
I am presently blocking a small scale DDOS attack using IP addresses but all the packets are the same size, 1514 bits, and I kind of don't want to fill up an ACL rule with a bunch of IPs. After reading the Cisco documentation it should be possible to filter by the packet-length operator; however, it does not appear to work and I have never tried it. This is what I used:

deny ip any any packet-length eq 1514

Has anyone ever used the packet-length operator, and is this the right usage of it?

Al Katawazi

1 Answer


1514 bytes is just the size of a full IP packet (1500 bytes) plus the 14 byte Ethernet header. You'll block traffic you don't want to block if you do that.

You should contact your ISP and see if they will help. Most ISPs are equipped to deal with this, as they deal with these every day. They can block it at their end, which will prevent the DDOS from filling your circuit. Even if you block the packets at entry, they can still fill your circuit, though they won't be beating on your server(s) anymore.

scottm32768
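The following is an added example, not code from either the question or the answer above. It illustrates both points made on this page: the 1514 figure is an Ethernet frame length (14-byte header plus a 1500-byte IP packet), and a size-based rule cannot tell attack packets from legitimate full-MTU packets of the same size. It builds constructed Ethernet/IPv4 frames, parses out both lengths, and simulates a packet-length ACL test against a small constructed traffic sample. It assumes (this is an assumption, not something the page states) that an IP-layer ACL compares against the IP total length field rather than the on-wire frame length; the MAC and IP addresses are documentation/reserved values chosen for the example.

```python
import struct

ETH_HDR_LEN = 14        # Ethernet II header: dst MAC (6), src MAC (6), EtherType (2)
IP_HDR_MIN_LEN = 20     # IPv4 header without options
ETHERTYPE_IPV4 = 0x0800


def build_frame(ip_total_len: int, src_ip: str = "192.0.2.10") -> bytes:
    """Construct an Ethernet II frame carrying a minimal IPv4 packet of the given IP total length."""
    if ip_total_len < IP_HDR_MIN_LEN:
        raise ValueError("IP total length must cover the 20-byte header")
    eth_hdr = (bytes.fromhex("00005e005301")            # constructed dst MAC
               + bytes.fromhex("00005e005302")          # constructed src MAC
               + struct.pack("!H", ETHERTYPE_IPV4))
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, ip_total_len, 0x1234, 0x4000, 64, 6, 0,   # checksum left 0: irrelevant to length parsing
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in "203.0.113.5".split(".")),    # constructed destination (the "server")
    )
    payload = b"\x00" * (ip_total_len - IP_HDR_MIN_LEN)
    return eth_hdr + ip_hdr + payload


def frame_lengths(frame: bytes) -> dict:
    """Return the on-wire frame length (what a capture reports) and the IPv4 total length
    (what an IP-layer filter sees), parsed from the headers."""
    if len(frame) < ETH_HDR_LEN + IP_HDR_MIN_LEN:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    version_ihl, _tos, total_len = struct.unpack("!BBH", frame[ETH_HDR_LEN:ETH_HDR_LEN + 4])
    if version_ihl >> 4 != 4:
        raise ValueError("IP version field is not 4")
    return {"frame_len": len(frame), "ip_total_len": total_len}


# Operators in the style of the ACL syntax quoted in the question.
OPS = {
    "eq": lambda a, b: a == b,
    "neq": lambda a, b: a != b,
    "gt": lambda a, b: a > b,
    "lt": lambda a, b: a < b,
}


def acl_packet_length_matches(frame: bytes, op: str, value: int) -> bool:
    """Simulate a packet-length test in an IP-layer ACL.
    Assumption (not stated on the page): the comparison uses the IP total length,
    so the 14-byte Ethernet header never counts."""
    return OPS[op](frame_lengths(frame)["ip_total_len"], value)


# Constructed traffic sample: three full-MTU flood packets, plus legitimate traffic
# that includes two equally full-sized file-transfer packets and some small ones.
SAMPLE_TRAFFIC = [
    ("attack", build_frame(1500, "198.51.100.1")),
    ("attack", build_frame(1500, "198.51.100.2")),
    ("attack", build_frame(1500, "198.51.100.3")),
    ("legit", build_frame(1500, "192.0.2.20")),   # large download, same size as the flood
    ("legit", build_frame(1500, "192.0.2.21")),
    ("legit", build_frame(576, "192.0.2.22")),
    ("legit", build_frame(576, "192.0.2.23")),
    ("legit", build_frame(52, "192.0.2.24")),     # TCP ACK-sized packet
]


def collateral_damage(traffic, op: str, value: int) -> tuple:
    """Apply a 'deny ... packet-length <op> <value>' rule to labelled frames.
    Returns (attack_frames_blocked, legitimate_frames_blocked)."""
    attack_blocked = legit_blocked = 0
    for label, frame in traffic:
        if acl_packet_length_matches(frame, op, value):
            if label == "attack":
                attack_blocked += 1
            else:
                legit_blocked += 1
    return attack_blocked, legit_blocked


if __name__ == "__main__":
    print(frame_lengths(build_frame(1500)))                 # frame 1514, IP total length 1500
    print("eq 1514 ->", collateral_damage(SAMPLE_TRAFFIC, "eq", 1514))   # matches nothing
    print("eq 1500 ->", collateral_damage(SAMPLE_TRAFFIC, "eq", 1500))   # blocks the flood and the downloads
```

Two things fall out of running this: under the stated assumption a rule written for 1514 never matches anything, because the IP-layer length of a full-size frame is 1500; and a rule written for 1500 does match the flood but equally denies every legitimate full-MTU packet, which is the answer's warning in concrete form.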