[c-nsp] Stop IP Fragmentation attack

Garrett Skjelstad garrett at skjelstad.org
Tue Apr 26 16:48:47 EDT 2016


Now he reads the article...

No, you can run BGP just on your edge, doesn't need to include provider.
On Apr 26, 2016 13:41, "Satish Patel" <satish.txt at gmail.com> wrote:

> Roland,
>
> Let's say I like your S/RTBH, but does it require my ISP to support this?
>
> On Tue, Apr 26, 2016 at 1:54 PM, Roland Dobbins <rdobbins at arbor.net>
> wrote:
> > On 27 Apr 2016, at 0:50, Satish Patel wrote:
> >
> >> Does Cisco have a config like the following, to apply an ACL based on criteria
> >
> >
> > Cisco has QoS.
> >
> > But you really aren't being smart about this.  Why not use S/RTBH on your
> > edge router to simply block the sources, since they aren't spoofed?
> >
> > Export NetFlow from your edge router to an open-source collection/analysis
> > system, so that you can see the sources.
> >
> > But you do know that most UDP reflection/amplification attacks are
> > high-volume, yes?  So, your transit pipe may still be filled up due to sheer
> > bps.
> >
> >
> > -----------------------------------
> > Roland Dobbins <rdobbins at arbor.net>
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
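
An added illustration of the reply above, not part of the original thread and not any poster's configuration: a minimal S/RTBH setup that lives entirely inside your own AS, which is why no provider support is needed. AS 64512, the interface name, tag 66, the route-map name and all addresses are assumptions chosen for the example (documentation prefixes); 203.0.113.45 stands in for an attack source identified from NetFlow.

```cisco
! ===== Edge router (faces the transit provider) =====
! Discard next-hop: any route that resolves via 192.0.2.1 ends in Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Do not generate an ICMP unreachable for every packet sent to Null0.
interface Null0
 no ip unreachables
!
! Loose-mode uRPF on the uplink: a packet is dropped when its SOURCE
! address has no route or its route points to Null0. This is what turns
! a destination blackhole route into a source-based drop.
interface GigabitEthernet0/0
 description Transit uplink (assumed interface name)
 ip verify unicast source reachable-via any
!
! iBGP session to the trigger router. Nothing changes toward the provider.
router bgp 64512
 neighbor 198.51.100.2 remote-as 64512
!
! ===== Trigger router (any iBGP speaker inside AS 64512) =====
! Only static routes carrying tag 66 become blackhole announcements.
route-map RTBH-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 ! no-export keeps the /32 from leaking outside the AS.
 set community no-export
route-map RTBH-TRIGGER deny 20
!
router bgp 64512
 neighbor 198.51.100.1 remote-as 64512
 neighbor 198.51.100.1 send-community
 redistribute static route-map RTBH-TRIGGER
!
! Block a source seen in NetFlow (constructed address):
ip route 203.0.113.45 255.255.255.255 Null0 tag 66
! Lift the block once the attack stops:
no ip route 203.0.113.45 255.255.255.255 Null0 tag 66
```

The drop happens on your own edge interface, so, as the quoted reply points out, the transit link itself can still be filled by sheer bps.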

