Cisco ACL – How Does a Cisco ACL Handle Fragments

Tags: acl, cisco, cisco-commands, fragmentation, Security

We have an ASR1000 with the following ACL, but yesterday someone hit us with a big DDoS attack, and I found it was a DNS amplification attack, so all source ports were 53, and it was definitely a fragmentation attack. See the following NetFlow data. I saw the router blocked some of the data, but some data sneaked in. In short, it hit the internal servers.

Question: Why didn't the ACL stop this attack? How does the ACL handle fragmented packets here? The first packet contains port info, but the following fragmented packets are L3, so how does a firewall handle them? We have a deny any any at the end, too.

Netflow

Top 10 Src Port ordered by bps:
Date first seen          Duration Proto          Src Port    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2016-10-26 10:06:42.898  1207.930 any                   0    64619(49.0)   68.6 M(49.8)   86.7 G(57.2)    56826  574.5 M  1263
2016-10-26 10:06:42.754  1420.227 any                  53    46718(35.4)   47.1 M(34.2)   61.8 G(40.7)    33153  348.2 M  1313

ACL

ip access-list extended FOO-ACL
 permit udp any gt 1023 object-group VOIP-NET range 12000 13000
 permit udp any gt 1023 object-group SIP-NET eq 5060 
 permit udp object-group GOOGLE-DNS any
 permit tcp host any eq bgp host X.X.X.X
 permit icmp any object-group ICMP-NET echo-reply
 permit icmp any object-group ICMP-NET net-unreachable
 permit icmp any object-group ICMP-NET host-unreachable
 permit icmp any object-group ICMP-NET port-unreachable
 permit icmp any object-group ICMP-NET ttl-exceeded
 deny   ip any any

Best Answer

You are not denying fragments. Cisco has an Access Control Lists and IP Fragments document that specifically deals with this problem.

ACLs and Fragmented Packets

ACLs have a fragments keyword that enables specialized fragmented packet-handling behavior. In general, noninitial fragments that match the Layer 3 statements (protocol, source address, and destination address)—irrespective of the Layer 4 information in an ACL—are affected by the permit or deny statement of the matched entry. Note that the use of the fragments keyword can force ACLs to either deny or permit noninitial fragments with more granularity.

Filtering fragments adds an additional layer of protection against a denial-of-service (DoS) attack that uses only noninitial fragments (such as FO > 0). The use of a deny statement for noninitial fragments at the beginning of the ACL denies all noninitial fragments from accessing the router. Under rare circumstances, a valid session might require fragmentation and therefore be filtered if a deny fragment statement exists in the ACL. Conditions that might lead to fragmentation include the use of digital certificates for ISAKMP authentication and the use of IPSec NAT Traversal.

For example, consider the partial ACL shown here.

access-list 110 deny tcp any Internet routable subnet fragments
access-list 110 deny udp any Internet routable subnet fragments
access-list 110 deny icmp any Internet routable subnet fragments
<rest of ACL>

Adding these entries to the beginning of an ACL denies any noninitial fragment access to the network, while nonfragmented packets or initial fragments pass to the next lines of the ACL unaffected by the deny fragment statements. The previous ACL snippet also facilitates classification of the attack since each protocol—UDP, TCP, and ICMP—increments separate counters in the ACL.

Since many attacks rely on flooding with fragmented packets, filtering incoming fragments to the internal network provides an added measure of protection and helps ensure that an attack cannot inject fragments by simply matching layer 3 rules in the transit ACL.

Refer to Access Control Lists and IP Fragments for a detailed discussion of the options.
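As an added illustration (not code from the original answer or from Cisco's document), the Python model below applies the fragment-matching rules the answer quotes to a cut-down version of FOO-ACL: noninitial fragments are compared on Layer 3 only, an entry with the `fragments` keyword matches only noninitial fragments, and a deny that carries Layer 4 information is skipped for a noninitial fragment (the rule stated in the Cisco document the answer cites). The object-group contents, addresses and ports are assumed values taken from documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "udp", "tcp", "icmp"
    src: str                 # CIDR or "any"
    dst: str
    sports: tuple = None     # inclusive L4 source-port range, None = unspecified
    dports: tuple = None     # inclusive L4 destination-port range
    fragments: bool = False  # the 'fragments' keyword: noninitial fragments only

@dataclass
class Pkt:
    proto: str
    src: str
    dst: str
    frag_offset: int = 0     # FO > 0: noninitial fragment, carries no L4 header
    sport: int = None
    dport: int = None

def in_range(r, port): return r is None or (port is not None and r[0] <= port <= r[1])

def l3_match(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and (ace.src == "any" or ip_address(pkt.src) in ip_network(ace.src))
            and (ace.dst == "any" or ip_address(pkt.dst) in ip_network(ace.dst)))

def evaluate(acl, pkt):  # returns "permit" or "deny"
    noninitial = pkt.frag_offset > 0
    for ace in acl:
        if not l3_match(ace, pkt):
            continue
        if ace.fragments:                 # matches noninitial fragments only
            if noninitial:
                return ace.action
        elif not noninitial:              # full L3 + L4 comparison is possible
            if in_range(ace.sports, pkt.sport) and in_range(ace.dports, pkt.dport):
                return ace.action
        elif ace.action == "permit" or (ace.sports is None and ace.dports is None):
            return ace.action             # L3 matched, L4 unknown; a deny that
    return "deny"                         # names ports is skipped; implicit deny
VOIP_NET = "203.0.113.0/24"               # assumed contents of object-group VOIP-NET
FOO_ACL = [Ace("permit", "udp", "any", VOIP_NET, (1024, 65535), (12000, 13000)),
           Ace("deny", "ip", "any", "any")]
HARDENED_ACL = [Ace("deny", "udp", "any", VOIP_NET, fragments=True)] + FOO_ACL
# Constructed DNS-amplification flow: reflected from UDP/53, fragmented in transit
INITIAL = Pkt("udp", "198.51.100.10", "203.0.113.7", 0, sport=53, dport=9000)
TAIL = Pkt("udp", "198.51.100.10", "203.0.113.7", frag_offset=185)
```

Running `evaluate(FOO_ACL, TAIL)` shows the noninitial fragment slipping through on the Layer 3 match of the VOIP-NET permit, while `evaluate(HARDENED_ACL, TAIL)` shows the leading `fragments` deny catching it without affecting the initial packet's handling.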
