[c-nsp] Stop IP Fragmentation attack

Satish Patel satish.txt at gmail.com
Tue Apr 26 08:38:40 EDT 2016


We planned the network that way, with no component dependency. We have multiple Internet links, and the one and only attack we are getting is on the VOIP RTP server. In the last 10 years we have never had a single attack on other services except VOIP; that's why we 100% isolate VOIP from other services. Believe me, we did all our homework; that's why I am asking this last question: how to just stop the IP frag attack using a Cisco ACL.

We have tried the ASA too, but because of connection state it didn't work and put everyone underwater. The ASA isn't meant for DDoS.

Also, Juniper has an option to stop IP frag attacks using the offset field.

I'm looking for a similar option in Cisco.

--
Sent from my iPhone

> On Apr 26, 2016, at 7:43 AM, Roland Dobbins <rdobbins at arbor.net> wrote:
> 
>> On 26 Apr 2016, at 18:06, Satish Patel wrote:
>> 
>> We have never ever seen frag packet on VOIP traffic.
> 
> The last I checked, most VoIP setups require DNS, too.
> 
> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
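
The offset-field matching mentioned in the message above, as an added example that is not part of the original thread: a stateless filter can recognise fragments from the IPv4 "more fragments" bit and the 13-bit fragment offset alone, which matters because non-initial fragments carry no UDP header for a port-based rule to match. The addresses, sample headers and the drop-all-fragments policy for the RTP host are constructed assumptions.

```python
import socket
import struct

DF_FLAG = 0x4000      # "don't fragment" bit
MF_FLAG = 0x2000      # "more fragments" bit
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def make_header(dst, mf=False, offset_units=0, df=False):
    """Build a constructed 20-byte IPv4 header for UDP (checksum left at 0)."""
    flags_frag = (DF_FLAG if df else 0) | (MF_FLAG if mf else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, flags_frag,
                       64, 17, 0, socket.inet_aton("198.51.100.7"),
                       socket.inet_aton(dst))


def classify(header):
    """Return 'unfragmented', 'first-fragment' or 'non-initial-fragment'."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (flags_frag,) = struct.unpack_from("!H", header, 6)
    if flags_frag & OFFSET_MASK:
        return "non-initial-fragment"   # offset != 0: no L4 header present
    return "first-fragment" if flags_frag & MF_FLAG else "unfragmented"


def drop(header, protected):
    """Assumed policy: drop every fragment addressed to a protected host."""
    dst = socket.inet_ntoa(header[16:20])
    return dst in protected and classify(header) != "unfragmented"


RTP_SERVER = "192.0.2.10"   # constructed documentation address
OTHER_HOST = "192.0.2.53"   # constructed: a host outside the policy

if __name__ == "__main__":
    samples = {
        "normal RTP packet": make_header(RTP_SERVER, df=True),
        "first fragment": make_header(RTP_SERVER, mf=True),
        "middle fragment": make_header(RTP_SERVER, mf=True, offset_units=185),
        "last fragment": make_header(RTP_SERVER, offset_units=370),
        "fragment to other host": make_header(OTHER_HOST, offset_units=185),
    }
    for name, hdr in samples.items():
        verdict = "DROP" if drop(hdr, {RTP_SERVER}) else "PASS"
        print(f"{name:24s} {classify(hdr):22s} {verdict}")
```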

