[c-nsp] ip virtual-reassembly drop-fragments
Satish Patel
satish.txt at gmail.com
Thu Jun 2 21:00:56 EDT 2016
Sorry typo it was "Internet"
We are getting many IP fragment DDoS so I was planning to use on outside interface to drop all IP fragmented packet.
--
Sent from my iPhone
> On Jun 2, 2016, at 10:44 AM, Juergen Marenda <cnsp at marenda.net> wrote:
>
>
> Satish Patel wrote:
>> is it safe to put on internap facing interface?
>>
>> ip virtual-reassembly drop-fragments
>
> what's an "internap"?
>
> s/ap/et/
>
> Yes it is safe, but
>
> "no ip virtual-reassembly"
> is the best thing you can do, on every interface,
> and look form time to time and after reloads weather it reappears.
>
> "virtual-reassembly" should "reassembly" fragments (in a special, memory
> conserving way)
> So dropping fragments in that context must be an april's first joke.
>
> Having too few resources,
> the theoretically good idea behind "virtual-reassembly" does not work very
> well (in practice)
> esp. when it should be usefull.
>
> Using the "no" form on every interface where it appears automagically
> When you configure nat, crypto, ... did help us to solve many problems.
>
> Juergen.
>
>
More information about the cisco-nsp
mailing list