[c-nsp] ip virtual-reassembly drop-fragments

Nick Hilliard nick at foobar.org
Fri Jun 3 07:55:55 EDT 2016

Satish Patel wrote:
> Sorry typo it was "Internet"
> We are getting many IP fragment DDoS so I was planning to use it on the
> outside interface to drop all IP fragmented packets.

This will reassemble your fragments, but is that what you want to stop a
DDoS?  It will completely trash your router in the process.  For sure,
it will lower the throughput of your router so that it will fall over
even sooner than if you omit it from your configuration.

Your options for handling DDoS are:

1. get more bandwidth than your DDoS attackers have
2. get your upstream providers to filter / blackhole the traffic.  If
you run NetFlow on your own kit + RTBH, you can automate this
3. live with it
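
The NetFlow + RTBH automation mentioned in option 2, sketched as an added example that is not part of the original post: it totals one window of flow records per destination and emits a blackhole announcement for each of your own addresses over a threshold. The record layout, thresholds, prefixes, next-hop and the ExaBGP-style command text are all assumptions, and your upstream may require a different blackhole community.

```python
import ipaddress
from collections import defaultdict

# Everything below is assumed for illustration, not taken from the thread.
WINDOW_SECONDS = 60                    # length of the flow export window
THRESHOLD_BPS = 500_000_000            # per-destination trigger (hypothetical)
PROTECTED = [ipaddress.ip_network("198.51.100.0/24")]  # our prefix (documentation range)
BLACKHOLE_NEXT_HOP = "192.0.2.1"       # placeholder discard next-hop
BLACKHOLE_COMMUNITY = "65535:666"      # RFC 7999 BLACKHOLE; upstreams may use their own

# Constructed sample: flow records as a collector might hand them over,
# with byte counts still unscaled by the 1-in-N packet sampling rate.
SAMPLE_FLOWS = [
    {"dst": "198.51.100.10", "bytes": 2_000_000, "sampling": 1000},
    {"dst": "198.51.100.10", "bytes": 2_000_000, "sampling": 1000},
    {"dst": "198.51.100.20", "bytes": 300_000, "sampling": 1000},
    {"dst": "203.0.113.7", "bytes": 9_000_000, "sampling": 1000},  # not our address
]

def victims(flows, window=WINDOW_SECONDS, threshold_bps=THRESHOLD_BPS):
    """Return {destination: bits per second} for protected hosts over threshold."""
    totals = defaultdict(int)
    for flow in flows:
        dst = ipaddress.ip_address(flow["dst"])
        # Only ever blackhole addresses we originate; upstreams filter the rest.
        if any(dst in net for net in PROTECTED):
            totals[dst] += flow["bytes"] * flow["sampling"]
    rates = {str(dst): total * 8 // window for dst, total in totals.items()}
    return {dst: bps for dst, bps in rates.items() if bps >= threshold_bps}

def rtbh_announcements(flows):
    """Build one host-route announcement per victim (ExaBGP-style text, assumed)."""
    lines = []
    for dst in sorted(victims(flows)):
        plen = ipaddress.ip_address(dst).max_prefixlen  # /32 for IPv4, /128 for IPv6
        lines.append(
            f"announce route {dst}/{plen} next-hop {BLACKHOLE_NEXT_HOP} "
            f"community [{BLACKHOLE_COMMUNITY}]"
        )
    return lines

if __name__ == "__main__":
    for line in rtbh_announcements(SAMPLE_FLOWS):
        print(line)
```

Blackholing drops all traffic to the announced host, legitimate traffic included, so the trigger threshold and a withdrawal timer need to be chosen with that cost in mind.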


