On 9 Feb 2019, at 3:02, Bryan Holloway wrote:
> I suspect you are right. Saku made the same suggestion off-line.

Concur that these are likely non-initial fragments.

Don't just block all non-initial fragments willy-nilly, or you'll break EDNS0.

If the targeted networks are endpoint networks within your span of administrative control, or endpoint networks of your direct end-customers, consider using flow telemetry analysis to profile the rates of non-initial UDP fragments normally seen destined for those networks. You can add some headroom, and then use QoS at your edge to police down the non-initial fragments to a relatively low rate; this won't break anything during normal operations, and will eat a considerable amount of attack volume from UDP reflection/amplification attacks which generate non-initial fragments.

Be sure to exempt your own (and customers') recursive DNS farms from this policy, as well as well-known/well-run open DNS recursors such as Google DNS, OpenDNS, CloudFlare, et al. And be sure to exempt traffic that's just traversing your network on its way to some topologically-distant downstream network with which you have no direct relationship, as well.

QPPB can be used to propagate these policies if you've a significant number of peering/transit edge routers.

--------------------------------------------
Roland Dobbins <[email protected]>

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

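The profiling step Roland describes (baseline the normal rate of non-initial UDP fragments per administered prefix from flow telemetry, exempt your own recursor farms and well-known public recursors, ignore pure transit traffic, then add headroom to derive a policer rate) as an added example that is not part of the thread. The flow records, prefixes, window length and headroom are constructed for illustration; the only real addresses are the Google DNS resolvers the message names as an exemption candidate.

```python
"""Baseline non-initial UDP fragment rates from flow telemetry so an edge
policer can be set with headroom above normal traffic.

Added example, not from the mailing-list thread.  Records are constructed to
resemble NetFlow/IPFIX exports: epoch seconds, src, dst, IP protocol,
fragment offset (non-zero = non-initial fragment) and byte count."""
import ipaddress
import math
from collections import defaultdict

# Constructed sample flows.  192.0.2.0/24 is the network we administer,
# 192.0.2.53 is our own recursive DNS farm, 203.0.113.5 is a downstream we
# merely transit for.
FLOWS = [
    {"ts": 0,  "src": "198.51.100.7", "dst": "192.0.2.10",  "proto": 17, "frag_offset": 185, "bytes": 1480},
    {"ts": 1,  "src": "198.51.100.7", "dst": "192.0.2.10",  "proto": 17, "frag_offset": 185, "bytes": 1480},
    {"ts": 2,  "src": "198.51.100.9", "dst": "192.0.2.44",  "proto": 17, "frag_offset": 185, "bytes": 1480},
    {"ts": 2,  "src": "198.51.100.9", "dst": "192.0.2.44",  "proto": 17, "frag_offset": 0,   "bytes": 1500},  # initial fragment: not policed
    {"ts": 3,  "src": "198.51.100.9", "dst": "192.0.2.44",  "proto": 6,  "frag_offset": 185, "bytes": 1480},  # TCP: out of scope
    {"ts": 4,  "src": "8.8.8.8",      "dst": "192.0.2.44",  "proto": 17, "frag_offset": 185, "bytes": 1480},  # from exempt public recursor
    {"ts": 5,  "src": "198.51.100.7", "dst": "192.0.2.53",  "proto": 17, "frag_offset": 185, "bytes": 1480},  # to our own recursor farm
    {"ts": 6,  "src": "198.51.100.7", "dst": "203.0.113.5", "proto": 17, "frag_offset": 185, "bytes": 1480},  # transit, not ours to police
    {"ts": 12, "src": "198.51.100.8", "dst": "192.0.2.10",  "proto": 17, "frag_offset": 185, "bytes": 2960},
]

# Assumed scope and exemptions (constructed, except the Google DNS addresses).
MONITORED = ["192.0.2.0/24"]                 # endpoint networks we administer
OWN_RECURSORS = ["192.0.2.53/32"]            # exempt as destination
WELL_KNOWN_RECURSORS = ["8.8.8.8/32", "8.8.4.4/32"]  # exempt as source


def is_non_initial_udp_fragment(flow):
    """UDP (protocol 17) with a non-zero fragment offset."""
    return flow["proto"] == 17 and flow["frag_offset"] > 0


def match_prefix(addr, networks):
    """Return the first network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in networks:
        if ip in net:
            return net
    return None


def profile_fragment_rates(flows, monitored, exempt_dst, exempt_src, window=10):
    """Peak bits/second of non-initial UDP fragments per monitored prefix,
    measured over fixed windows of `window` seconds, after exemptions."""
    monitored = [ipaddress.ip_network(p) for p in monitored]
    exempt_dst = [ipaddress.ip_network(p) for p in exempt_dst]
    exempt_src = [ipaddress.ip_network(p) for p in exempt_src]
    buckets = defaultdict(lambda: defaultdict(int))  # prefix -> window -> bytes
    for f in flows:
        if not is_non_initial_udp_fragment(f):
            continue
        if match_prefix(f["src"], exempt_src) is not None:
            continue  # large answers from well-run public recursors
        if match_prefix(f["dst"], exempt_dst) is not None:
            continue  # our own recursor farms receive fragmented answers
        target = match_prefix(f["dst"], monitored)
        if target is None:
            continue  # traffic merely traversing us to someone else's network
        buckets[target][int(f["ts"] // window)] += f["bytes"]
    return {str(p): max(b.values()) * 8 / window for p, b in buckets.items()}


def recommend_policer_bps(peak_bps, headroom=0.5):
    """Policer rate: observed peak plus a headroom fraction, rounded up."""
    return math.ceil(peak_bps * (1 + headroom))


if __name__ == "__main__":
    rates = profile_fragment_rates(FLOWS, MONITORED, OWN_RECURSORS, WELL_KNOWN_RECURSORS)
    for prefix, peak in rates.items():
        print(f"{prefix}: peak {peak:.0f} bps, police at {recommend_policer_bps(peak)} bps")
```

Run over a real export you would widen the window and the observation period to cover diurnal peaks before trusting the number; the exemptions here are expressed as prefix lists because that is also how you would carry them into the QoS class-map or QPPB policy on the edge.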