[c-nsp] UDP/0 ACL IOSXR issue?

Dobbins, Roland Roland.Dobbins at netscout.com
Fri Feb 8 22:30:23 EST 2019

On 9 Feb 2019, at 3:02, Bryan Holloway wrote:

> I suspect you are right. Saku made the same suggestion off-line.

Concur that these are likely non-initial fragments.  Don't just block 
all non-initial fragments willy-nill, or you'll break EDNS0.

If the targeted networks are endpoint networks within your span of 
administrative control, or endpoint networks of your direct 
end-customers, consider using flow telemetry analysis to profile the 
rates of non-initial UDP fragments normally seen destined for those 
networks.  You can add some headroom, and then use QoS at your edge to 
police down the non-initial fragments to a relatively low rate; this 
won't break anything during normal operations, and will eat a 
considerable amount of attack volume from UDP reflection/amplification 
attacks which generate non-initial fragments.

Be sure to exempt your own (and customers') recursive DNS farms from 
this policy, as well as well-known/well-run open DNS recursors such as 
Google DNS, OpenDNS, CloudFlare, et. al.

And be sure to exempt traffic that's just traversing your network on its 
way to some topologically-distant downstream network with which you have 
no direct relationship, as well.

QPPB can be used to propagate these polices if you've a significant 
number of peering/transit edge routers.

Roland Dobbins <roland.dobbins at netscout.com>

More information about the cisco-nsp mailing list