Implementing Security on Cisco Routers, Version 1.0g (UNCLASSIFIED), page 77

Exploits Protection

This sub-section describes how to use access lists to defeat or discourage several common attacks using IOS traffic filtering capabilities.

TCP SYN Attack

The TCP SYN attack involves transmitting a volume of connection requests that cannot be completed at the destination. This attack causes the connection queues to fill up, thereby denying service to legitimate TCP users. The following shows two different scenarios.

External Access Blocked

The access list rules shown below will block packets from an external network that have only the SYN flag set. Thus, they allow traffic from TCP connections that were established from the internal network, and they deny anyone coming from any external network from starting any TCP connection.

    East(config)# access-list 106 permit tcp any 14.2.6.0 0.0.0.255 established
    East(config)# access-list 106 deny   ip  any any log
    East(config)# interface eth 0/0
    East(config-if)# description "external interface"
    East(config-if)# ip access-group 106 in

Limiting External Access with TCP Intercept

The access list rules shown below will block packets from unreachable hosts using the TCP intercept feature; thus, they only allow reachable external hosts to initiate connections to a host on the internal network. In intercept mode the router intercepts each TCP connection establishment and determines whether the address from which the connection is being initiated is reachable. If the host is reachable, the router allows the connection to be established; otherwise, it prevents the connection.

    East(config)# ip tcp intercept list 107
    East(config)# access-list 107 permit tcp any 14.2.6.0 0.0.0.255
    East(config)# access-list 107 deny   ip  any any log
    East(config)# interface eth 0/0
    East(config-if)# description "external interface"
    East(config-if)# ip access-group 107 in

TCP intercept is a very effective mechanism for protecting hosts on a network from outside TCP SYN attacks; for extensive details, consult the Cisco IOS 12 Security Configuration Guide [5]. However, the TCP intercept feature is available in most, but not all, Cisco IOS version 11.3 and 12.0 releases.
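As an added illustration (not from the guide), the following Python model evaluates access-list 106 against a few constructed inbound packets. It assumes the IOS semantics that `established` matches any TCP segment with the ACK or RST bit set, and that a 1 bit in a wildcard mask means "don't care"; the packet values are made up for the demonstration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", ...
    flags: frozenset      # TCP flag names present, e.g. {"SYN"} or {"SYN", "ACK"}


def is_established(pkt: Packet) -> bool:
    """IOS 'established' keyword: TCP segment with ACK or RST set (assumed semantics);
    the bare SYN that opens a new connection does not match."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


def acl_106(pkt: Packet) -> tuple[str, bool]:
    """Model of access-list 106 applied inbound. Returns (action, logged).
    permit tcp any 14.2.6.0 0.0.0.255 established
    deny   ip  any any log"""
    if (pkt.proto == "tcp"
            and wildcard_match(pkt.dst, "14.2.6.0", "0.0.0.255")
            and is_established(pkt)):
        return ("permit", False)
    return ("deny", True)   # explicit deny any with log


# Constructed sample traffic arriving on the external interface.
SAMPLE = [
    Packet("203.0.113.9", "14.2.6.10", "tcp", frozenset({"SYN"})),         # outside host opening a connection
    Packet("203.0.113.9", "14.2.6.10", "tcp", frozenset({"SYN", "ACK"})),  # reply to an inside-initiated connection
    Packet("203.0.113.9", "14.2.6.10", "tcp", frozenset({"ACK"})),         # data segment of an existing connection
    Packet("203.0.113.9", "14.2.6.10", "tcp", frozenset({"RST"})),         # reset, also counts as established
    Packet("203.0.113.9", "14.2.7.10", "tcp", frozenset({"ACK"})),         # outside the protected 14.2.6.0/24
    Packet("203.0.113.9", "14.2.6.10", "udp", frozenset()),                # not TCP at all
]


def evaluate(packets: list[Packet]) -> list[tuple[str, str, bool]]:
    return [(p.dst, *acl_106(p)) for p in packets]


if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```

Because `established` tests only flag bits on each packet rather than tracking connection state, it cannot tell a genuine reply from any other segment carrying ACK; the TCP intercept variant above adds a per-connection reachability check on top of the address filter.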