UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
Exploits Protection
This sub-section describes how to use access lists to defeat or discourage several
common attacks using IOS traffic filtering capabilities.
TCP SYN Attack
The TCP SYN attack involves transmitting a volume of connection requests that cannot be
completed at the destination. This attack causes the connection queues to fill up,
thereby denying service to legitimate TCP users. Two different scenarios are shown
below.
External Access Blocked
The access list rules shown below will block packets from an external network that
have only the SYN flag set. Thus, the list allows traffic belonging to TCP connections
that were established from the internal network, and it denies any host on an external
network from starting a TCP connection to the internal network.
East(config)# access-list 106 permit tcp any 14.2.6.0 0.0.0.255 established
East(config)# access-list 106 deny ip any any log
East(config)# interface eth 0/0
East(config-if)# description "external interface"
East(config-if)# ip access-group 106 in
Limiting External Access with TCP Intercept
The access list rules shown below will block packets from unreachable hosts using
the TCP intercept feature; thus, it only allows reachable external hosts to initiate
connections to a host on the internal network. In intercept mode the router intercepts
each TCP connection establishment, and determines if the address from which the
connection is being initiated is reachable. If the host is reachable, the router allows
the connection to be established; otherwise, it prevents the connection.
East(config)# ip tcp intercept list 107
East(config)# access-list 107 permit tcp any 14.2.6.0 0.0.0.255
East(config)# access-list 107 deny ip any any log
East(config)# interface eth 0/0
East(config-if)# description "external interface"
East(config-if)# ip access-group 107 in
TCP Intercept is a very effective mechanism for protecting hosts on a network from
outside TCP SYN attacks; for extensive details, consult the Cisco IOS 12 Security
Configuration Guide [5]. Note, however, that the TCP Intercept feature is available in
most, but not all, Cisco IOS version 11.3 and 12.0 releases.
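As an added example (not part of this guide or of Cisco IOS), the Python model below evaluates access lists 106 and 107 from the two scenarios above against constructed inbound packets using the router's first-match semantics. It shows why list 106 denies a bare SYN from outside but permits the SYN/ACK that answers a connection started from inside, while list 107 admits the SYN so that TCP Intercept can screen it; the established keyword is modelled as a test of the ACK or RST flag bits, which is what IOS checks. The addresses 203.0.113.9 and 14.2.6.20 and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    flags: int = 0  # TCP flag bits; ignored for other protocols

@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if (ipaddress.ip_address(pkt.src) not in self.src
                or ipaddress.ip_address(pkt.dst) not in self.dst):
            return False
        # 'established' matches any TCP segment with ACK or RST set: flag bits only, no connection state.
        return not self.established or bool(pkt.flags & (ACK | RST))

def net(spec: str) -> ipaddress.IPv4Network:
    # 'any' or 'address wildcard' (IOS syntax); ipaddress accepts the wildcard as a hostmask.
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wildcard = spec.split()
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def evaluate(acl: list, pkt: Packet) -> str:
    # First matching rule wins; every IOS ACL ends with an implicit deny.
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

ACL_106 = [Rule("permit", "tcp", net("any"), net("14.2.6.0 0.0.0.255"), True),
           Rule("deny", "ip", net("any"), net("any"))]
ACL_107 = [Rule("permit", "tcp", net("any"), net("14.2.6.0 0.0.0.255")),
           Rule("deny", "ip", net("any"), net("any"))]
# Constructed sample packets arriving inbound on the external interface.
OUTSIDE_SYN = Packet("tcp", "203.0.113.9", "14.2.6.20", SYN)         # new inbound connection
REPLY_SYNACK = Packet("tcp", "203.0.113.9", "14.2.6.20", SYN | ACK)  # reply to an inside-initiated SYN
```

Because the established keyword only inspects flag bits, list 106 is a stateless filter; list 107 with TCP Intercept is the option that actually checks whether the initiating host can complete the handshake.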