[4299] in North American Network Operators' Group
Re: SYN floods continueg
daemon@ATHENA.MIT.EDU (Avi Freedman)
Wed Sep 11 14:31:21 1996
From: Avi Freedman <freedman@netaxs.com>
To: generous@uucom.com (Curtis Generous)
Date: Wed, 11 Sep 1996 14:26:50 -0400 (EDT)
Cc: nanog@merit.edu
In-Reply-To: <199609111816.OAA20185@rolex.uucom.com> from "Curtis Generous" at Sep 11, 96 02:16:18 pm
> Could you provide sample CISCO syntax ACL filters to perform the above?
> I'm not clear how you filter out these kind of attacks.
> Thanks,
>
> --curtis
This is actually an incoming filter...
'sho access-list 102' shows you counts on hits for each line;
pretty interesting, actually.
Each line says permit any kind of ip data from anywhere, from any IP
address, to the network specified.
For an outgoing filter you'd reverse it so it looked like
'acc 102 permit ip <our-net> <inverted-mask> any'.
no acc 102
acc 102 permit ip any 198.138.103.0 0.0.0.255
acc 102 permit ip any 205.199.164.0 0.0.0.255
acc 102 permit ip any 204.193.157.0 0.0.0.255
acc 102 permit ip any 199.171.193.0 0.0.0.255
acc 102 permit ip any 199.67.58.0 0.0.0.255
acc 102 permit ip any 205.160.86.0 0.0.0.255
acc 102 permit ip any 192.135.189.0 0.0.0.255
acc 102 permit ip any 198.133.170.0 0.0.0.255
! not all of these are /16s, I was just lazy yesterday
! eventually the 0.0.0.255.255s should become more specific
acc 102 permit ip any 206.42.0.0 0.0.255.255
acc 102 permit ip any 137.239.0.0 0.0.255.255
acc 102 permit ip any 198.69.0.0 0.0.255.255
acc 102 permit ip any 206.161.0.0 0.0.255.255
acc 102 permit ip any 205.164.128.0 0.0.255.255
acc 102 permit ip any 170.115.0.0 0.0.255.255
acc 102 permit ip any 207.106.0.0 0.0.255.255
acc 102 permit ip any 199.234.208.0 0.0.255.255
acc 102 permit ip any 207.8.128.0 0.0.255.255
acc 102 permit ip any 192.157.69.47 0.0.0.0
acc 102 permit ip any 192.41.177.87 0.0.0.0
! acc 102 permit ip any 198.32.136.82 0.0.0.0
acc 102 deny ip any any
Avi