Configuring Access Control Lists 639
A Consolidated DoS Example
This example includes some ACL rules to consider to reduce DoS attacks on
the switch. It does not represent a complete DoS suite. A firewall with deep
packet inspection capabilities should be used for true DoS protection.
ip access-list reduce-dos-attacks
!
! Rate limit echo requests
!
permit icmp any any icmp-message echo rate-limit 32 64
!
! Deny telnet and rate-limit SSH to the CPU
!
deny tcp any any eq telnet flag established
permit tcp any any eq 22 flag established rate-limit 1024 128
deny tcp any any eq telnet
permit tcp any any eq 22 rate-limit 12 2
!
! Rate limit TCP opens
!
permit tcp any any flag +syn rate-limit 8 2
!
! Rate limit TCP closes
!
permit tcp any any flag +fin rate-limit 8 2
!
! Block TCP/UDP/IP frag attacks
!
deny ip any any fragments
!
! Limit SNMP (should set source address to management stations)
! Must be tuned for SNMP walks. May need to adjust the SNMP client
! retry count or timeout.
!
permit udp any any eq snmp rate-limit 1024 128
!
! Allow other traffic types to come to CPU
!
permit every
exit
ip access-group reduce-dos-attacks control-plane
!
NOTE: The rate limits below should be adjusted to match the expected rates of
traffic coming to the CPU.
To Next Page
Loading...
