Hardening Cisco Routers Against TCP SYN Flood Attacks
Upgrade to at least IOS 11.2(4)
Prevent transmission of invalid IP addresses
Let's say your network is 172.16.0.0 (wildcard mask 0.0.255.255),
and your outbound interface is serial 0/1.
Set up your access list like the following so that only packets
whose source address belongs to your own network can leave the router;
any other source address is spoofed (invalid) and is dropped and logged:
access-list 111 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 deny ip any any log
interface serial 0/1
ip access-group 111 out
Prevent reception of invalid IP addresses
This assumes that you're an ISP or you have that
function within your organization.
Organizations A and B below are either your customers,
or groups within your larger organization.
Let's say that:
- Your interface toward customers A and B is serial 1/0.
- Customer A networks are 192.168.0.0 - 192.168.15.0.
- Customer B network is 172.18.0.0.
Set up your access list like the following so that only packets
sourced from your customers' address ranges are accepted on that interface;
any other source address is spoofed (invalid) and is dropped and logged:
access-list 111 permit ip 192.168.0.0 0.0.15.255 any
access-list 111 permit ip 172.18.0.0 0.0.255.255 any
access-list 111 deny ip any any log
interface serial 1/0
ip access-group 111 in
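To see how the two access lists above actually classify traffic, here is an added Python model of IOS first-match ACL evaluation with wildcard masks. It is not from the original page and is not Cisco code; the access-list entries are taken from the page, while the sample packets and the destination addresses 198.51.100.10 and 203.0.113.5 are constructed for the example. It covers both the egress case (your own network leaving serial 0/1) and the ingress case (customers arriving on serial 1/0), including a packet that arrives from the customer side carrying your own 172.16.0.0 prefix as its source.

```python
import ipaddress

# Each access-control entry is (action, source_base, source_wildcard, log).
# A source_base of "any" matches every address. Entries are evaluated top
# down and the first match wins, as IOS processes a numbered ACL; a list
# with no matching entry ends in an implicit, unlogged "deny".
EGRESS_ACL_111 = [
    ("permit", "172.16.0.0", "0.0.255.255", False),  # our own addresses
    ("deny", "any", None, True),                     # everything else: spoofed
]

INGRESS_ACL_111 = [
    ("permit", "192.168.0.0", "0.0.15.255", False),  # customer A
    ("permit", "172.18.0.0", "0.0.255.255", False),  # customer B
    ("deny", "any", None, True),
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match the base,
    a 1 bit is 'don't care' (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def evaluate(acl, src):
    """Return (action, log) for the first entry that matches src."""
    for action, base, wildcard, log in acl:
        if base == "any" or wildcard_match(src, base, wildcard):
            return action, log
    return "deny", False  # implicit deny at the end of every IOS ACL


def filter_packets(acl, packets):
    """Apply the ACL to (src, dst) pairs. Returns the per-packet verdicts as
    (src, dst, action, logged) plus a count of permitted and denied packets."""
    results = []
    counts = {"permit": 0, "deny": 0}
    for src, dst in packets:
        action, log = evaluate(acl, src)
        results.append((src, dst, action, log))
        counts[action] += 1
    return results, counts


# Constructed sample traffic (not from the original page). Outbound packets
# are what hosts behind serial 0/1 try to send; the third one carries a
# spoofed source address of the kind seen in a SYN flood.
OUTBOUND = [
    ("172.16.5.9", "198.51.100.10"),
    ("172.16.200.1", "198.51.100.10"),
    ("10.1.1.1", "198.51.100.10"),        # spoofed: not one of our addresses
]

# Inbound packets arriving on serial 1/0 from customers A and B; the last
# two claim sources outside either customer's range.
INBOUND = [
    ("192.168.15.200", "203.0.113.5"),
    ("172.18.44.2", "203.0.113.5"),
    ("192.168.16.1", "203.0.113.5"),      # one subnet past customer A's block
    ("172.16.5.9", "203.0.113.5"),        # our own prefix, arriving from a customer
]

if __name__ == "__main__":
    for name, acl, packets in (("egress", EGRESS_ACL_111, OUTBOUND),
                               ("ingress", INGRESS_ACL_111, INBOUND)):
        results, counts = filter_packets(acl, packets)
        print(f"{name}: {counts}")
        for src, dst, action, log in results:
            print(f"  {src:>15} -> {dst:<15} {action}{'  (logged)' if log else ''}")
```

Running the script prints the verdict for each sample packet. Two things the model makes visible: wildcard bits set to 1 are "don't care", so 0.0.15.255 covers exactly 192.168.0.0 through 192.168.15.255 and 192.168.16.1 falls through to the deny; and the first matching entry wins, so entry order matters. Both lists on this page are numbered 111; if you configure them on the same router, give the second list a different number, because IOS appends new statements to an existing numbered list rather than replacing it. The logged denies are your detection signal: a burst of them on the outbound interface means a host inside your network is sourcing spoofed packets.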
For more information, see:
http://www.cisco.com/