[c-nsp] Stop IP Fragmentation attack

Satish Patel satish.txt at gmail.com
Tue Apr 26 08:49:44 EDT 2016


RTP traffic doesn't need DNS or any resolution; it's just a stream of audio packets between client and server. We are running an IDS on that link to check what kind of packets are flowing, and we haven't seen a single DNS packet on that link. The RTP server has a dual NIC for DNS queries. I told you, believe me, we have a very isolated network for each service.

We don't have BGP because it requires a /24 subnet.

Also, for testing we put in a small Linux firewall and we are dropping all fragmented packets; so far customers are happy and we haven't seen a single issue. Now it is time to replace the Linux firewall with a Cisco router for high-speed performance.

--
Sent from my iPhone

> On Apr 26, 2016, at 8:43 AM, Roland Dobbins <rdobbins at arbor.net> wrote:
> 
>> On 26 Apr 2016, at 19:38, Satish Patel wrote:
>> 
>> Believe me, we did all our homework; that's why I am asking this last question: how to just stop an IP frag attack using a Cisco ACL.
> 
> I already explained how you can use S/RTBH or flowspec to mitigate DDoS attacks, and I also sent you a link detailing how to use Cisco ACLs to filter them.
> 
> But if you drop *all* non-initial fragments ingressing your network, you run the risk of messing up large, but legitimate, DNS responses.
> 
> So, be careful about dropping non-initial fragments.
> 
> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
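The point Roland makes above (dropping every non-initial fragment also drops the tail of a large, legitimate DNS response) can be seen on constructed packets. The following Python is an added example and is not code from either poster or from the cisco-nsp list; it builds a DNS response from a resolver, fragments it the way a 1500-byte MTU router would, and applies the "drop all non-initial fragments" policy to each piece. The addresses (192.0.2.53, 198.51.100.7), the client port 40000 and the IP identification value are assumed sample values.

```python
"""Fragment classification demo (added example, not from the thread).

Constructed IPv4/UDP packets only; no network access. Shows which
packets an "unconditionally drop non-initial fragments" rule matches
and why that breaks a DNS response large enough to be fragmented.
"""
import socket
import struct

IPPROTO_UDP = 17
DNS_PORT = 53


def build_ipv4(src, dst, proto, payload, ident, more_fragments, offset_bytes):
    """Build a minimal IPv4 packet (20-byte header, checksum left as 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def fragment_udp(src, dst, sport, dport, data, ident, mtu=1500):
    """Fragment one UDP datagram the way a router with the given MTU would."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    chunk = ((mtu - 20) // 8) * 8          # 1480 bytes for a 1500-byte MTU
    frags = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        mf = off + chunk < len(udp)        # More Fragments bit
        frags.append(build_ipv4(src, dst, IPPROTO_UDP, piece, ident, mf, off))
    return frags


def parse_ipv4(pkt):
    """Extract the header fields a fragment-aware ACL looks at."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    flags_frag = fields[4]
    return {
        "proto": fields[6],
        "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,   # fragment offset in bytes
        "payload": pkt[ihl:],
    }


def classify(pkt):
    """'unfragmented', 'initial-fragment' or 'non-initial-fragment'."""
    h = parse_ipv4(pkt)
    if h["offset"] == 0:
        return "initial-fragment" if h["mf"] else "unfragmented"
    return "non-initial-fragment"


def udp_ports(pkt):
    """(sport, dport) when the packet carries the UDP header, else None.

    Only the first piece of a datagram has the transport header; a
    non-initial fragment is bytes from the middle of the datagram, so
    no port-based ACL match is possible on it.
    """
    h = parse_ipv4(pkt)
    if h["offset"] != 0 or h["proto"] != IPPROTO_UDP or len(h["payload"]) < 8:
        return None
    return struct.unpack("!HH", h["payload"][:4])


def drop_non_initial(pkt):
    """Policy discussed in the thread: drop every non-initial fragment."""
    return classify(pkt) == "non-initial-fragment"


def datagram_survives(frags, policy):
    """A fragmented datagram is only usable if every piece gets through."""
    return not any(policy(f) for f in frags)


def dns_response(size):
    """Constructed DNS response of `size` payload bytes from a resolver."""
    return fragment_udp("192.0.2.53", "198.51.100.7", DNS_PORT, 40000,
                        b"\x00" * size, ident=0x1234)


if __name__ == "__main__":
    for size in (200, 1800):
        frags = dns_response(size)
        for f in frags:
            verdict = "drop" if drop_non_initial(f) else "pass"
            print(size, classify(f), udp_ports(f), verdict)
        print("response usable:", datagram_survives(frags, drop_non_initial))
```

The 200-byte answer arrives as one unfragmented packet and passes. The 1800-byte answer arrives as an initial fragment (which still shows UDP source port 53) and a non-initial fragment at offset 1480 that carries no transport header at all; the policy drops the second piece, the client can never reassemble the response, and the lookup fails. This is the same class of packet that the `fragments` keyword on a Cisco IOS ACE matches and that `iptables -f` matches on the Linux firewall mentioned above, which is why a blanket drop of that class needs to be weighed against any large DNS replies that cross the link.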

