[c-nsp] Stop IP Fragmentation attack
Roland Dobbins
rdobbins at arbor.net
Tue Apr 26 01:30:51 EDT 2016
On 26 Apr 2016, at 8:22, Satish Patel wrote:
> I heard somewhere ACL has fragments option but not sure what it will
> do and how I can build my with this option?
You shouldn't drop all non-initial fragments, because that will break
the Internet for you and for your customers.
You can use S/RTBH or flowspec (if your platform supports it) to drop
UDP reflection/amplification traffic more selectively - the sources aren't
spoofed on the reflector/amplifier-to-target leg.
See these .pdf presos:
<https://app.box.com/s/r7an1moswtc7ce58f8gg>
<https://app.box.com/s/xznjloitly2apixr5xge>
Dropping non-initial fragments destined directly for your network
infrastructure should be a standard part of your defensive iACLs. A
quick search for 'cisco acl fragments' reveals this article, which
discusses Cisco ACLs and non-initial fragments, as the top hit:
<http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html>
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>