[nsp-sec] ASR fragment DDoS
Roland Dobbins
rdobbins at arbor.net
Fri Jul 31 10:10:32 EDT 2015
On 31 Jul 2015, at 21:08, Damian Menscher wrote:
> - Don't expose open ports on the router to untrusted clients. (Not
> certain this will work in this case, but it seems likely the ACL code runs
> before the fragment reassembly code.)
iACLs, yes.
> - Don't advertise your router's IP in the global routing table. (The
> vulnerability doesn't get triggered by transit packets.)
No, not a good idea. This creates many problems.
> I think both of these are considered best current practices, and would
> avoid this vulnerability
iACLs, GTSM, et al. are certainly BCPs.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
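For readers who want to see what the iACL plus GTSM recommendations in the exchange above look like in practice, here is a constructed Cisco IOS configuration sketch. It is an added illustration, not configuration from either poster or from the vendor advisory; the address blocks (192.0.2.0/24 for router loopbacks and link addresses, 203.0.113.1 as the one trusted BGP peer) are RFC 5737 documentation ranges chosen for the example, and the interface name and ACL name are placeholders. Whether an ingress ACL is evaluated ahead of fragment reassembly on a given platform is exactly the open question in the thread, so the `fragments` lines are a defensive layer, not a guarantee.

```cisco
! Constructed example: infrastructure ACL (iACL) applied inbound on an
! untrusted-facing edge interface. Names and prefixes are placeholders.
ip access-list extended INFRA-ACL
 ! Drop non-initial fragments addressed to infrastructure space first,
 ! so fragmented traffic to the router itself never reaches reassembly.
 deny   ip any 192.0.2.0 0.0.0.255 fragments
 ! Permit only the control-plane sessions this edge must accept.
 permit tcp host 203.0.113.1 host 192.0.2.1 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 192.0.2.1
 ! Everything else destined to infrastructure addresses is refused.
 deny   ip any 192.0.2.0 0.0.0.255
 ! Transit traffic (not addressed to the router) continues unfiltered.
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group INFRA-ACL in
!
! GTSM (RFC 5082): only accept the peer's BGP packets if their TTL shows
! they originated one hop away, rejecting spoofed sessions from afar.
router bgp 64496
 neighbor 203.0.113.1 remote-as 64497
 neighbor 203.0.113.1 ttl-security hops 1
```

The ordering matters: the `fragments` deny sits above the permits because the `fragments` keyword matches only non-initial fragments, which carry no Layer 4 header for the later `eq bgp` lines to inspect; placing it first keeps those fragments from slipping through a protocol permit. Apply the same ACL to every untrusted-facing interface rather than withdrawing router addresses from the routing table, which, as noted above, creates operational problems of its own.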