When you apply an ACL to an interface on a Cisco 6500 or 7600, the router compiles it and programs it into TCAM. The way the 6500/7600 handles IP fragments when it does this can have an unintended consequence that leaves the hosts behind the ACL open to a denial-of-service attack. Let's consider the following example:
We want to allow any server in the 172.16.100.0/24 network to initiate any TCP connection and to query any DNS server directly. Here is our ACL:
ip access-list extended Test1
permit tcp any any established
permit udp any eq domain any
deny ip any any
We apply it inbound on the internet-facing interface of the Cisco 7600 router with "ip access-group Test1 in". Now let's look at what actually ended up in TCAM:
Cisco7600#show tcam int gi 1/1 acl in ip
* Global Defaults shared
Entries from Bank 0
Entries from Bank 1
permit tcp any any fragments
permit udp any any fragments
permit tcp any any established match-any
permit udp any eq domain any
The router automatically added "permit tcp any any fragments" and "permit udp any any fragments", i.e. it permits all non-initial TCP and UDP fragments, from anywhere to anywhere. This is the documented fragment handling of IOS ACLs made visible: a non-initial fragment carries no TCP or UDP header, so an entry that matches on ports or on the established flag can only be checked against its Layer 3 part, and for a permit entry the fragment is permitted. The TCAM compiler expresses that rule as an explicit "permit ... fragments" entry in front of each such permit. Now let's see whether it actually happens. First, take a look at the compiled ACL again, this time with its match counters:
Cisco7600#show tcam int gi 1/1 acl in ip
* Global Defaults shared
Entries from Bank 0
Entries from Bank 1
permit tcp any any fragments
permit udp any any fragments (41 matches)
permit tcp any any established match-any (220 matches)
permit udp any eq domain any
Note the counter on the UDP fragments entry: 41 matches. Next, on the "attacker" host we generate fragmented UDP traffic targeting a server in the 172.16.100.0/24 network:
hping2 -2 -d 1500 -c 1 -s 10000 -p 90 -m 500 -f 172.16.100.10
The command above sends one UDP packet with 1500 bytes of payload from port 10000 on the local host to port 90 on 172.16.100.10, with hping2's virtual MTU (-m) set to 500 bytes so that the packet is fragmented (-f) before it is sent. On the target host we run tcpdump:
10:47:41.942010 IP (tos 0x0, ttl 63, id 130, offset 496, flags [+], length: 520) 172.16.0.101 > 172.16.100.10: udp
10:47:41.942027 IP (tos 0x0, ttl 63, id 130, offset 1000, flags [+], length: 520) 172.16.0.101 > 172.16.100.10: udp
10:47:41.942034 IP (tos 0x0, ttl 63, id 130, offset 1496, flags [none], length: 28) 172.16.0.101 > 172.16.100.10: udp
The first fragment, the only one that carries the UDP header, was dropped by our ACL: the ACL permits UDP only from source port 53, and this packet comes from port 10000. The other three fragments got through, because they carry no UDP header at all and so match the auto-generated "permit udp any any fragments" entry. Let's check the counter again:
Cisco7600#show tcam int gi 1/1 acl in ip
* Global Defaults shared
Entries from Bank 0
Entries from Bank 1
permit tcp any any fragments
permit udp any any fragments (44 matches)
permit tcp any any established match-any (224 matches)
permit udp any eq domain any
So an attacker can flood any host behind this ACL, your web or email server for example, with non-initial UDP fragments, regardless of which ports the ACL permits. The target has to hold each fragment in its reassembly queue until the reassembly timer expires, because the initial fragment that would complete the datagram never arrives, and it spends memory and CPU discarding incomplete packets. We cannot simply block all fragments: legitimate DNS replies can be large enough to require fragmentation. The solution is to allow outbound UDP, and hence incoming replies and their fragments, only to the specific hosts that need them, such as your caching DNS server, and to put a proper stateful firewall in front of those hosts. On the 6500/7600 this means writing the fragment policy explicitly, for example a "permit udp any host <resolver> fragments" entry followed by "deny ip any any fragments", ahead of the Layer 4 entries, so that the compiler's implicit "permit udp any any fragments" is never reached. Keep in mind that IOS does not accept the fragments keyword on an entry that carries port information, and that the initial fragment of a DNS reply is still matched by the regular "permit udp any eq domain any" entry.
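To make the fragment rules above concrete, here is a small model of how an IOS ACL evaluates initial and non-initial fragments, run against the post's ACL and against a hardened version with explicit fragments entries. It is an added example, not code from the original post or from Cisco; it parses only the ACE syntax used here (any, host, eq, established, fragments), and the caching resolver 172.16.100.53, the external DNS server 192.0.2.53 and the fragmented DNS reply are constructed for the example.

```python
# Model of IOS ACL fragment handling: added example, not code from the post or
# from Cisco. Hosts 172.16.100.53 and 192.0.2.53 are constructed for the example.
from __future__ import annotations
from dataclasses import dataclass
import ipaddress
import re

PORT_NAMES = {"domain": 53}  # IOS port keyword used in the post
ACE_RE = re.compile(
    r"(?P<action>permit|deny) (?P<proto>\w+) (?P<src>any|host \S+)(?: eq (?P<sport>\S+))?"
    r" (?P<dst>any|host \S+)(?: eq (?P<dport>\S+))?(?P<est> established)?(?P<frag> fragments)?")


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int | None = None  # None on a non-initial fragment: it carries no L4 header
    dport: int | None = None
    offset: int = 0           # IP fragment offset in bytes; > 0 means non-initial fragment
    flags: frozenset = frozenset()  # TCP flags seen, e.g. frozenset({"ACK"})


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: int | None
    dst: ipaddress.IPv4Network
    dport: int | None
    established: bool
    fragments: bool

    @property
    def has_l4(self) -> bool:  # matches on something only the initial fragment carries
        return self.sport is not None or self.dport is not None or self.established


def parse_ace(line: str) -> Ace:
    m = ACE_RE.fullmatch(line.strip())
    assert m, f"unsupported ACE: {line}"
    net = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s.split()[1] + "/32")
    port = lambda s: None if s is None else PORT_NAMES.get(s) or int(s)
    return Ace(m["action"], m["proto"], net(m["src"]), port(m["sport"]),
               net(m["dst"]), port(m["dport"]), bool(m["est"]), bool(m["frag"]))


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if pkt.offset > 0:
        # No L4 header: 'fragments' and pure-L3 ACEs apply as written, an L4 permit
        # is applied on its L3 part alone, and an L4 deny is skipped.
        return ace.fragments or not ace.has_l4 or ace.action == "permit"
    if ace.fragments:  # a 'fragments' ACE never matches an initial fragment
        return False
    for want, have in ((ace.sport, pkt.sport), (ace.dport, pkt.dport)):
        if want is not None and have != want:
            return False
    return not ace.established or bool(pkt.flags & {"ACK", "RST"})


def evaluate(acl: list[Ace], pkt: Packet) -> str:
    # First matching ACE wins; every IOS ACL ends in an implicit deny.
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def implicit_fragment_entries(acl: list[Ace]) -> list[str]:
    """The 'permit ... fragments' entries the TCAM listing shows: one per L4 permit ACE."""
    name = lambda n: "any" if n.prefixlen == 0 else f"host {n.network_address}"
    return [f"permit {a.proto} {name(a.src)} {name(a.dst)} fragments"
            for a in acl if a.action == "permit" and a.has_l4 and not a.fragments]


ORIGINAL_ACL = [parse_ace(l) for l in (
    "permit tcp any any established",
    "permit udp any eq domain any",
    "deny ip any any")]

# Non-initial fragments only to the caching resolver (172.16.100.53, constructed).
HARDENED_ACL = [parse_ace(l) for l in (
    "permit udp any host 172.16.100.53 fragments",
    "deny ip any any fragments",
    "permit tcp any any established",
    "permit udp any eq domain any",
    "deny ip any any")]

# The hping2 datagram from the post: initial fragment plus the three fragments tcpdump showed.
ATTACK = [Packet("udp", "172.16.0.101", "172.16.100.10", 10000, 90)] + [
    Packet("udp", "172.16.0.101", "172.16.100.10", offset=o) for o in (496, 1000, 1496)]

# Constructed: a large DNS reply to the resolver, arriving as two fragments.
DNS_REPLY = [Packet("udp", "192.0.2.53", "172.16.100.53", 53, 40000),
             Packet("udp", "192.0.2.53", "172.16.100.53", offset=1480)]
```

Running evaluate over ATTACK with ORIGINAL_ACL reproduces the post: the initial fragment is denied and the three non-initial fragments are permitted, which is what the 41-to-44 counter jump recorded. With HARDENED_ACL all four are denied, while both fragments of the DNS reply to the resolver are still permitted, the initial one by the port entry and the non-initial one by the host-specific fragments entry.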