Although the implicit deny statement could have been used here, there would be no record of how many times a packet was filtered out by the implicit deny statement.
Using ACLs to Filter Network Traffic to Mitigate Threats 107
DoS TCP SYN Attacks: Blocking External Attacks
TCP SYN attacks involve sending large numbers of TCP SYN packets, often from a spoofed source, into the internal network, which floods the TCP connection queues of the receiving nodes. Refer to Figure 5-12 for the network topology upon which the following configurations are based.
The following ACL prevents inbound packets with the SYN flag set from entering the router. However, the ACL does allow TCP responses from the outside network for TCP connections that originated on the inside network (keyword established). The established option applies to the TCP protocol only: it indicates return traffic from an established connection, and a match occurs if the TCP datagram has the ACK control bit set.
Edge(config)#interface fastethernet 0/1        Moves to interface configuration mode
Edge(config-if)#ip access-group 102 out         Takes all access list lines that are defined as being part of group 102 and applies them in an outbound manner
Edge(config-if)#exit                            Returns to global configuration mode
Edge(config)#
Edge(config)#access-list 103 permit tcp any 10.
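To show what the established keyword actually matches, and why the explicit logged deny line gives a hit count that the implicit deny does not, here is an added Python model of the two-line ACL evaluation; it is not code from the book, and the inside network, the outside addresses and the packets are constructed.

```python
from dataclasses import dataclass
import ipaddress

@dataclass
class Packet:            # only TCP packets are modelled here
    src: str
    dst: str
    syn: bool = False
    ack: bool = False

@dataclass
class Entry:
    action: str          # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False   # match only if the ACK control bit is set
    log: bool = False
    hits: int = 0

    def matches(self, pkt):
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        # "established": only return traffic (ACK set) matches; a bare SYN never does
        return pkt.ack or not self.established

class AccessList:
    def __init__(self, entries):
        self.entries = entries
        self.implicit_denies = 0   # a real router keeps no counter for this

    def evaluate(self, pkt):
        for e in self.entries:        # first match wins, top to bottom
            if e.matches(pkt):
                e.hits += 1
                return e.action
        self.implicit_denies += 1     # fell off the end: implicit deny
        return "deny"

ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("10.0.0.0/24")   # constructed inside network
# ACL 103 as the text describes it, with an explicit logged deny at the end
acl103 = AccessList([
    Entry("permit", ANY, INSIDE, established=True),
    Entry("deny", ANY, ANY, log=True),
])

# constructed packets: a SYN from outside (flood traffic) and a SYN/ACK reply
syn_flood = Packet("203.0.113.9", "10.0.0.5", syn=True)
reply = Packet("203.0.113.9", "10.0.0.5", syn=True, ack=True)
```

Note that established is a header-bit check, not connection tracking: any outside packet with ACK set matches the permit line, which is why stateful inspection is preferred where the platform offers it.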