[c-nsp] ip virtual-reassembly drop-fragments

[Randy]

How did you determine that this was a fragment-DDos as opposed to valid-fragmentation coupled with packets arriving out-of-order?



Be careful when you deny fragments because you could very well deny legitimate-traffic, unless of course your $Employer has a policy *not* to accept fragmented-packets regardless of validity.

./Randy

----- Original Message -----
From: Satish Patel <satish.txt at gmail.com>
To: "<cnsp at marenda.net>" <cnsp at marenda.net>
Cc: Cisco Network Service Providers <cisco-nsp at puck.nether.net>
Sent: Thursday, June 2, 2016 6:00 PM
Subject: Re: [c-nsp] ip virtual-reassembly drop-fragments

Sorry typo it was "Internet"

We are getting many IP fragment DDoS so I was planning to use on outside interface to drop all IP fragmented packet. 

--
Sent from my iPhone

> On Jun 2, 2016, at 10:44 AM, Juergen Marenda <cnsp at marenda.net> wrote:
> 
> 
> Satish Patel wrote:
>> is it safe to put on internap facing interface?
>> 
>> ip virtual-reassembly drop-fragments
> 
> what's an "internap"?
> 
> s/ap/et/
> 
> Yes it is safe, but
> 
> "no ip virtual-reassembly"
> is the best thing you can do, on every interface, 
> and look form time to time and after reloads weather it reappears.
> 
> "virtual-reassembly" should "reassembly" fragments (in a special, memory
> conserving way)
> So dropping fragments in that context must be an april's first joke.
> 
> Having too few resources, 
> the theoretically good idea behind "virtual-reassembly" does not work very
> well (in practice) 
> esp. when it should be usefull.
> 
> Using the "no" form on every interface where it appears automagically
> When you configure nat, crypto, ... did help us to solve many problems.
> 
> Juergen.
> 
> 
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/