>Perhaps to try to catch a hacker? Sending numerous IP fragments is a known
>hacker technique. It can result in a denial of service because the host
>doing the reassembling has to gather up the fragments and wait for them to
>complete, which can cause buffer overruns and excess CPU usage. A hacker
>could ping (or whatever) your router (or devices behind the router) with
>fragments in an attempt to cause the recipient to slow down and possibly
>stop doing its job.
>
>You would only want to have this filter on for a short time and use it for
>logging purposes. Having it on indefinitely would make matters even worse.
>
>Other than that, I can't think of a use for such an ACL.
>
>Priscilla
>
>At 07:18 AM 1/23/02, bergenpeak wrote:
>>Looking at extended ACLs I see there's an option to define ACL
>>statements which can key on whether the IP packet contains a
>>fragment.
>>
>>Besides for NAT purposes, could someone provide me with a scenario
>>where one would need to develop an ACL to key on IP packets carrying
>>fragments? I'd be particularly interested in situations where one
>>might want to block a TCP application and decided that one had to
>>block traffic to the TCP port as well as fragments going to the server.
>>
>
>Thanks
I agree with Priscilla on the primary use. Another might be to troubleshoot FST encapsulation, which does not support fragmentation.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33011&t=32922
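As an added example (not from the thread), here is an IOS extended ACL for bergenpeak's scenario of blocking a TCP service and the fragments headed for the same server; the ACL name, interface and 192.0.2.10 address are constructed placeholders, and the fragment-matching order follows Cisco's documented behaviour for extended ACLs.

```cisco
! Constructed example: 192.0.2.10 stands in for the protected server.
ip access-list extended BLOCK-TELNET-AND-FRAGS
 remark Non-initial fragments carry no TCP header, so a port-based deny
 remark cannot match them; on IOS a non-initial fragment falls through such
 remark a deny to the next entry. The fragments keyword matches them
 remark explicitly; log is for short-term review only, as Priscilla notes.
 deny ip any host 192.0.2.10 fragments log
 remark Initial fragments and unfragmented packets still carry the TCP
 remark header, so the port-based entry handles them.
 deny tcp any host 192.0.2.10 eq 23
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK-TELNET-AND-FRAGS in
```

Remove the log keyword once the review window is over; logging every fragment on a busy link adds CPU load of its own.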

