Hi Kings,

I read this exercise as asking me to prevent a DoS attack (SYN flood), so
we need to find a way to block out or rate-limit SYN flooding.


* Preventing a SYN Attack Using ACLs

access-list 120 deny tcp host X host Y syn
! without an explicit permit, the implicit deny would drop all other traffic
access-list 120 permit ip any any
!
int f0/0
 ip access-gr 120 in

* Preventing a SYN Attack Using NBAR

class-map match-all TEST
 match protocol http
!
policy-map TEST
 class TEST
   drop
!
int f0/0
 service-policy input TEST


* Preventing a SYN Attack Using Policing

access-list 100 permit tcp any any syn
!
class-map match-all SYN
 match access-group 100
!
policy-map SYN
 class SYN
    police 64000 conform-action transmit exceed-action drop violate-action drop
!
int f0/0
 service-policy input SYN


* Preventing a SYN Attack Using CBAC

ip inspect tcp synwait-time 2
ip inspect tcp block-non-session
ip inspect name CBAC tcp
! the inspection rule takes effect only once applied to an interface
int f0/0
 ip inspect CBAC in


* Preventing a SYN Attack Using CAR

access-list 100 permit tcp any any syn
!
int f0/0
 rate-limit input access-group 100 64000 8000 8000 conform-action transmit exceed-action drop



* Preventing a SYN Attack Using a TCP Intercept

! high/low watermarks for aggressive mode (1100/900 are the IOS defaults)
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900



* Preventing a SYN Attack Using the Modular Policy Framework (MPF) on the
Cisco ASA Security Appliance

class MANAGEMENT
  set connection conn-max 10 embryonic-conn-max 8



HTH,
Piotr Matusiak
CCIE #19860


2010/3/26 Kingsley Charles <[email protected]>

> Hi all
>
> Need your inputs on the following ways of mitigating SYN attacks:
>
>
>    - Preventing a SYN Attack Using ACLs
>
>          Using "established" keyword
>
>    - Preventing a SYN Attack Using NBAR
>
>          ?
>
>    - Preventing a SYN Attack Using Policing
>
>           ?
>
>    - Preventing a SYN Attack Using CBAC
>
>         Tuning of TCP timeouts
>
>    - Preventing a SYN Attack Using CAR
>
>           ?
>
>    - Preventing a SYN Attack Using a TCP Intercept
>
>         Configuring high/low parameters
>
>    - Preventing a SYN Attack Using the Modular Policy Framework (MPF) on
>    the Cisco ASA Security Appliance
>
>          Configuring TCP timeouts with "set connections"
>
>
>
>
> With regards
> Kings
>
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
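Added example, not from Piotr's mail or from Cisco: a single-token-bucket model of the CAR and policing configurations above (64000 bps, 8000-byte normal burst) run over constructed SYN arrival times. It assumes a 60-byte SYN and leaves out CAR's extended-burst bucket; it shows how many SYNs of a flood the policer still lets through and that a stream below the committed rate is never touched.

```python
from fractions import Fraction

SYN_BYTES = 60  # constructed: one IPv4 TCP SYN with typical options


class TokenBucketPolicer:
    """Single token bucket: tokens refill at the committed rate up to the
    normal burst, and a packet conforms only if enough tokens remain.
    CAR's second (extended-burst) bucket is deliberately left out."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.burst = Fraction(burst_bytes)
        self.tokens = self.burst        # bucket starts full
        self.last_ms = Fraction(0)

    def police(self, ts_ms, size):
        # Refill for the elapsed time; rate_bps / 8000 is bytes per millisecond.
        elapsed = max(Fraction(0), ts_ms - self.last_ms)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bps / 8000)
        self.last_ms = ts_ms
        if self.tokens >= size:
            self.tokens -= size
            return "transmit"           # conform-action transmit
        return "drop"                   # exceed-action drop


def uniform_arrivals(pps, seconds):
    """Constructed arrival times in ms for a steady stream of pps SYNs/s."""
    step_ms = Fraction(1000, pps)
    return [i * step_ms for i in range(pps * seconds)]


def police_syn_stream(arrivals_ms, rate_bps=64000, burst_bytes=8000):
    """Return (transmitted, dropped) SYN counts for the given arrival times."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    transmitted = dropped = 0
    for ts in arrivals_ms:
        if policer.police(ts, SYN_BYTES) == "transmit":
            transmitted += 1
        else:
            dropped += 1
    return transmitted, dropped


if __name__ == "__main__":
    # 1000 SYN/s for 1 s: the burst absorbs ~150 SYNs, then ~133 SYN/s pass.
    print("flood:", police_syn_stream(uniform_arrivals(1000, 1)))  # (266, 734)
    # 20 SYN/s stays under the committed rate, so the bucket never empties.
    print("legit:", police_syn_stream(uniform_arrivals(20, 1)))    # (20, 0)
```

The same model makes the policer's limitation visible: it counts bytes, not intent, so once a flood has emptied the bucket any legitimate SYN arriving in that window is dropped with it.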