[c-nsp] ACL to block udp/0?
Dobbins, Roland
Roland.Dobbins at netscout.com
Wed Dec 6 04:00:58 EST 2023
On Dec 6, 2023, at 04:45, Gert Doering via cisco-nsp <cisco-nsp at puck.nether.net> wrote:
> deny ipv4 any any fragments
This approach is generally contraindicated, as it tends to break EDNS0, & DNSSEC along with it.
If the target is a broadband access network, you can use flow telemetry to measure normal rates of non-initial fragments destined for it (said rates are generally minimal). You can then implement a QoS policy to police down non-initial fragments in excess of the rate you’ve decided upon, ensuring that you leave some headroom for normal variations in traffic rates.
It would be a good idea to exempt the well-known, well-run open resolvers like Google DNS, Quad9, OpenDNS, et al. from this policy, as well as your own on-net resolvers.
If the target is a downstream transit customer, something sitting in an IDC, etc., more research & nuance in terms of tACLs, policies, & rates is likely necessary.
--------------------------------------------
Roland Dobbins <roland.dobbins at netscout.com>
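Worked example, added here and not part of Roland's reply: one way to express the approach above (police non-initial fragments toward a broadband access network, exempting well-known open resolvers and on-net resolvers) in Cisco IOS / IOS-XE MQC syntax. The resolver addresses are the public anycast addresses of Google Public DNS, Quad9 and OpenDNS. The on-net resolver prefix (192.0.2.0/24), the access-network prefix (198.51.100.0/24), the interface name, and the rate and burst (2 Mbps, 64 kB) are placeholders; the real rate comes from your own flow telemetry plus headroom, as the reply describes.

```cisco
! Added example, not from the original post. Prefixes, interface and rate
! are placeholders; replace them with values from your own measurements.
!
! One ACL classifies the traffic to police. The "fragments" keyword matches
! only non-initial fragments (fragment offset != 0); initial fragments and
! unfragmented packets carry the L4 header and are left to normal ACLs.
! A "deny" here does NOT drop: it means "not in this class", so the packet
! is forwarded without being policed. That is how the exemptions work.
ip access-list extended NONINITIAL-FRAGS-TO-ACCESS
 remark exempt well-known, well-run open resolvers
 deny   ip host 8.8.8.8 any fragments
 deny   ip host 8.8.4.4 any fragments
 deny   ip host 9.9.9.9 any fragments
 deny   ip host 149.112.112.112 any fragments
 deny   ip host 208.67.222.222 any fragments
 deny   ip host 208.67.220.220 any fragments
 remark exempt our own on-net resolvers (placeholder prefix, TEST-NET-1)
 deny   ip 192.0.2.0 0.0.0.255 any fragments
 remark everything else: non-initial fragments toward the access network
 remark (placeholder prefix, TEST-NET-2)
 permit ip any 198.51.100.0 0.0.0.255 fragments
!
class-map match-all CM-NONINITIAL-FRAGS
 match access-group name NONINITIAL-FRAGS-TO-ACCESS
!
! Policer: rate = measured normal rate of non-initial fragments plus
! headroom. 2 Mbps / 64 kB burst is a placeholder, not a recommendation.
policy-map PM-POLICE-NONINITIAL-FRAGS
 class CM-NONINITIAL-FRAGS
  police cir 2000000 bc 64000
   conform-action transmit
   exceed-action drop
 class class-default
!
! Apply toward the access network, i.e. in the direction the fragments
! are destined for the target (placeholder interface).
interface TenGigabitEthernet0/0/0
 description toward broadband access network
 service-policy output PM-POLICE-NONINITIAL-FRAGS
```

After deployment, watch the conformed/exceeded counters with `show policy-map interface TenGigabitEthernet0/0/0` and compare them with the baseline from flow telemetry: a non-trivial exceeded count outside an attack means the rate was set too tight and legitimate EDNS0/DNSSEC responses are being clipped, which is exactly the breakage the blanket `deny ... fragments` causes. The example covers IPv4 only; IPv6 would need a separate `ipv6 access-list` and class.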