[c-nsp] Stop IP Fragmentation attack
Satish Patel
satish.txt at gmail.com
Tue Apr 26 07:06:12 EDT 2016
We are running voice RTP traffic; it's UDP and its packet size is below 200 bytes. We have never ever seen a fragmented packet in VoIP traffic. That's why I asked how to stop the frag attack. We don't have BGP etc. because we are a small company.
--
Sent from my iPhone
> On Apr 26, 2016, at 1:30 AM, Roland Dobbins <rdobbins at arbor.net> wrote:
>
>> On 26 Apr 2016, at 8:22, Satish Patel wrote:
>>
>> I heard somewhere that ACLs have a fragments option, but I'm not sure what it will do and how I can build mine with this option?
>
> You shouldn't drop all non-initial fragments, because that will break the Internet for you and for your customers.
>
> You can use S/RTBH or flowspec (if your platform supports it) to drop UDP reflection/amplification traffic more selectively - the sources aren't spoofed on the reflector/amplifier - target leg.
>
> See these .pdf presos:
>
> <https://app.box.com/s/r7an1moswtc7ce58f8gg>
>
> <https://app.box.com/s/xznjloitly2apixr5xge>
>
> Dropping non-initial fragments destined directly for your network infrastructure should be a standard part of your defensive iACLs. A quick search for 'cisco acl fragments' reveals this article, which discusses Cisco ACLs and non-initial fragments, as the top hit:
>
> <http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html>
>
> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
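As an added illustration of the iACL pattern Roland points to (not configuration from either poster, and not taken from the linked Cisco article): the `fragments` keyword makes an ACE match only non-initial fragments, so a deny with that keyword placed in front of the infrastructure entries drops fragment tails aimed at the routers' own addresses, while the final `permit ip any any` still lets fragments destined to customers (and the <200-byte RTP, which is never fragmented) through. 192.0.2.0/24 and 198.51.100.0/24 are placeholder documentation prefixes standing in for the infrastructure and customer ranges; the interface name and the peer address are likewise assumptions for the example.

```cisco
! Added example: infrastructure ACL (iACL) on an IOS-style router.
! Placeholder addressing (assumption, not from the thread):
!   192.0.2.0/24     = our router/link/loopback address space
!   198.51.100.0/24  = customer address space (transit traffic)
ip access-list extended INFRA-IN
 ! 1. Non-initial fragments to infrastructure: nothing legitimate needs
 !    them, so drop them first. 'fragments' matches ONLY non-initial
 !    fragments; an initial fragment still carries its L4 header and is
 !    evaluated by the entries below.
 deny   ip any 192.0.2.0 0.0.0.255 fragments
 !
 ! 2. Whatever the routers must actually receive (examples only):
 !    management from the NOC and ICMP for path MTU discovery/troubleshooting.
 permit tcp 192.0.2.250 0.0.0.3 192.0.2.0 0.0.0.255 eq 22
 permit icmp any 192.0.2.0 0.0.0.255 echo
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
 !
 ! 3. Everything else addressed to the infrastructure is dropped (and logged
 !    so the drop counters show what the attack traffic looks like).
 deny   ip any 192.0.2.0 0.0.0.255 log
 !
 ! 4. Transit traffic to customers is NOT filtered here; this is what keeps
 !    the "don't drop all non-initial fragments" advice intact. Fragments
 !    destined to 198.51.100.0/24 fall through to this permit.
 permit ip any any
!
! Apply inbound on the upstream-facing interface (interface name assumed).
interface GigabitEthernet0/0
 description Upstream
 ip access-group INFRA-IN in
```

Two things to check before deploying: the `fragments` deny must sit above any permit that carries Layer 4 information, because a permit with L4 ports will otherwise match a non-initial fragment on its Layer 3 fields alone and let it through; and the entries in section 2 must be extended to every protocol the routers genuinely terminate on the uplink (a BGP peer, if one is ever added, needs its own `permit tcp host <peer> host <local> eq bgp` line, which is why Roland's S/RTBH and flowspec suggestions presuppose a BGP session). Verify with `show ip access-lists INFRA-IN` and watch the hit counts on the first and the logged deny lines during the next event.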