Mitigating SYN Attacks-ACL Caveats

Mitigating SYN Attacks
One common type of network attack is the half-open SYN attack. This is a DoS attack in which the attacker sends a large quantity of TCP SYN messages to a host without ever completing the three-way TCP handshake. This attack can result in the depletion of memory resources on the host. The most flexible way to mitigate this attack is to use the Cisco IOS Firewall feature set. The following subsections identify two other ways to mitigate half-open SYN attacks.
Using the established Keyword in ACLs
The established keyword in a TCP-based ACL entry permits only packets that have the TCP ACK bit set to pass the ACL entry. Because the initial SYN of a new connection does not carry the ACK bit, an inbound SYN from outside never matches the entry and falls through to the implicit deny, while return traffic for sessions opened from the inside is permitted. Example 5-5 demonstrates this.
Example 5-5 Using the established Keyword
R2(config)#access-list 150 permit tcp any any established
R2(config)#interface serial 1/0/0
R2(config-if)#ip access-group 150 in
Using TCP Intercept
The TCP Intercept feature permits half-open SYN connections only within configurable thresholds. Half-open SYN connections outside these thresholds are dropped. The access list referenced by ip tcp intercept list selects which connections are intercepted; in Example 5-6 it covers TCP connections to the 10.1.1.0/24 network. Example 5-6 demonstrates this.

Example 5-6 Using TCP Intercept
R2(config)#ip tcp intercept list 150
R2(config)#access-list 150 permit tcp any 10.1.1.0 0.0.0.255
R2(config)#interface serial 2/0/0
R2(config-if)#ip access-group 150 in
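The threshold behaviour described above, as an added example that is not code from the book or from IOS: a simplified model of a half-open connection table. The class HalfOpenTable, its high/low thresholds and the "evict the oldest unfinished handshake" policy are my own simplification of the idea; the real feature has additional knobs and timers that are not modelled here.

```python
"""Added example, not code from the book or IOS: a simplified model of the
threshold logic behind TCP Intercept. HalfOpenTable, its high/low thresholds
and the 'drop the oldest half-open entry' policy are my own simplification."""
from collections import OrderedDict


class HalfOpenTable:
    """Tracks connections that have seen a SYN but not the completing ACK."""

    def __init__(self, high: int = 4, low: int = 2):
        self.high = high                 # above this many half-open entries: aggressive mode
        self.low = low                   # below this many: back to normal mode
        self.half_open = OrderedDict()   # key -> True; insertion order doubles as age
        self.established = set()
        self.dropped = []                # half-open entries evicted in aggressive mode
        self.aggressive = False

    def syn(self, key) -> bool:
        """A new SYN arrived. Returns True if it was admitted without evicting another."""
        evicted = False
        if self.aggressive and self.half_open:
            # Each new SYN costs the oldest unfinished handshake its slot, so the
            # table (and the memory behind it) stays bounded during a flood.
            oldest, _ = self.half_open.popitem(last=False)
            self.dropped.append(oldest)
            evicted = True
        self.half_open[key] = True
        if len(self.half_open) > self.high:
            self.aggressive = True
        return not evicted

    def ack(self, key) -> bool:
        """The handshake for key completed. Returns False if key is unknown."""
        if key not in self.half_open:
            return False                 # already evicted, or never seen
        del self.half_open[key]
        self.established.add(key)
        if self.aggressive and len(self.half_open) < self.low:
            self.aggressive = False
        return True


def replay(events, high: int = 4, low: int = 2) -> HalfOpenTable:
    """Replay constructed ("SYN" | "ACK", key) events through a fresh table."""
    table = HalfOpenTable(high, low)
    for kind, key in events:
        if kind == "SYN":
            table.syn(key)
        elif kind == "ACK":
            table.ack(key)
    return table


# Constructed scenario: six SYNs that are never completed, then one client
# that does finish its handshake while the flood is still in progress.
FLOOD = [("SYN", f"flood-{i}") for i in range(1, 7)] + [("SYN", "client"), ("ACK", "client")]

if __name__ == "__main__":
    t = replay(FLOOD)
    print("half-open:", list(t.half_open))
    print("dropped  :", t.dropped)
    print("completed:", sorted(t.established))
```

With the constructed thresholds the table never holds more than high + 1 entries, which is the point of the feature: the flood evicts its own oldest entries instead of exhausting host memory, and a client that actually completes its handshake still gets through.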
ACL Caveats
Remember the following caveats when configuring ACLs:
■ Implicit deny any—All ACLs have an implicit deny any statement at the end. It is not displayed in the configuration. Any traffic not explicitly permitted is implicitly denied.
■ Evaluation order—ACLs are evaluated from the top down, in order. Be sure not to place a statement at the top of the ACL that negates a later statement. Place the most specific statements at the top of the ACL.
■ ACL direction—Inbound ACLs affect packets that are moving toward the interface. Outbound ACLs affect packets that are moving away from the interface. It can be easy to confuse these, especially on VLAN interfaces
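The established keyword from Example 5-5 and the implicit-deny and evaluation-order caveats above, as an added example that is not code from the book or from IOS: a small model of top-down ACL evaluation with IOS-style wildcard masks. Entry, Packet, wildcard_match and evaluate_acl are names of my own; they model IOS behaviour but are not IOS code, and the packets are constructed samples.

```python
"""Added example, not code from the book: a small model of how an IOS extended
ACL is evaluated, written to make the established keyword and the ACL caveats
concrete. Entry, Packet, wildcard_match and evaluate_acl are my own names."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                    # "any" or "address wildcard", e.g. "10.1.1.0 0.0.0.255"
    dst: str
    established: bool = False   # the tcp 'established' keyword


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    flags: frozenset = frozenset()   # TCP flag names present, e.g. {"SYN", "ACK"}


def wildcard_match(addr_wc: str, ip: str) -> bool:
    """IOS wildcard matching: a 1 bit in the wildcard means 'don't care'.
    10.1.1.0 0.0.0.255 therefore covers a /24, while 10.1.1.0 255.255.255.0
    (a subnet mask typed by mistake) only checks that the last octet is 0."""
    if addr_wc == "any":
        return True
    base, wildcard = addr_wc.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate_acl(acl, pkt):
    """Top-down, first match wins. Returns (action, entry number); the entry
    number is None when the implicit deny at the end of the ACL applied."""
    for number, entry in enumerate(acl, start=1):
        if entry.proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(entry.src, pkt.src) and wildcard_match(entry.dst, pkt.dst)):
            continue
        # 'established' matches only segments with ACK (or RST) set, i.e. replies
        # to a connection opened from the other side; a bare SYN never matches.
        if entry.established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return entry.action, number
    return "deny", None   # implicit deny any


# Example 5-5: access-list 150 permit tcp any any established
ACL_150 = [Entry("permit", "tcp", "any", "any", established=True)]

# Constructed sample packets arriving inbound on the serial interface.
INBOUND_SYN = Packet("tcp", "192.0.2.10", "10.1.1.5", frozenset({"SYN"}))
RETURN_SYN_ACK = Packet("tcp", "192.0.2.10", "10.1.1.5", frozenset({"SYN", "ACK"}))
INBOUND_UDP = Packet("udp", "192.0.2.10", "10.1.1.5")

# Evaluation-order caveat: the broad deny on line 1 shadows the specific permit on line 2.
SHADOWED = [
    Entry("deny", "tcp", "any", "any"),
    Entry("permit", "tcp", "any", "10.1.1.0 0.0.0.255"),
]
CORRECT_ORDER = [SHADOWED[1], SHADOWED[0]]   # most specific statement first

if __name__ == "__main__":
    for name, pkt in [("SYN", INBOUND_SYN), ("SYN/ACK", RETURN_SYN_ACK), ("UDP", INBOUND_UDP)]:
        print(f"ACL 150, inbound {name}: {evaluate_acl(ACL_150, pkt)}")
    print("shadowed order :", evaluate_acl(SHADOWED, INBOUND_SYN))
    print("specific first :", evaluate_acl(CORRECT_ORDER, INBOUND_SYN))
```

Running it shows the three behaviours the text describes: the inbound SYN and the UDP datagram hit the implicit deny (no entry number), the SYN/ACK reply is permitted by entry 1, and the same permit entry is unreachable when a broader deny sits above it.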