I'm trying to filter incoming traffic to a high-bandwidth, low-latency network, to mitigate DDoS. The incoming traffic is custom UDP (I'm setting the protocol specs, so I can force IP headers if necessary), over which some authentication token can help drop spoofed traffic. I only accept authenticated traffic (single-use authentication tokens are obtained through a side channel).

If I set the "Don't Fragment" IP header flag on, I think I'm OK, since I can now rely on my authentication token to filter traffic.

I would like to know how I could properly treat fragmented packets, especially against old IP fragment attacks like "Rose" and "New Dawn". In these attacks, because I only receive a fragment, I cannot use the authentication token to determine whether the traffic is OK until all fragments are reassembled.

I first thought that IPsec would be OK, but after a quick look at Wikipedia it seems to me that AH headers are only available after reassembly (please correct me if I'm wrong), so we are still facing the same problem.

I think it would be technically possible to add my auth token as an IP header option field (with the most significant "copied" bit set so it is copied to all fragments), but I don't know if it's good practice, or how external routers (before the packets reach my network) will handle these packets.

Ideally, well before reaching my endpoint machines, the packets will go through a network of software switches (OSI layer 2) where I would like to set my custom rules; that's why I would rather filter before reassembly of the IP packets.

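As an added illustration (not part of the question or of any answer), the following Python builds raw IPv4 packets that carry an authentication token in an IP option whose "copied" bit is set, fragments them the way a router would, and then runs a per-fragment filter that never reassembles anything. The option number (30), the 8-byte token format, the addresses and the traffic are all constructed assumptions for this example; the single-use rule is enforced by binding the token to the first (source, identification) pair that presents it, so sibling fragments pass while a second datagram reusing the token is dropped.

```python
import struct

# Option type for the auth token (an assumption for this example, not an IANA
# assignment): copied bit 0x80 set so a fragmenting router replicates it into
# every fragment (RFC 791), option class 0, option number 30.
AUTH_OPT_TYPE = 0x80 | 30
OPT_EOL, OPT_NOP, FLAG_DF, FLAG_MF = 0, 1, 0x4000, 0x2000

def checksum(data):
    """RFC 1071 ones'-complement sum over an even-length header; 0 means valid."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def auth_option(token):
    """Type/length/value encoding of the token, padded to 32 bits with EOL bytes."""
    body = bytes([AUTH_OPT_TYPE, 2 + len(token)]) + token
    return body + b"\x00" * (-len(body) % 4)

def parse_options(raw):
    opts, i = [], 0
    while i < len(raw):
        t = raw[i]
        if t == OPT_EOL:
            break
        if t == OPT_NOP:
            i += 1
            continue
        length = raw[i + 1]
        opts.append((t, raw[i + 2:i + length]))
        i += length
    return opts

def copied_options(raw):
    """What a router keeps in non-first fragments: only options with the copied bit."""
    out = b"".join(bytes([t, 2 + len(d)]) + d for t, d in parse_options(raw) if t & 0x80)
    return out + b"\x00" * (-len(out) % 4)

def ipv4_header(src, dst, proto, ident, flags_off, total_len, options=b""):
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, ident,
                      flags_off, 64, proto, 0, src, dst) + options
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def build_datagrams(src, dst, proto, payload, ident, token=None, df=False, mtu=None):
    """Wire packets for one datagram, fragmented at `mtu` as a router would do it."""
    opts = auth_option(token) if token else b""
    if df or mtu is None or 20 + len(opts) + len(payload) <= mtu:
        hl = 20 + len(opts)   # with DF set a real path would drop, not fragment
        return [ipv4_header(src, dst, proto, ident, FLAG_DF if df else 0, hl + len(payload), opts) + payload]
    pkts, off = [], 0
    while off < len(payload):
        frag_opts = opts if off == 0 else copied_options(opts)
        hl = 20 + len(frag_opts)
        data = payload[off:off + (mtu - hl) // 8 * 8]   # multiple of 8 unless last
        more = off + len(data) < len(payload)
        flags_off = (FLAG_MF if more else 0) | (off // 8)
        pkts.append(ipv4_header(src, dst, proto, ident, flags_off, hl + len(data), frag_opts) + data)
        off += len(data)
    return pkts

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total_len, ident, flags_off, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": src, "ident": ident, "proto": proto, "ihl": ihl,
            "df": bool(flags_off & FLAG_DF), "mf": bool(flags_off & FLAG_MF),
            "offset": flags_off & 0x1FFF, "options": parse_options(pkt[20:ihl]),
            "payload": pkt[ihl:total_len]}

class TokenFilter:
    """Per-packet filter needing no reassembly: every fragment carries the option.
    The first packet binds the token to (src, ident) so sibling fragments pass;
    any other datagram presenting the same token is a replay. A real deployment
    would also expire bindings after the reassembly timeout."""

    def __init__(self, valid_tokens):
        self.unused = set(valid_tokens)
        self.bound = {}

    def decide(self, pkt):
        h = parse_ipv4(pkt)
        if checksum(pkt[:h["ihl"]]) != 0:
            return "DROP: bad header checksum"
        tokens = [d for t, d in h["options"] if t == AUTH_OPT_TYPE]
        if not tokens:
            return "DROP: no auth option (fragment offset %d)" % h["offset"]
        key = (h["src"], h["ident"])
        if tokens[0] in self.unused:
            self.unused.discard(tokens[0])
            self.bound[tokens[0]] = key
            return "ACCEPT"
        if self.bound.get(tokens[0]) == key:
            return "ACCEPT"
        return "DROP: unknown or replayed token"

def demo():
    # Constructed traffic: one tokenised datagram fragmented at a 576-byte MTU,
    # one replay of its token in a new datagram, one untokenised datagram.
    src, dst = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])
    token = bytes(range(0x11, 0x19))                 # constructed 8-byte single-use token
    payload = bytes(range(256)) * 4                  # 1024 bytes, forces two fragments
    f = TokenFilter({token})
    frags = build_datagrams(src, dst, 17, payload, ident=100, token=token, mtu=576)
    replay = build_datagrams(src, dst, 17, b"x" * 8, ident=101, token=token)[0]
    bare = build_datagrams(src, dst, 17, payload, ident=102, mtu=576)
    return ([f.decide(p) for p in frags], f.decide(replay), [f.decide(p) for p in bare])
```

The point the example makes is mechanical: a token in the UDP payload exists only in the first fragment, whereas an option with the copied bit set is present in every fragment, so a layer-2 switch can judge each one alone. Whether the routers in front of the network will carry packets with an unknown option unchanged is a separate matter; many forward optioned packets on a slow path or drop them outright, which is worth measuring on the real path before committing the protocol to it.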