[c-nsp] ip virtual-reassembly drop-fragments

Adam Vitkovsky Adam.Vitkovsky at gamma.co.uk
Tue Jun 7 07:01:33 EDT 2016

> Satish Patel
> Sent: Friday, June 03, 2016 5:47 PM
> We have notice in last 1 year our DDoS last for 10 min only and it is smaller
> compare to our link. We have 10G link and DDoS we are getting around 4G or
> sometime 6G. (Only and only IP Frag attack we are getting that is 100% true.
> we have IDS running on network to monitor attack
> too)
Then you could have IDS generating appropriate filters and configuring them on the edge interfaces.

> We have order new ASR1006 and going to run BGP (RTBH).
> Question: How does Netflow + RTBH will auto trigger null?
You can have Netflow collector generating appropriate filters and configuring them on the edge interfaces.

If the reactive approach is not fast enough you might need to consider some proactive filters.

I think that RTBH is too big of a hammer, e.g. you can just temporarily rate-limit fragments to IP(s) under attack.
I'd use the RTBH only externally, i.e. when the attack is congesting your 10GE pipe and you have to throw the victim(s) over the board in order to protect the rest of the customer base.


        Adam Vitkovsky
        IP Engineer

T:      0333 006 5936
E:      Adam.Vitkovsky at gamma.co.uk
W:      www.gamma.co.uk

This is an email from Gamma Telecom Ltd, trading as “Gamma”. The contents of this email are confidential to the ordinary user of the email address to which it was addressed. This email is not intended to create any legal relationship. No one else may place any reliance upon it, or copy or forward all or any of it in any form (unless otherwise notified). If you receive this email in error, please accept our apologies, we would be obliged if you would telephone our postmaster on +44 (0) 808 178 9652 or email postmaster at gamma.co.uk

Gamma Telecom Limited, a company incorporated in England and Wales, with limited liability, with registered number 04340834, and whose registered office is at 5 Fleet Place London EC4M 7RD and whose principal place of business is at Kings House, Kings Road West, Newbury, Berkshire, RG14 5BY.
 This email has been scanned for email related threats and delivered safely by Mimecast.
 For more information please visit http://www.mimecast.com

More information about the cisco-nsp mailing list