[c-nsp] ACL to block udp/0?
Gert Doering
gert at greenie.muc.de
Wed Dec 6 05:45:41 EST 2023
Hi,
On Wed, Dec 06, 2023 at 09:00:58AM +0000, Dobbins, Roland wrote:
> On Dec 6, 2023, at 04:45, Gert Doering via cisco-nsp <cisco-nsp at puck.nether.net> wrote:
>
> > deny ipv4 any any fragments
>
> This approach is generally contraindicated, as it tends to break EDNS0, & DNSSEC along with it.
I'd argue that the DNS folks recommend using EDNS0 with 1232 bytes, which
works just fine to avoid fragments...
http://www.dnsflagday.net/2020/
... but of course you are right that unconditionally dropping all fragments
is not a recommended approach unless acutely under attack.
What we do here is exactly what you recommend - rate-limit fragments to
some 200Mbit/s per network ingress, which is ~50x the normal peak rate
of fragments seen, and closely monitor drop counts.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de
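What the two approaches look like side by side on an IOS XR box, as an added configuration example (not Gert's or Roland's own config): the unconditional fragment drop from the quoted ACL, and the rate-limit-and-monitor alternative Gert describes. The ACL, class-map, policy-map and interface names, the interface itself, and the 200 mbps figure as the right number for any given network are assumptions; the rate has to be sized from your own observed fragment baseline (Gert's is ~50x the normal peak), and the drop counters watched.

```cisco
! --- Approach 1 (quoted in the thread): drop every fragment unconditionally.
! Breaks large EDNS0/DNSSEC responses from resolvers that still fragment,
! so only defensible while acutely under attack.
ipv4 access-list EDGE-IN
 10 deny ipv4 any any fragments
 20 permit ipv4 any any
!

! --- Approach 2 (what Gert describes): rate-limit fragments per ingress,
! leave legitimate fragments through under the ceiling, and monitor drops.
! Names and the interface below are constructed for this example.
ipv4 access-list FRAGMENTS
 10 permit ipv4 any any fragments
!
class-map match-any FRAGMENTS
 match access-group ipv4 FRAGMENTS
 end-class-map
!
policy-map INGRESS-FRAG-LIMIT
 class FRAGMENTS
  police rate 200 mbps
   conform-action transmit
   exceed-action drop
  !
 !
 class class-default
 !
 end-policy-map
!
interface TenGigE0/0/0/0
 service-policy input INGRESS-FRAG-LIMIT
!

! Monitoring: the "exceed"/drop counters here are what should be graphed and
! alarmed on; a sustained non-zero rate outside an attack means the ceiling
! is too low for that ingress or something legitimate is fragmenting.
! show policy-map interface TenGigE0/0/0/0 input
```

On the DNS side, the complementary step from the linked DNS Flag Day 2020 page is advertising an EDNS0 UDP buffer size of 1232 bytes so responses stay below the fragmentation threshold in the first place.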