[c-nsp] Stop IP Fragmentation attack

Roland Dobbins rdobbins at arbor.net
Tue Apr 26 01:30:51 EDT 2016


On 26 Apr 2016, at 8:22, Satish Patel wrote:

> I heard somewhere that ACLs have a fragments option, but I'm not sure 
> what it does or how I can build my ACL with this option?

You shouldn't drop all non-initial fragments, because that will break 
the Internet for you and for your customers.

You can use S/RTBH or flowspec (if your platform supports it) to drop 
UDP reflection/amplification traffic more selectively - the sources aren't 
spoofed on the reflector/amplifier-to-target leg.

See these .pdf presos:

<https://app.box.com/s/r7an1moswtc7ce58f8gg>

<https://app.box.com/s/xznjloitly2apixr5xge>

Dropping non-initial fragments destined directly for your network 
infrastructure should be a standard part of your defensive iACLs.  A 
quick search for 'cisco acl fragments' reveals this article, which 
discusses Cisco ACLs and non-initial fragments, as the top hit:

<http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html>

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
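As an illustration of the iACL pattern described above, here is an added example (not from the post, and not taken from the linked Cisco document) in classic IOS extended ACL syntax. The addresses are RFC 5737 documentation ranges used as placeholders: 192.0.2.0/24 stands in for the router loopbacks and link addresses (the infrastructure space), 203.0.113.1 for an eBGP peer that is allowed to reach the loopback 192.0.2.1, and the ACL name and interface are assumptions.

```cisco
! Infrastructure ACL (iACL), applied inbound on the edge toward a peer.
! Placeholder addresses (RFC 5737):
!   192.0.2.0/24 - our router loopbacks/link addresses (infrastructure)
!   203.0.113.1  - eBGP peer that may talk BGP to our loopback 192.0.2.1
ip access-list extended IACL-IN
 !
 ! 1. Non-initial fragments aimed at our own infrastructure space go FIRST.
 !    The 'fragments' keyword matches only non-initial fragments. Ordering
 !    matters: a non-initial fragment carries no L4 header, and IOS lets it
 !    through a later 'permit tcp ... eq bgp' ACE on the L3 match alone, so
 !    without this line spoofed fragments "from" 203.0.113.1 would reach
 !    192.0.2.1 regardless of the port match.
 deny   ip any 192.0.2.0 0.0.0.255 fragments
 !
 ! 2. Control-plane traffic we actually need. These ACEs carry L4 ports, so
 !    they only ever match unfragmented packets or the first fragment.
 permit tcp host 203.0.113.1 host 192.0.2.1 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 192.0.2.1
 !
 ! 3. Nothing else may be addressed to infrastructure.
 deny   ip any 192.0.2.0 0.0.0.255
 !
 ! 4. Transit traffic toward customers passes untouched, non-initial
 !    fragments included: no 'fragments' ACE covers non-infrastructure
 !    destinations, so fragmented customer traffic (large DNS/EDNS
 !    responses, IPsec, etc.) keeps working. Dropping fragments globally
 !    here is exactly what breaks the Internet for your customers.
 permit ip any any
!
interface GigabitEthernet0/0
 description Peering link toward 203.0.113.1
 ip access-group IACL-IN in
```

After applying it, `show ip access-lists IACL-IN` shows per-ACE hit counters, which is a quick way to confirm that the `fragments` ACE is actually catching non-initial fragments toward the infrastructure range while the final `permit ip any any` is carrying the transit traffic. Adding `log` to the fragments ACE is useful briefly while validating, but it is CPU-bound on most platforms, so do not leave it on during an attack.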

