[c-nsp] ACL to block udp/0?

Gert Doering gert at greenie.muc.de
Tue Dec 5 16:44:49 EST 2023


On Tue, Dec 05, 2023 at 11:27:21PM +0200, Hank Nussbacher via cisco-nsp wrote:
> We encountered something strange.  We run IOS-XR 7.5.2 on ASR9K platform.
> Had a user under udp/0 attack.  Tried to block it via standard ACL:
> ipv4 access-list block-zero
>  20 deny udp any any eq 0
>  30 deny tcp any any eq 0
>  40 permit ipv4 any any

D'Wayne Saunders already pointed at this most likely being fragments -
large packet reflections, and all non-initial fragments being reported by
IOS* as "port 0" (so you should see 1500-byte regular UDP as well, with
a non-0 port number).

IOS XR syntax for fragment blocking is
  deny ipv4 any any fragments

"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
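As an added illustration (not code from the thread or from Cisco), the following Python simulation builds IPv4 packets and classifies them the way the reply describes IOS reporting them: a non-initial fragment carries no UDP header, so it shows up as port 0, while the initial fragment and regular datagrams keep their real ports. The ACL evaluator is a simplified model that matches `eq 0` against the reported port and `fragments` against a non-zero fragment offset; it is not Cisco's matching engine, and the addresses, ports and packets are constructed.

```python
import struct
import ipaddress

SRC, DST = ipaddress.ip_address("192.0.2.1"), ipaddress.ip_address("198.51.100.7")

def build_ipv4(proto, frag_offset, more_frags, payload):
    """Constructed IPv4 packet; frag_offset is in 8-byte units, MF is bit 13."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0, SRC.packed, DST.packed)
    return hdr + payload

def udp_header(sport, dport, length):
    return struct.pack("!HHHH", sport, dport, length, 0)

def classify(pkt):
    """(proto, dst_port, non_initial_fragment). A non-initial fragment has no
    L4 header, so its port is reported as 0, as the reply describes for IOS."""
    ihl = (pkt[0] & 0x0F) * 4
    offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto = pkt[9]
    if offset != 0:
        return proto, 0, True
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        return proto, struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0], False
    return proto, 0, False

# ACL entries: (action, proto number or None for ipv4, 'eq' dst port or None, fragments keyword)
ACL_THREAD = [("deny", 17, 0, False), ("deny", 6, 0, False), ("permit", None, None, False)]
ACL_FRAGMENTS = [("deny", None, None, True)] + ACL_THREAD  # deny ipv4 any any fragments

def evaluate(acl, pkt):
    """Simplified first-match evaluation; implicit deny at the end."""
    proto, dport, frag = classify(pkt)
    for action, want_proto, want_port, want_frag in acl:
        if want_frag and not frag:
            continue
        if want_proto is not None and want_proto != proto:
            continue
        if want_port is not None and want_port != dport:
            continue
        return action
    return "deny"

# Constructed traffic: a large DNS (udp/53) reply split into two fragments, plus a normal datagram.
FIRST_FRAG = build_ipv4(17, 0, True, udp_header(53, 40000, 1600) + b"A" * 1472)
SECOND_FRAG = build_ipv4(17, 185, False, b"A" * 120)  # offset 185*8 = 1480 bytes, no UDP header
NORMAL_DNS = build_ipv4(17, 0, False, udp_header(53, 40001, 80) + b"B" * 72)

if __name__ == "__main__":
    for name, pkt in [("first frag", FIRST_FRAG), ("second frag", SECOND_FRAG), ("normal", NORMAL_DNS)]:
        print(name, classify(pkt), evaluate(ACL_THREAD, pkt), evaluate(ACL_FRAGMENTS, pkt))
```

The second fragment is the only packet that classifies as "port 0": it is matched by the thread's `eq 0` line only because the missing port is reported as 0, whereas the `fragments` entry matches it by its offset field, independent of any port.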