Hi,

On Tue, Dec 05, 2023 at 11:27:21PM +0200, Hank Nussbacher via cisco-nsp wrote:
> We encountered something strange. We run IOS-XR 7.5.2 on an ASR9K platform.
>
> Had a user under udp/0 attack. Tried to block it via standard ACL:
>
>
> ipv4 access-list block-zero
> 20 deny udp any any eq 0
> 30 deny tcp any any eq 0
> 40 permit ipv4 any any
D'Wayne Saunders already pointed at this most likely being fragments -
large packet reflections, and all non-initial fragments being reported by
IOS* as "port 0" (so you should see 1500 byte regular UDP as well, with
a non-0 port number)
IOS XR syntax for fragment blocking is
deny ipv4 any any fragments
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
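The following is an added illustration, not code from the thread, from Gert, or from Cisco. It models why the "eq 0" ACEs in Hank's ACL let the flood through and why `deny ipv4 any any fragments` catches it. Only the first fragment of a reflected datagram carries the UDP header, so a non-initial fragment has no port at all (the router's counters show it as port 0, as Gert notes). The evaluation rules encoded below are Cisco's documented fragment handling for classic IOS ACLs (an L4 ACE cannot be checked against a non-initial fragment: a permit still permits, a deny is skipped; a `fragments` ACE matches only non-initial fragments); treating them as applying to IOS XR is an assumption here. All addresses, the port 54321 and the 3000-byte datagram are constructed sample input.

```python
"""Toy model of Cisco-style ACL evaluation against IPv4 fragments.

Assumed semantics (Cisco's classic IOS "ACLs and IP fragments" rules,
assumed here to hold for IOS XR as well):
  * an ACE with only L3 fields applies to every packet, fragment or not;
  * an ACE with L4 fields is checked normally against unfragmented
    packets and initial fragments (offset 0);
  * against a non-initial fragment, an L4 ACE whose L3 part matches
    permits if it is a permit and is skipped if it is a deny;
  * an ACE with the "fragments" keyword matches only non-initial fragments.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str              # "udp" | "tcp" | ...
    src: str
    dst: str
    frag_offset: int        # in 8-byte units; 0 = unfragmented or initial fragment
    more_frags: bool
    dport: Optional[int]    # None when no L4 header is present (non-initial fragment)

    @property
    def is_non_initial_fragment(self) -> bool:
        return self.frag_offset > 0

    @property
    def reported_port(self) -> int:
        # A fragment without an L4 header is displayed as "port 0" by the router.
        return 0 if self.dport is None else self.dport


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" | "deny"
    proto: str                   # "ipv4" matches any IP protocol
    dport: Optional[int] = None  # "eq N"; None means no L4 fields
    fragments: bool = False      # "fragments" keyword

    def l3_matches(self, pkt: Packet) -> bool:
        return self.proto == "ipv4" or self.proto == pkt.proto


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence number); (deny, None) is the implicit deny."""
    for ace in acl:
        if not ace.l3_matches(pkt):
            continue
        if ace.fragments:
            if pkt.is_non_initial_fragment:
                return ace.action, ace.seq
            continue
        if ace.dport is None:                 # L3-only ACE: applies to everything
            return ace.action, ace.seq
        if pkt.is_non_initial_fragment:       # L4 ACE, but no L4 header to check
            if ace.action == "permit":
                return "permit", ace.seq
            continue                          # a deny with L4 fields is skipped
        if pkt.dport == ace.dport:
            return ace.action, ace.seq
    return "deny", None


def fragment(proto: str, src: str, dst: str, dport: int,
             payload_len: int, mtu: int = 1500, ihl: int = 20) -> List[Packet]:
    """Split one datagram into IPv4 fragments; only the first carries the L4 header."""
    max_data = (mtu - ihl) // 8 * 8          # all but the last fragment are multiples of 8
    frags, off = [], 0
    while off < payload_len:
        chunk = min(max_data, payload_len - off)
        more = off + chunk < payload_len
        frags.append(Packet(proto, src, dst, off // 8, more, dport if off == 0 else None))
        off += chunk
    return frags


# The ACL from the original post, and the same ACL with an explicit fragment deny.
BLOCK_ZERO = [
    Ace(20, "deny", "udp", dport=0),
    Ace(30, "deny", "tcp", dport=0),
    Ace(40, "permit", "ipv4"),
]
BLOCK_ZERO_WITH_FRAGMENTS = [
    Ace(10, "deny", "ipv4", fragments=True),
    Ace(20, "deny", "udp", dport=0),
    Ace(30, "deny", "tcp", dport=0),
    Ace(40, "permit", "ipv4"),
]

if __name__ == "__main__":
    # Constructed: a 3000-byte reflected UDP response toward the victim.
    for frag in fragment("udp", "198.51.100.9", "192.0.2.10", 54321, 3000):
        print(f"offset={frag.frag_offset:4d} shown-as-port={frag.reported_port:5d} "
              f"block-zero={evaluate(BLOCK_ZERO, frag)} "
              f"with-fragments={evaluate(BLOCK_ZERO_WITH_FRAGMENTS, frag)}")
```

Running it shows the initial fragment reported with its real port and permitted by both ACLs, while every non-initial fragment shows as port 0, slips past both "eq 0" denies in the original ACL (they cannot be evaluated, so they are skipped) and is permitted by sequence 40; with the `fragments` ACE in place those same fragments are dropped at sequence 10. A genuine unfragmented UDP port-0 packet is still caught by sequence 20 in either ACL.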
