Router# configure terminal
Router(config)#ip access-list extended webserver10
Router(config-ext-nacl)#deny tcp any host 10.40.100.5 eq telnet
Router(config-ext-nacl)#permit ip any any
You can define ACLs without applying them. However, the ACLs will have no effect until they are applied to the router’s interface. Applying the ACL to the serial0 Interface
Router(config-if)# ip access-group webserver2 in
IP ACLs filter IP traffic destined for SNMP
Simple Network Management Protocol (SNMP) is widely used for router monitoring and configuration changes. If not configured properly, SNMP could provide a wealth of information about the device to intruders running SNMP discovery tools.
Configure the filter which only allows SNMP access to specific hosts.
Router(config)#access-list 20 remark SNMP ACL
Router(config)#access-list 20 permit
Router(config)#access-list 20 deny any log
Configure SNMP to have READ-ONLY access and treat the COMMUNITY string as a password – keep it difficult to guess.
IP ACLs to mitigate the DDOS attack
A DoS attack is designed to deny user access to systems or networks. These attacks usually target specific services and attempt to overwhelm them by making numerous requests concurrently. If a system is not protected and cannot react to a DoS attack, it can be easy to overwhelm that system by running scripts that generate multiple requests. It is possible to greatly increase the magnitude of a DoS attack by launching the attack from multiple systems against a single target. This practice is referred to as a DDoS attack.
Use CAR to rate limit ICMP packets.
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
access-list 2020 permit icmp any any echo-reply
Configure rate limiting for SYN packets.
Router(config)#access-list 152 permit tcp any host eq www
Router(config)#access-list 153 permit tcp any host eq www established
rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop
In the above example, replace:
45000000 with the maximum link bandwidth 1000000 with a value that is between 50% and 30% of the SYN flood rate burst normal and burst max rates with accurate values.
Note; that if you set the burst rate greater than 30%, many legitimate SYNs may be dropped. To get an idea of where to set the burst rate, use the show interfaces rate-limit command to display the conformed and exceeded rates for the interface. Your objective is to rate-limit the SYNs as little as necessary to get things working again.
Verify an IP ACL
Router#sh ip access-lists ?
Access list number
Access list number (expanded range)
WORD Access list name
dynamic List dynamic IP access lists
| Output modifiers