[c-nsp] Stop IP Fragmentation attck

Roland Dobbins rdobbins at arbor.net
Tue Apr 26 08:43:08 EDT 2016

On 26 Apr 2016, at 19:38, Satish Patel wrote:

>  Believe me we did all home work that's why I'm am asking this last 
> question how to just stop IP frag attack using cisco ACL.

I already explained how you can use S/RTBH or flowspec to mitigate DDoS 
attacks, and I also sent you a link detailing how to use Cisco ACLs to 
filter them.

But if you drop *all* non-initial fragments ingressing your network, you 
run the risk of messing up large, but legitimate, DNS responses.

So, be careful about dropping non-initial fragments.

Roland Dobbins <rdobbins at arbor.net>

More information about the cisco-nsp mailing list