[c-nsp] UDP/0 ACL IOSXR issue?
Dobbins, Roland
Roland.Dobbins at netscout.com
Fri Feb 8 22:30:23 EST 2019
On 9 Feb 2019, at 3:02, Bryan Holloway wrote:
> I suspect you are right. Saku made the same suggestion off-line.
Concur that these are likely non-initial fragments. Don't just block
all non-initial fragments willy-nilly, or you'll break EDNS0.
If the targeted networks are endpoint networks within your span of
administrative control, or endpoint networks of your direct
end-customers, consider using flow telemetry analysis to profile the
rates of non-initial UDP fragments normally seen destined for those
networks. You can add some headroom, and then use QoS at your edge to
police down the non-initial fragments to a relatively low rate; this
won't break anything during normal operations, and will eat a
considerable amount of attack volume from UDP reflection/amplification
attacks which generate non-initial fragments.
Be sure to exempt your own (and customers') recursive DNS farms from
this policy, as well as well-known/well-run open DNS recursors such as
Google DNS, OpenDNS, CloudFlare, et al.
And be sure to exempt traffic that's just traversing your network on its
way to some topologically-distant downstream network with which you have
no direct relationship, as well.
QPPB can be used to propagate these policies if you've a significant
number of peering/transit edge routers.
--------------------------------------------
Roland Dobbins <roland.dobbins at netscout.com>
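The profiling step described in the post above (measure the normal rate of non-initial UDP fragments toward your own networks, add headroom, exempt recursors and transit traffic), as an added example that is not part of the original thread. The prefixes, the flow records and the NetFlow-style field layout are constructed for illustration; the resulting kbps figure is what you would feed into an edge policer.

```python
"""Profile non-initial UDP fragment rates per protected network from flow records
and derive a policing rate with headroom (added example, not from the thread)."""
import math
from collections import defaultdict
from ipaddress import ip_address, ip_network

UDP = 17
# Endpoint networks under our administrative control (constructed prefixes).
PROTECTED = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
# Sources exempt from the policer: our own recursor farm (constructed address)
# plus well-run public recursors named in the post (Google DNS, Cloudflare).
EXEMPT_SOURCES = [ip_network("192.0.2.53/32"), ip_network("8.8.8.8/32"),
                  ip_network("1.1.1.1/32")]
# Constructed NetFlow-style records: (timestamp_s, src, dst, proto, frag_offset, bytes).
# A fragment offset above zero marks a non-initial fragment (no L4 header present).
FLOWS = [
    (0,  "203.0.113.9",  "192.0.2.10",    UDP, 185, 1480),
    (0,  "203.0.113.9",  "192.0.2.10",    UDP, 370, 1480),
    (0,  "8.8.8.8",      "192.0.2.10",    UDP, 185, 1480),  # exempt recursor
    (0,  "203.0.113.9",  "192.0.2.10",    UDP, 0,   1500),  # initial fragment, not policed
    (0,  "203.0.113.9",  "198.51.100.7",  6,   185, 1480),  # TCP fragment, out of scope
    (0,  "203.0.113.9",  "203.0.113.200", UDP, 185, 1480),  # transit destination, not ours
    (10, "203.0.113.9",  "192.0.2.10",    UDP, 185, 1480),
    (10, "203.0.113.44", "198.51.100.7",  UDP, 185, 1480),
]

def _in(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)

def is_policed_fragment(src, dst, proto, frag_offset):
    """True only for a non-initial UDP fragment to a protected net from a non-exempt source."""
    return (proto == UDP and frag_offset > 0
            and _in(dst, PROTECTED) and not _in(src, EXEMPT_SOURCES))

def peak_fragment_bps(flows, bucket_s=10):
    """Peak bits/s of policed fragments per protected network, keyed by prefix string."""
    octets = defaultdict(int)  # (prefix, bucket) -> bytes seen in that window
    for ts, src, dst, proto, off, nbytes in flows:
        if not is_policed_fragment(src, dst, proto, off):
            continue
        net = next(str(n) for n in PROTECTED if ip_address(dst) in n)
        octets[(net, ts // bucket_s)] += nbytes
    peak = defaultdict(int)
    for (net, _), b in octets.items():
        peak[net] = max(peak[net], b * 8 // bucket_s)
    return dict(peak)

def policer_rate_kbps(peak_bps, headroom=0.5, floor_kbps=64):
    """Edge policer rate: observed peak plus headroom, never below a minimum floor."""
    return max(floor_kbps, math.ceil(peak_bps * (1 + headroom) / 1000))
```

Run it over a day or more of real flow exports per protected prefix before trusting the number; the peak from this constructed sample is far below the 64 kbps floor.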