Hardening Cisco Routers Against TCP SYN Flood Attacks
First, upgrade to at least IOS 11.2(4).
Prevent transmission of invalid IP addresses
Let's say your network is 172.16.0.0, and your outbound interface is serial 0/1.
Set up an access list like the following so that only packets whose source address belongs to your own network can leave through that interface; anything else is dropped and logged (the `ip` keyword is required in an extended access list entry):
access-list 111 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 deny ip any any log
interface serial 0/1
 ip access-group 111 out
Prevent reception of invalid IP addresses
This assumes that you are an ISP, or that you perform that function within your organization. Organizations A and B below are either your customers or groups within your larger organization. Let's say that:
- The interface facing customers A and B is serial 1/0.
- Customer A's networks are 192.168.0.0 - 192.168.15.0.
- Customer B's network is 172.18.0.0.
Set up an access list like the following so that only packets whose source address belongs to customer A or customer B are accepted on that interface; anything else is dropped and logged. If the same router also carries the outbound filter above, give this list a different number, because IOS appends new statements to an existing numbered list rather than replacing it:
access-list 111 permit ip 192.168.0.0 0.0.15.255 any
access-list 111 permit ip 172.18.0.0 0.0.255.255 any
access-list 111 deny ip any any log
interface serial 1/0
 ip access-group 111 in
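The following Python script is an added example, not part of the original page or of any Cisco tool. It reproduces how IOS evaluates the inbound filter above (wildcard masks, first match wins, implicit deny) so the entries can be checked against sample source addresses before the list is applied; the ACL text and the test addresses are constructed from the figures in this article.

```python
import ipaddress
# Constructed sample (not from the original page): the customer-facing ingress
# filter from the text, written one statement per line as IOS expects it.
INGRESS_ACL = """
access-list 111 permit ip 192.168.0.0 0.0.15.255 any
access-list 111 permit ip 172.18.0.0 0.0.255.255 any
access-list 111 deny ip any any log
"""

def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair -> prefix, e.g. 192.168.0.0 0.0.15.255 -> 192.168.0.0/20."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)

def network_to_wildcard(net):
    """Prefix -> IOS wildcard mask (the inverse netmask), e.g. 192.168.0.0/20 -> 0.0.15.255."""
    return str(ipaddress.IPv4Network(net).hostmask)

def parse_acl(config):
    """Parse 'access-list N permit|deny ip SRC WILDCARD any ...' into (action, net); None = any."""
    rules = []
    for line in config.strip().splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        action = parts[2]
        if parts[4] == "any":
            rules.append((action, None))
        else:
            rules.append((action, wildcard_to_network(parts[4], parts[5])))
    return rules

def acl_verdict(rules, src):
    """Evaluate like IOS: first matching entry wins, implicit deny if nothing matches."""
    ip = ipaddress.IPv4Address(src)
    for action, net in rules:
        if net is None or ip in net:
            return action
    return "deny"

def check_ingress(src):
    """Verdict of the customer-facing filter for a packet with source address src."""
    return acl_verdict(parse_acl(INGRESS_ACL), src)

if __name__ == "__main__":
    # Legitimate customer sources are permitted; a source outside both customer
    # ranges (what a spoofed SYN would carry) is dropped and logged.
    for src in ("192.168.7.5", "172.18.200.1", "192.168.16.1", "10.0.0.1"):
        print(src, check_ingress(src))
```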
For more information, see the Cisco site.