Hardening Cisco Routers Against TCP SYN Flood Attacks

First, upgrade to at least IOS 11.2(4)

Prevent transmission of invalid IP addresses

Let's say your network is 172.16.0.0, and your outbound interface is serial 0/1.

Set up your access list like the following to prevent transmitting any invalid IP addresses:

access-list  111  permit  172.16.0.0  0.0.255.255  any
access-list  111  deny  ip  any  any  log

interface  serial 0/1
ip  access-group  111  out

Prevent reception of invalid IP addresses

This assumes that you're an ISP or you have that function within your organization. Organizations A and B below are either your customers, or groups within your larger organization. Let's say that:

Your customer A,B interface is serial 1/0.
Customer A networks are 192.168.0.0 - 192.168.15.0.
Customer B networks are 172.18.0.0.

Set up your access list like the following to prevent receiving any invalid IP addresses:

access-list  111  permit  ip  192.168.0.0  0.0.15.255  any
access-list  111  permit  ip  172.18.0.0  0.0.255.255  any
access-list  111  deny  ip  any  any  log

interface  serial  1/0
ip  access-group  111  in

For more information, see the Cisco site.

Back to the main Security page

Back to the main Networking page