Re: [c-nsp] ACL to block udp/0?

2023-12-06 Thread Dobbins, Roland via cisco-nsp
On Dec 6, 2023, at 17:46, Gert Doering wrote:

> I'd argue that the DNS folks recommend using EDNS0 with 1232 bytes, which works just fine to avoid fragments...

Of course, the last true Internet flag day was in 1994, flag days aren't possible anymore, & this is far from universally implemented.

Re: [c-nsp] ACL to block udp/0?

2023-12-06 Thread Gert Doering via cisco-nsp
Hi,

On Wed, Dec 06, 2023 at 09:00:58AM +, Dobbins, Roland wrote:
> On Dec 6, 2023, at 04:45, Gert Doering via cisco-nsp wrote:
>
> > deny ipv4 any any fragments
>
> This approach is generally contraindicated, as it tends to break EDNS0, &
> DNSSEC along with it.

I'd argue that the

Re: [c-nsp] ACL to block udp/0?

2023-12-06 Thread Dobbins, Roland via cisco-nsp
On Dec 6, 2023, at 04:45, Gert Doering via cisco-nsp wrote:

> deny ipv4 any any fragments

This approach is generally contraindicated, as it tends to break EDNS0, & DNSSEC along with it.

If the target is a broadband access network, you can use flow telemetry to measure normal rates of

Re: [c-nsp] ACL to block udp/0?

2023-12-05 Thread Hank Nussbacher via cisco-nsp
On 05/12/2023 23:44, Gert Doering wrote:
> D'Wayne Saunders already pointed at this most likely being fragments -
> large packet reflections, and all non-initial fragments being reported
> by IOS* as "port 0" (so you should see 1500 byte regular UDP as well,
> with a non-0 port number)
>
> IOS XR syntax

Re: [c-nsp] ACL to block udp/0?

2023-12-05 Thread Gert Doering via cisco-nsp
Hi,

On Tue, Dec 05, 2023 at 11:27:21PM +0200, Hank Nussbacher via cisco-nsp wrote:
> We encountered something strange.  We run IOS-XR 7.5.2 on ASR9K platform.
>
> Had a user under udp/0 attack.  Tried to block it via standard ACL:
>
>
> ipv4 access-list block-zero
>  20 deny udp any any eq 0
>

Re: [c-nsp] ACL to block udp/0?

2023-12-05 Thread Saunders, D'Wayne via cisco-nsp
Howdy, on my phone so no detail, but the Flow being reported will be due to fragments and not necessarily port 0. The below link has details on how to block fragments: Access Control Lists and IP

[c-nsp] ACL to block udp/0?

2023-12-05 Thread Hank Nussbacher via cisco-nsp
We encountered something strange.  We run IOS-XR 7.5.2 on ASR9K platform.

Had a user under udp/0 attack.  Tried to block it via standard ACL:

ipv4 access-list block-zero
 20 deny udp any any eq 0
 30 deny tcp any any eq 0
 40 permit ipv4 any any

Applied to interface:

 ipv4 access-group