Attackers can use ICMP responses to the UDP traceroute packets to discover subnets and hosts on the protected network. As a rule, you should block all inbound traceroute UDP messages (UDP ports 33400 to 34400).

Refer to Figure 5-12 for the network topology upon which the following configurations are based.
Edge(config)#access-list 108 permit icmp 10.2.1.0 0.0.0.255 any packet-too-big
    Permits packet-too-big packets from 10.2.1.x going to anywhere
Edge(config)#access-list 108 permit icmp 10.2.1.0 0.0.0.255 any source-quench
    Permits source-quench packets from 10.2.1.x going to anywhere
Edge(config)#access-list 108 deny icmp any any log
    Denies all other ICMP packets from anywhere going to anywhere, and logs any instance in which this statement was used
Edge(config)#interface fastethernet 0/1
    Moves to interface configuration mode
Edge(config-if)#ip access-group 108 in
    Takes all access list lines that are defined as being part of group 108 and applies them in an inbound manner
Edge(config-if)#exit
    Returns to global configuration mode
Edge(config)#
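To show how the router evaluates these lines, here is an added Python model (not from the book) of ACL 108's first-match lookup using Cisco wildcard masks and the implicit deny at the end. The final UDP entry covering the traceroute port range is an assumed line that illustrates the advice above; it is not part of the page's configuration.

```python
# Added example, not the book's code: model first-match evaluation of ACL 108.
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

# (action, protocol, src_network, src_wildcard, qualifier, log)
# qualifier: ICMP type name, (low, high) UDP destination port range, or None (any).
ACL_108 = [
    ("permit", "icmp", "10.2.1.0", "0.0.0.255", "packet-too-big", False),
    ("permit", "icmp", "10.2.1.0", "0.0.0.255", "source-quench", False),
    ("deny", "icmp", "0.0.0.0", "255.255.255.255", None, True),      # any any, log
    # Assumed line reflecting the text's advice on inbound traceroute probes:
    ("deny", "udp", "0.0.0.0", "255.255.255.255", (33400, 34400), False),
]

def evaluate(acl, packet):
    """Return (action, matched_entry_index, logged) for an inbound packet.

    Entries are tested in order; the first match wins. If nothing matches,
    the implicit deny at the end of every Cisco ACL applies (index None).
    """
    for i, (action, proto, net, wc, qual, log) in enumerate(acl):
        if packet["proto"] != proto:
            continue
        if not wildcard_match(packet["src"], net, wc):
            continue
        if proto == "icmp" and qual is not None and packet.get("icmp_type") != qual:
            continue
        if proto == "udp" and qual is not None:
            lo, hi = qual
            if not lo <= packet["dport"] <= hi:
                continue
        return action, i, log
    return "deny", None, False

if __name__ == "__main__":
    # Constructed sample packets arriving inbound on fastethernet 0/1.
    samples = [
        {"proto": "icmp", "src": "10.2.1.7", "icmp_type": "packet-too-big"},
        {"proto": "icmp", "src": "10.2.1.7", "icmp_type": "echo"},
        {"proto": "icmp", "src": "10.3.1.7", "icmp_type": "source-quench"},
        {"proto": "udp", "src": "192.0.2.9", "dport": 33434},
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(ACL_108, pkt))
```

Note that the echo request from inside 10.2.1.0/24 still hits the logged deny, because only the two listed ICMP types are permitted before it.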
Mitigating Dedicated DoS Attacks with ACLs
Generally, routers cannot prevent all DDoS attacks, but they can help reduce the number of occurrences of attacks by building ACLs that filter known attack ports.