[c-nsp] UDP/0 ACL IOSXR issue?

Aaron Gould aaron1 at gvtc.com
Fri Feb 8 17:19:52 EST 2019

Unsure about xr and be-specific acl treatment... however I do recall
BVI-related acl's having issues either in or out... don't recall, been a

...in my newer juniper platform, I'm blocking the heck out of udp/0... geez,
there's a lot of volumetric attacks coming on that port.....and 389.... and
53.... and 123....

- Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
Bryan Holloway
Sent: Friday, February 8, 2019 1:38 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] UDP/0 ACL IOSXR issue?

Anyone aware of any issues with filtering destination UDP/0 at ingress 
points on IOS XR?

We're running 5.3.4 SP8 and have telemetries to help us RTBH when the 
need arises.

UDP/0 is a well-known vector for this sort of attack. However, what I'm 
seeing is that packets seem to be getting past our ACLs even though we 
are explicitly denying them.

"hardware counters" seem to corroborate that we're getting matches.

... and yet we're still seeing the traffic beyond the ingress.

Curious if anyone else has seen this.

Our egress-facing interface is a BE, if it matters ...

cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list