[c-nsp] ACL to block udp/0?
Gert Doering
gert at greenie.muc.de
Tue Dec 5 16:44:49 EST 2023
Hi,
On Tue, Dec 05, 2023 at 11:27:21PM +0200, Hank Nussbacher via cisco-nsp wrote:
> We encountered something strange. We run IOS-XR 7.5.2 on ASR9K platform.
>
> Had a user under udp/0 attack. Tried to block it via standard ACL:
>
> ipv4 access-list block-zero
> 20 deny udp any any eq 0
> 30 deny tcp any any eq 0
> 40 permit ipv4 any any
D'Wayne Saunders already pointed at this most likely being fragments -
large packet reflections, and all non-initial fragments being reported by
IOS* as "port 0" (so you should see 1500 byte regular UDP as well, with
a non-0 port number).
IOS XR syntax for fragment blocking is
deny ipv4 any any fragments
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de
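To make the fragment point concrete, here is an added Python model (not from the thread, not Cisco code) that parses a constructed initial and non-initial fragment and runs both ACLs from the thread over them. The ACE matching rules are a deliberate simplification assumed for illustration, not XR's exact fragment-handling logic: a non-initial fragment carries no UDP header, so a port test has nothing to match, while the `fragments` keyword matches exactly those packets.

```python
import struct
from dataclasses import dataclass

IPPROTO_TCP, IPPROTO_UDP = 6, 17

@dataclass
class Pkt:
    proto: int
    frag_offset: int        # IPv4 fragment offset field, in 8-byte units
    dst_port: "int | None"  # None when the packet carries no transport header

def parse_ipv4(raw: bytes) -> Pkt:
    """Parse the fixed IPv4 header; read L4 ports only from an initial fragment."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBHII", raw[:20])
    ihl, frag_offset, dst_port = (ver_ihl & 0x0F) * 4, flags_frag & 0x1FFF, None
    if frag_offset == 0 and proto in (IPPROTO_TCP, IPPROTO_UDP) and len(raw) >= ihl + 4:
        _, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Pkt(proto, frag_offset, dst_port)

def ace_matches(ace: dict, pkt: Pkt) -> bool:
    """Simplified ACE match (assumption): 'fragments' = non-initial only; a port test needs an L4 header."""
    if ace["proto"] != "ipv4" and ace["proto"] != pkt.proto:
        return False
    if ace.get("fragments"):
        return pkt.frag_offset != 0
    if "eq" in ace:
        return pkt.dst_port == ace["eq"]  # None (no L4 header) never equals a port
    return True

def evaluate(acl: list, pkt: Pkt) -> str:
    """First matching ACE wins; implicit deny at the end of every ACL."""
    return next((ace["action"] for ace in acl if ace_matches(ace, pkt)), "deny")

BLOCK_ZERO = [  # Hank's ACL from the quoted post
    {"action": "deny", "proto": IPPROTO_UDP, "eq": 0},
    {"action": "deny", "proto": IPPROTO_TCP, "eq": 0},
    {"action": "permit", "proto": "ipv4"}]
BLOCK_FRAGS = [  # Gert's suggestion: deny ipv4 any any fragments, then permit
    {"action": "deny", "proto": "ipv4", "fragments": True},
    {"action": "permit", "proto": "ipv4"}]

def make_ipv4(flags_frag: int, payload: bytes) -> bytes:
    """Constructed sample packet: minimal IPv4 header, dummy addresses and checksum."""
    return struct.pack("!BBHHHBBHII", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                       64, IPPROTO_UDP, 0, 0x0A000001, 0x0A000002) + payload

# Initial fragment: MF set, offset 0, UDP header src 53 -> dst 40000 (constructed sample).
INITIAL = make_ipv4(0x2000, struct.pack("!HHHH", 53, 40000, 1480, 0) + b"\x00" * 8)
# Non-initial fragment: offset 185 (185*8 = 1480 bytes in), no UDP header, only payload.
NON_INITIAL = make_ipv4(185, b"\x00" * 16)
```

Running `evaluate(BLOCK_ZERO, parse_ipv4(NON_INITIAL))` yields "permit" while `evaluate(BLOCK_FRAGS, ...)` on the same packet yields "deny", which is the behaviour the thread describes.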