[c-nsp] ACL to block udp/0?

Dobbins, Roland Roland.Dobbins at netscout.com
Wed Dec 6 04:00:58 EST 2023

On Dec 6, 2023, at 04:45, Gert Doering via cisco-nsp <cisco-nsp at puck.nether.net> wrote:

deny ipv4 any any fragments

This is approach is generally contraindicated, as it tends to break EDNS0, & DNSSEC along with it.

If the target is a broadband access network, you can use flow telemetry to measure normal rates of non-initial fragments destined for it (said rates are generally minimal). You can then implements a QoS policy to police down non-initial fragments in excess of the rate you’ve decided upon, ensuring that you leave some headroom for normal variations in traffic rates.

It would be a good idea to exempt the well-known, well-run open resolvers like Google DNS, Quad9, OpenDNS, et. al. from this policy, as well as your own on-net resolvers.

If the target is a downstream transit customer, something sitting in an IDC, etc., more research & nuance in terms of tACLs, policies, & rates is likely necessary.


Roland Dobbins <roland.dobbins at netscout.com>

More information about the cisco-nsp mailing list