Hardening Cisco Routers Against TCP SYN Flood Attacks

Upgrade to at least IOS 11.2(4)

Prevent transmission of invalid IP addresses

Let's say your network is 172.16.0.0, and your outbound interface is serial 0/1.

Set up your access list like the following to prevent transmitting any invalid IP addresses:

	access-list  111  permit  172.16.0.0  0.0.255.255  any
	access-list  111  deny  ip  any  any  log

	interface  serial 0/1
	ip  access-group  111  out

Prevent reception of invalid IP addresses

This assumes that you're an ISP or you have that function within your organization. Organizations A and B below are either your customers, or groups within your larger organization. Let's say that:

Your customer A,B interface is serial 1/0.
Customer A networks are 192.168.0.0 - 192.168.15.0.
Customer B networks are 172.18.0.0.

Set up your access list like the following to prevent receiving any invalid IP addresses:

	access-list  111  permit  ip  192.168.0.0  0.0.15.255  any
	access-list  111  permit  ip  172.18.0.0  0.0.255.255  any
	access-list  111  deny  ip  any  any  log

	interface  serial  1/0
	ip  access-group  111  in

For more information

See http://www.cisco.com/

Home Page

Unix/Linux

TCP/IP

Infosec

Travel

Radio

Site Map

Contact


© Bob Cromwell Nov 2008. Created with `/bin/vi` and ImageMagick, hosted on OpenBSD with Apache. Root password available here