Re: Fragment attack

From: jenseike (jenseike@start.no)
Date: Wed Mar 23 2005 - 05:48:41 GMT-3


Hi there,
Many DoS attacks rely on flooding core routers with fragmented packets.
Using ACLs to filter incoming fragments destined for the core helps prevent
attacks that inject fragments by matching Layer 3 permit rules in the
transit ACL. Using a deny statement for fragments at the beginning of the
ACL denies all noninitial fragments from accessing the router. However, this
statement should be configured with caution because certain protocols
require fragmentation and, therefore, will be denied access if a deny
fragment statement exists in the ACL. Following are three sample deny
statements:
Example:
! Deny non-initial TCP, ICMP and UDP fragments (source any, destination any)
access-list 101 deny tcp any any fragments
access-list 101 deny icmp any any fragments
access-list 101 deny udp any any fragments

Hope that helps you a little!

Jens Petter

----- Original Message -----
From: "Ivan Ostre9" <ivan.ostres@snt.hr>
To: <ccielab@groupstudy.com>
Sent: Wednesday, March 23, 2005 9:27 AM
Subject: Fragment attack

> Hello group,
>
> Is there any other way of defending against 'fragment attacks' other than
> using CBAC?
>
> Regards,
> Ivan



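The following is an added example, not part of the original posts and not Cisco code: a Python model of which packets the three `fragments` deny entries in the reply would match, based on the IPv4 fragment offset field. The function names, the constructed sample headers and the documentation-range addresses are assumptions made for illustration.

```python
import struct

# Protocol numbers covered by the three deny entries: ICMP, TCP, UDP.
DENIED_PROTOCOLS = {1, 6, 17}

def build_ipv4_header(proto, more_fragments, offset_units, payload_len=8):
    """Constructed sample header: 20 bytes, no options, checksum left at 0."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0x1234, flags_frag,
                       64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))

def classify(header):
    """Return (protocol, kind); kind is unfragmented, initial or non-initial."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (flags_frag,) = struct.unpack_from("!H", header, 6)
    more_fragments = bool(flags_frag & 0x2000)   # MF flag
    offset_bytes = (flags_frag & 0x1FFF) * 8     # offset is in 8-byte units
    if offset_bytes:
        kind = "non-initial"   # carries no Layer 4 header, so no ports to match
    elif more_fragments:
        kind = "initial"       # offset 0, MF set: still has the Layer 4 header
    else:
        kind = "unfragmented"
    return header[9], kind

def denied_by_fragment_entries(header):
    """True when one of the three 'deny <proto> any any fragments' entries matches."""
    proto, kind = classify(header)
    return proto in DENIED_PROTOCOLS and kind == "non-initial"

# Constructed samples: (protocol, MF flag, fragment offset in 8-byte units).
SAMPLES = {
    "tcp whole packet":     build_ipv4_header(6, False, 0),
    "udp first fragment":   build_ipv4_header(17, True, 0),
    "udp middle fragment":  build_ipv4_header(17, True, 185),
    "icmp last fragment":   build_ipv4_header(1, False, 370),
    "gre last fragment":    build_ipv4_header(47, False, 185),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:22} {classify(hdr)[1]:13} denied={denied_by_fragment_entries(hdr)}")
```

Initial fragments and unfragmented packets fall through to the later ACL entries, as do non-initial fragments of protocols other than the three listed.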