The other night our CCR1072 running 6.48.5 was brought to its knees by a UDP fragmentation DDoS attack.
Fragmented packets were large-byte packets, but not sure that matters as far as the work the router has to do to reconstruct packets, other than memory use.
Got that mitigated, but now I'm working on a RAW rule to limit the rate of frag attacks.
The trick is to find the right balance between protection and allowing valid fragmented traffic.
This router sees peak evening traffic of about 4-4.5Gbps.
Over the last couple of days, the following rules saw 6.5M fragmented packets and dropped 46K of them that exceeded the 300/sec limit:
/ip firewall raw
add action=accept chain=prerouting comment="Experimental Fragmented traffic limit rule for DDoS protection. 300/sec to dst. Addr." dst-limit=300,300,dst-address/1m fragment=yes log-prefix="Frag Traffic"
add action=drop chain=prerouting comment="Fragmented traffic over limit" fragment=yes log-prefix="Frag Traffic excess"
Does anyone have a better way of dealing with Frag attacks?
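As an added example, not part of the original post and not MikroTik's own documentation, here is the same raw-chain dst-limit approach with two additions a defender usually wants: an exemption list for peers known to send legitimate fragments (IPsec/VPN endpoints are the usual case), and a sampled log rule placed before the drop so the over-limit traffic can be reviewed without the logging itself becoming the load. The address-list name `frag-exempt` and the `10.0.0.0/8` entry are placeholders.

```routeros
# Added example, not the original poster's rules.
# "frag-exempt" and 10.0.0.0/8 are constructed placeholders; replace with real peers.
/ip firewall address-list
add list=frag-exempt address=10.0.0.0/8 comment="Peers known to send valid fragments (placeholder)"

/ip firewall raw
# Known-good fragment sources bypass the limiter entirely.
add chain=prerouting fragment=yes src-address-list=frag-exempt action=accept comment="Exempt fragmented traffic"
# Up to 300 fragments/s per destination address (burst 300); a destination's bucket expires after 1m idle.
add chain=prerouting fragment=yes dst-limit=300,300,dst-address/1m action=accept comment="Fragmented traffic within limit"
# Log at most 1 line/s per destination (burst 5) of the excess; action=log passes the packet on to the next rule.
add chain=prerouting fragment=yes dst-limit=1,5,dst-address/1m action=log log-prefix="Frag excess" comment="Sampled log of over-limit fragments"
# Anything fragmented that reaches this point is over the limit.
add chain=prerouting fragment=yes action=drop comment="Fragmented traffic over limit"
```

Because these rules sit in the raw table they are evaluated before connection tracking, so the drop is cheap. Check the balance between the accept and drop counters with `/ip firewall raw print stats` during a normal evening peak before trusting the 300/sec figure; `/ip firewall raw reset-counters-all` starts a fresh measurement window.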