[4310] in North American Network Operators' Group


Re: SYN floods continue

daemon@ATHENA.MIT.EDU (Craig A. Huegen)
Wed Sep 11 17:06:24 1996

Date: Wed, 11 Sep 1996 14:01:35 -0700 (PDT)
From: "Craig A. Huegen" <c-huegen@quad.quadrunner.com>
To: Bruce Robertson <bruce@greatbasin.net>
cc: Avi Freedman <freedman@netaxs.com>, nanog@merit.edu, generous@uucom.com
In-Reply-To: <199609112020.NAA29101@owl.greatbasin.net>

On Wed, 11 Sep 1996, Bruce Robertson wrote:

==>It seems to me that you want something more like this, which is what
==>we have in place:
==>
==>	acc 102 deny ip 198.138.103.0 0.0.0.255 any
==>	...
==>	acc 102 permit any any
==>
==>It seems to work for us.  Please let me know if I'm missing something here!

This works for stopping the spoofing of your own internal hosts from
getting packets into your network.

To stop the problem that's presented here (of packets flowing out of your
network with random IP addresses (as one can do on a Linux-box dial-up)),
you need an outbound filter based on source-address, like the following: 

access-list 102 permit ip 205.166.195.0 0.0.0.255 any
access-list 102 permit ip 205.166.254.0 0.0.0.255 any
interface Serial0
ip access-group 102 out

This will allow packets sourced from hosts in the
205.166.195.0-205.166.195.255 and 205.166.254.0-205.166.254.255 range out,
but other packets will be stopped at that router, including those SYN
floods with random source IPs.

Depending upon your network architecture, the optimal placement of these
lines varies.

/cah

----
Craig A. Huegen  CCIE #2100                       ||        ||
Network Analyst, IS-Network/Telecom               ||        ||
cisco Systems, Inc., 250 West Tasman Drive       ||||      ||||
San Jose, CA  95134, (408) 526-8104          ..:||||||:..:||||||:..
email: chuegen@cisco.com                    c i s c o  S y s t e m s
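The following is an added example, not part of the original message or of any Cisco code: a small Python model of IOS access-list matching (wildcard mask, first match wins, implicit deny at the end) that runs the two filters from this thread against constructed sample traffic. It shows why Bruce's "deny own block / permit any" list placed inbound stops outsiders spoofing his hosts but does nothing about SYN floods with random source addresses leaving his network, and that Craig's "permit only own blocks" list placed outbound does. The third ACL (BRUCE_OUTBOUND_FIX) is Craig's pattern applied to Bruce's 198.138.103.0/24 block and is my adaptation, not something on the page; the 203.0.113.x and 198.51.100.x addresses are RFC 5737 documentation addresses standing in for random spoofed sources.

```python
"""Cisco IOS access-list matching, used to compare the two filters in the thread.

Added example; not from the original post.  Standard library only.  Sample
addresses are constructed: 203.0.113.0/24 and 198.51.100.0/24 (RFC 5737
documentation blocks) stand in for the random sources a spoofing tool emits.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class AclEntry(NamedTuple):
    action: str                # "permit" or "deny"
    source: str                # dotted network address, or "any"
    wildcard: str = "0.0.0.0"  # IOS inverse mask: a 1 bit means "don't care"


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """IOS semantics: every address bit whose wildcard bit is 0 must equal the network's bit."""
    if network == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def evaluate(acl: List[AclEntry], src: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if wildcard_matches(src, entry.source, entry.wildcard):
            return entry.action
    return "deny"


def router_verdict(inbound: Optional[List[AclEntry]], outbound: Optional[List[AclEntry]],
                   direction: str, src: str) -> str:
    """An interface with no access-group in that direction forwards everything."""
    acl = inbound if direction == "in" else outbound
    return "permit" if acl is None else evaluate(acl, src)


# Bruce's filter as quoted: deny packets claiming his own block as source, permit the rest.
BRUCE_INBOUND = [
    AclEntry("deny", "198.138.103.0", "0.0.0.255"),
    AclEntry("permit", "any"),
]

# Craig's outbound filter as posted: permit only the site's own blocks;
# the implicit deny drops everything else.
CRAIG_OUTBOUND = [
    AclEntry("permit", "205.166.195.0", "0.0.0.255"),
    AclEntry("permit", "205.166.254.0", "0.0.0.255"),
]

# Craig's pattern applied to Bruce's block (my adaptation, not on the page).
BRUCE_OUTBOUND_FIX = [AclEntry("permit", "198.138.103.0", "0.0.0.255")]

# Constructed traffic at Bruce's border: (direction relative to his network, source address)
PACKETS = [
    ("in", "198.138.103.5"),    # outsider spoofing one of Bruce's own hosts
    ("in", "203.0.113.77"),     # ordinary inbound packet
    ("out", "198.138.103.5"),   # ordinary outbound packet from his host
    ("out", "203.0.113.77"),    # SYN flood from a dial-up inside, random source
    ("out", "198.51.100.9"),    # another random spoofed source
]


def verdicts(inbound, outbound):
    return {pkt: router_verdict(inbound, outbound, *pkt) for pkt in PACKETS}


def escaped_spoofs(inbound, outbound, own_prefix: str) -> List[str]:
    """Outbound sources forwarded even though they are not the site's own addresses."""
    own = ipaddress.IPv4Network(own_prefix)
    return [src for (d, src), v in verdicts(inbound, outbound).items()
            if d == "out" and v == "permit" and ipaddress.IPv4Address(src) not in own]


if __name__ == "__main__":
    print("inbound filter only :", escaped_spoofs(BRUCE_INBOUND, None, "198.138.103.0/24"))
    print("plus egress filter  :", escaped_spoofs(BRUCE_INBOUND, BRUCE_OUTBOUND_FIX, "198.138.103.0/24"))
```

With only the inbound deny list, both random-source outbound packets are forwarded; adding the permit-own-blocks list in the outbound direction leaves nothing escaping, while the legitimate 198.138.103.5 packet still gets out. The design point is the same one Craig makes: a deny list has to enumerate what is bad, but the set of possible forged sources is the whole address space, so the outbound filter has to be a permit list of what is yours with the implicit deny doing the work.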


