We verified that UDP fragments were not required by anything it was doing, so it was straightforward... so after initially filtering UDP fragments, in the end we just blocked UDP completely to the device under attack.

-peter

-----Original Message-----
From: Drew Weaver [mailto:drew.wea...@thenap.com]
Sent: Friday, April 08, 2011 6:44 PM
To: 'Peter Kranz'
Subject: RE: [c-nsp] Safer DDOS drops

Peter,

What did you end up using to filter fragments? We see a lot of these UDP 0 looking attacks and we've been reluctant to drop all fragments because it breaks all kinds of legitimate protocols.

thanks,
-Drew

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Kranz
Sent: Friday, April 08, 2011 6:45 PM
To: 'Peter Rathlev'
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Safer DDOS drops

Brandon, Peter, Phil, thanks.. I removed 'ip accounting access-violations', used the fragments filter, and changed to 'mls rate-limit unicast ip icmp unreachable acl-drop 0' .. another >5Gbps attack in progress currently, but router CPU is happy and customer still in service.

-peter

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
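The filter sequence the thread describes, written out as an added configuration example (not posted by anyone in the thread): a fragment drop scoped to the attacked host only, which addresses Drew's concern about breaking legitimate fragmented traffic elsewhere, the blanket UDP block Peter moved to afterwards, and the rate-limit line from his earlier message. It assumes a Catalyst 6500/7600-class platform (implied by the mls rate-limit command); the victim address 192.0.2.10, the ACL name and the interface name are constructed placeholders.

```cisco
! Added example, not from the thread. 192.0.2.10, DDOS-DROP and
! TenGigabitEthernet1/1 are constructed placeholders.
!
! Step 1: drop only UDP fragments aimed at the victim. Non-initial
! fragments carry no L4 header, so "fragments" is the keyword that
! matches them; fragmented traffic to every other host (DNS, NFS,
! IPsec, ...) is untouched by this ACE.
ip access-list extended DDOS-DROP
 deny   udp any host 192.0.2.10 fragments
 permit ip any any
!
! Step 2 (where the thread ended up): once it is confirmed the host
! needs no UDP at all, replace the deny above with a full UDP block.
! deny   udp any host 192.0.2.10
!
! Apply inbound on the upstream-facing interface. The accounting line
! is the one removed in the thread: per-packet accounting of ACL
! denials is software work the route processor cannot sustain under a
! multi-Gbps flood. "no ip unreachables" is a companion setting not
! mentioned in the thread.
interface TenGigabitEthernet1/1
 ip access-group DDOS-DROP in
 no ip accounting access-violations
 no ip unreachables
!
! Keep hardware ACL drops from generating CPU-punted ICMP unreachables:
! a rate of 0 pps means none are generated (the setting from the thread).
mls rate-limit unicast ip icmp unreachable acl-drop 0
```

Check the effect with `show ip access-lists DDOS-DROP` (matched counts on the deny ACE) and `show processes cpu` while the attack is in progress; the deny counter should climb while the CPU stays flat.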