break 
the Internet for you and for your customers.

You can use S/RTBH or flowspec (if your platform supports it) to drop 
UDP reflection/amplification traffic more selectively - the sources aren't 
spoofed on the reflector/amplifier-to-target leg.

See these .pdf presos:



Dropping non-initial fragments destined directly for your network 
infrastructure should be a standard part of your defensive iACLs.  A 
quick search for 'cisco acl fragments' reveals this article, which 
discusses Cisco ACLs and non-initial fragments, as the top hit:


Roland Dobbins <rdobbins at arbor.net>
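The two points Roland makes above, an iACL that drops only the non-initial fragments aimed at the infrastructure block while leaving customer traffic alone, and a flowspec rule that drops reflection traffic by the unspoofed reflector source port, written out as router configuration. This is an added illustration, not configuration from the original post or from Roland. The addressing is constructed: 192.0.2.0/24 is assumed to be the router/loopback infrastructure block, 203.0.113.1 an eBGP peer, 198.51.100.0/24 a customer prefix and 198.51.100.10 the customer host under attack. The iACL is classic IOS syntax; the flowspec section uses IOS-XR syntax, since flowspec policy is not available in classic IOS, and the exact class-map keywords vary by platform and release, so check them against your own software before deploying.

```cisco
! ---- Part 1: infrastructure ACL (classic IOS) ----
! The "fragments" keyword matches ONLY non-initial fragments (no L4 header),
! so this deny is scoped to the infrastructure block and does not touch
! fragmented customer traffic passing through the box.
ip access-list extended IACL-EDGE
 remark -- drop non-initial fragments aimed at our own routers (assumed block)
 deny   ip any 192.0.2.0 0.0.0.255 fragments
 remark -- allow the things that legitimately need to reach the infrastructure
 permit tcp host 203.0.113.1 host 192.0.2.1 eq 179
 permit tcp host 203.0.113.1 eq 179 host 192.0.2.1
 permit icmp any 192.0.2.0 0.0.0.255 echo
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
 remark -- everything else to the infrastructure block is dropped
 deny   ip any 192.0.2.0 0.0.0.255
 remark -- transit traffic to customers (198.51.100.0/24 etc.) is untouched
 permit ip any any
!
! What NOT to do: a blanket "deny ip any any fragments" ahead of the permits
! would also drop every non-initial fragment bound for customers and break
! any application that fragments (DNS with large answers, IPsec, NFS...).
!
interface GigabitEthernet0/0
 description eBGP peer 203.0.113.1 (assumed)
 ip access-group IACL-EDGE in
!
! ---- Part 2: selective drop of reflection traffic with flowspec (IOS-XR) ----
! On the reflector-to-target leg the source IS the real reflector, so we can
! key on the reflector service port (NTP/123 here) rather than on fragments.
class-map type traffic match-all NTP-REFLECT-TO-VICTIM
 match destination-address ipv4 198.51.100.10 255.255.255.255
 match protocol udp
 match source-port 123
 end-class-map
!
! Non-initial fragments carry no UDP header, so a second class catches the
! fragmented tail of the same flood, again scoped to the one victim address.
class-map type traffic match-all FRAG-TO-VICTIM
 match destination-address ipv4 198.51.100.10 255.255.255.255
 match fragment-type is-fragment
 end-class-map
!
policy-map type pbr DROP-NTP-REFLECT
 class type traffic NTP-REFLECT-TO-VICTIM
  drop
 class type traffic FRAG-TO-VICTIM
  drop
 class type traffic class-default
 end-policy-map
!
flowspec
 address-family ipv4
  service-policy type pbr DROP-NTP-REFLECT
```

The ordering in Part 1 matters: the `fragments` deny sits first because an ACE that carries Layer 4 information (the BGP permits) never matches a non-initial fragment, so without the explicit deny those fragments would fall through to whichever later ACE happens to match on addresses alone. Part 2 is what you would push from a flowspec controller rather than type by hand during an attack; the point is that the match is on the victim plus the reflector port, not on "all fragments", so the rest of the customer base keeps working while the flood is discarded.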
