North American Network Operators Group


Re: SYN floods continue

  • From: Avi Freedman
  • Date: Wed Sep 11 14:29:43 1996

> Could you provide sample CISCO syntax ACL filters to perform the above?
> I'm not clear how you filter out these kind of attacks.
> Thanks,
> 
> --curtis

This is actually an incoming filter...

'sho access-list 102' shows you counts on hits for each line;
pretty interesting, actually.

Each line says permit any kind of ip data from anywhere, from any IP
address, to the network specified.

For an outgoing filter you'd reverse it so it looked like
'acc 102 permit ip <our-net> <inverted-mask> any'.

no acc 102
acc 102 permit ip any 198.138.103.0 0.0.0.255
acc 102 permit ip any 205.199.164.0 0.0.0.255
acc 102 permit ip any 204.193.157.0 0.0.0.255
acc 102 permit ip any 199.171.193.0 0.0.0.255
acc 102 permit ip any 199.67.58.0   0.0.0.255
acc 102 permit ip any 205.160.86.0  0.0.0.255
acc 102 permit ip any 192.135.189.0 0.0.0.255
acc 102 permit ip any 198.133.170.0 0.0.0.255

! not all of these are /16s, I was just lazy yesterday
! eventually the 0.0.255.255s should become more specific
acc 102 permit ip any 206.42.0.0    0.0.255.255
acc 102 permit ip any 137.239.0.0   0.0.255.255
acc 102 permit ip any 198.69.0.0    0.0.255.255
acc 102 permit ip any 206.161.0.0   0.0.255.255
acc 102 permit ip any 205.164.128.0 0.0.255.255
acc 102 permit ip any 170.115.0.0   0.0.255.255
acc 102 permit ip any 207.106.0.0   0.0.255.255
acc 102 permit ip any 199.234.208.0 0.0.255.255
acc 102 permit ip any 207.8.128.0   0.0.255.255

acc 102 permit ip any 192.157.69.47 0.0.0.0
acc 102 permit ip any 192.41.177.87 0.0.0.0
! acc 102 permit ip any 198.32.136.82 0.0.0.0

acc 102 deny ip any any

Avi
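
An added example, not part of the original message: a small Python model of how an access list in the form above is evaluated (first match wins, wildcard-mask bits are ignored, implicit deny at the end), with per-line hit counts like the ones the show command reports. The sample list is a subset of the entries above; the function names and the `loose_entries` check are assumptions made for this illustration.

```python
import ipaddress
import re

# Subset of the list in the message above, used as sample input.
ACL_TEXT = """\
acc 102 permit ip any 198.138.103.0 0.0.0.255
acc 102 permit ip any 205.164.128.0 0.0.255.255
acc 102 permit ip any 192.157.69.47 0.0.0.0
! acc 102 permit ip any 198.32.136.82 0.0.0.0
acc 102 deny ip any any
"""

# Only the "<action> ip any <dest> <wildcard>" form used in the message is handled.
LINE = re.compile(r"^acc(?:ess-list)?\s+\d+\s+(permit|deny)\s+ip\s+any\s+"
                  r"(?:(any)|(\S+)\s+(\S+))\s*$")

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_acl(text):
    """Return entry dicts in order; blank lines and '!' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        action, is_any, addr, wild = m.groups()
        base, mask = (0, 0xFFFFFFFF) if is_any else (to_int(addr), to_int(wild))
        entries.append({"line": line, "action": action,
                        "base": base, "wild": mask, "hits": 0})
    return entries

def evaluate(entries, dst):
    """Return the action for a destination address; first matching line wins."""
    d = to_int(dst)
    for e in entries:
        care = ~e["wild"] & 0xFFFFFFFF      # bits that must match exactly
        if (d & care) == (e["base"] & care):
            e["hits"] += 1
            return e["action"]
    return "deny"                            # implicit deny ends every list

def loose_entries(entries):
    """Lines whose address has bits set under the wildcard mask, i.e. the
    mask covers more address space than the written prefix suggests."""
    return [e["line"] for e in entries if e["base"] & e["wild"]]
```

`loose_entries` picks out lines such as the 205.164.128.0 entry, where the 0.0.255.255 mask permits the whole of 205.164.0.0 through 205.164.255.255 rather than only the upper half.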
