[c-nsp] Stop IP Fragmentation attack
Roland Dobbins
rdobbins at arbor.net
Tue Apr 26 08:43:08 EDT 2016
On 26 Apr 2016, at 19:38, Satish Patel wrote:
> Believe me, we did all our homework; that's why I am asking this last
> question: how to just stop IP frag attack using cisco ACL.
I already explained how you can use S/RTBH or flowspec to mitigate DDoS
attacks, and I also sent you a link detailing how to use Cisco ACLs to
filter them.
But if you drop *all* non-initial fragments ingressing your network, you
run the risk of messing up large, but legitimate, DNS responses.
So, be careful about dropping non-initial fragments.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
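
Added example, not part of the original message: a small Python model of the caveat above, showing that a blanket drop of non-initial fragments leaves a large DNS response impossible to reassemble. The addresses, the 3000-byte response size and the per-destination exemption are assumptions made for illustration, and the packets are constructed in the code rather than captured.

```python
import struct

FRAG_SIZE = 1480  # IP payload bytes per fragment on a 1500-byte MTU (multiple of 8)

def fragment(src, dst, payload):
    """Split one IP payload into IPv4 fragments (constructed; checksum left 0)."""
    frags = []
    for off in range(0, len(payload), FRAG_SIZE):
        chunk = payload[off:off + FRAG_SIZE]
        mf = 0x2000 if off + FRAG_SIZE < len(payload) else 0  # More Fragments bit
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), 0x1234,
                          mf | (off // 8), 64, 17, 0, src, dst)
        frags.append(hdr + chunk)
    return frags

def is_non_initial(pkt):
    """A non-initial fragment has a non-zero 13-bit fragment offset."""
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF != 0

def filter_edge(pkts, exempt_dsts=()):
    """Drop non-initial fragments unless the destination is exempted (assumed policy)."""
    return [p for p in pkts if not is_non_initial(p) or p[16:20] in exempt_dsts]

def reassembled_len(pkts):
    """Return the reassembled payload length, or None if any fragment is missing."""
    got, total = {}, None
    for p in pkts:
        field = struct.unpack("!H", p[6:8])[0]
        off = (field & 0x1FFF) * 8
        got[off] = len(p) - 20
        if not field & 0x2000:          # last fragment fixes the total length
            total = off + got[off]
    if total is None:
        return None
    pos = 0
    while pos < total:                  # walk the fragments contiguously
        if pos not in got:
            return None
        pos += got[pos]
    return total

# Constructed sample: 3000-byte DNS response over UDP, server -> resolver.
SERVER = bytes([198, 51, 100, 10])      # documentation address, assumed
RESOLVER = bytes([192, 0, 2, 53])       # documentation address, assumed
UDP = struct.pack("!HHHH", 53, 33000, 3008, 0) + b"\x00" * 3000
FRAGS = fragment(SERVER, RESOLVER, UDP)

if __name__ == "__main__":
    print("drop all non-initial:", reassembled_len(filter_edge(FRAGS)))
    print("resolver exempted:   ", reassembled_len(filter_edge(FRAGS, {RESOLVER})))
```

Only the first fragment carries the UDP header, so a filter cannot tell from ports alone which non-initial fragments belong to DNS traffic.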