1 May 2024, 3:27 p.m.
Hello. Under the section discussing Ingress Filtering you failed to discuss the issue of fragment filtering. A very common and powerful DDoS attack is the UDP fragment attack: https://ddos-guard.net/en/terms/ddos-attack-types/udp-fragmentation-flood

The common thing many ISPs as well as enterprises do to mitigate the attack is to block all fragments, which on most servers has almost no effect. But on DNS and VPN servers, blocking fragments is fatal, and therefore a warning needs to be put into the doc that UDP fragments should *never* be blocked to DNS servers - even when under fragment attack. See https://puck.nether.net/pipermail/cisco-nsp/2023-December/108992.html for further details.

Regards,
Hank
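The filtering problem Hank describes, worked through as an added example (this code is not part of the comment or of the draft under discussion): a blanket "drop all fragments" rule cannot carve out DNS by port, because only the first fragment of a datagram carries the UDP header; every later fragment has just the IPv4 header with a non-zero fragment offset. The only workable exemption is therefore by destination address. The parser below reads the IPv4 flags and fragment offset, and the policy drops fragments except those destined to an allow-list of DNS/VPN server addresses. All addresses (192.0.2.53, 198.51.100.10) are constructed from the RFC 5737 documentation ranges, and the packet bytes are built inline.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IPv4 fragment-related header fields (RFC 791): 3 flag bits then a 13-bit offset
# in 8-byte units. Flags bit order is: reserved, DF, MF.
_FLAG_MF = 0x1
_FLAG_DF = 0x2


@dataclass
class IPv4Fragment:
    src: str
    dst: str
    proto: int
    dont_fragment: bool
    more_fragments: bool
    offset: int  # fragment offset in 8-byte units


def parse_ipv4_header(raw: bytes) -> IPv4Fragment:
    """Parse the 20-byte fixed IPv4 header; options and payload are ignored."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, _total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags = flags_frag >> 13
    return IPv4Fragment(
        src=str(ip_address(src)),
        dst=str(ip_address(dst)),
        proto=proto,
        dont_fragment=bool(flags & _FLAG_DF),
        more_fragments=bool(flags & _FLAG_MF),
        offset=flags_frag & 0x1FFF,
    )


def is_fragment(h: IPv4Fragment) -> bool:
    """True for any piece of a fragmented datagram, first piece included."""
    return h.more_fragments or h.offset != 0


def carries_transport_header(h: IPv4Fragment) -> bool:
    """Only the first fragment (offset 0) contains the UDP/TCP header, so a
    port-based exemption can be evaluated on that piece alone; later pieces
    have no port information at all."""
    return h.offset == 0


def fragment_policy(raw: bytes, exempt_destinations) -> str:
    """'accept' or 'drop' for one packet under a 'drop fragments except to
    listed DNS/VPN servers' policy. exempt_destinations is an iterable of
    ip_network objects (constructed allow-list, hypothetical)."""
    h = parse_ipv4_header(raw)
    if not is_fragment(h):
        return "accept"
    dst = ip_address(h.dst)
    if any(dst in net for net in exempt_destinations):
        return "accept"
    return "drop"


def build_ipv4_header(src: str, dst: str, proto: int,
                      more_fragments: bool, offset: int) -> bytes:
    """Build a constructed 20-byte IPv4 header for the examples below
    (checksum left at zero; it is not needed for the policy decision)."""
    flags_frag = ((_FLAG_MF if more_fragments else 0) << 13) | (offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, flags_frag,
                       64, proto, 0, ip_address(src).packed, ip_address(dst).packed)


UDP = 17
# Constructed allow-list: one authoritative DNS server and one VPN concentrator.
EXEMPT = [ip_network("192.0.2.53/32"), ip_network("192.0.2.99/32")]

# Constructed sample traffic: a large (e.g. DNSSEC) response to the DNS server
# split in two fragments, and the same shape of traffic to a web server.
SAMPLES = {
    "dns_first_fragment": build_ipv4_header("203.0.113.7", "192.0.2.53", UDP, True, 0),
    "dns_last_fragment": build_ipv4_header("203.0.113.7", "192.0.2.53", UDP, False, 185),
    "web_last_fragment": build_ipv4_header("203.0.113.7", "198.51.100.10", UDP, False, 185),
    "web_unfragmented": build_ipv4_header("203.0.113.7", "198.51.100.10", UDP, False, 0),
}


def evaluate_samples() -> dict:
    """Apply the policy to every constructed sample; returns name -> verdict."""
    return {name: fragment_policy(pkt, EXEMPT) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        h = parse_ipv4_header(SAMPLES[name])
        print(f"{name:20s} dst={h.dst:15s} MF={int(h.more_fragments)} "
              f"offset={h.offset:4d} has_ports={carries_transport_header(h)} -> {verdict}")
```

The point the table of verdicts makes is the one behind the warning in the comment: the non-first fragment to the DNS server carries no port, so a rule written as "allow UDP/53, drop other fragments" would silently drop it and break every large response; the exemption has to name the server's address. The same reasoning applies to the VPN concentrator.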