
Yusuf Bhaiji

"Network Security Technologies and Solutions"

A classification ACL can also use the keyword any for both the source and the destination address. An ACL
written this way is useful for characterizing a suspected denial-of-service (DoS) attack: it shows which type of
traffic is flooding the interface and, when the log or log-input keyword is added to the relevant entries, which
source addresses are matching the protocol permit statements. Because every entry permits, the ACL drops
nothing; its value is in the per-entry match counters. A last line permitting ip any any is required so that all
other traffic continues to flow, since an ACL ends with an implicit deny.
Example 2-8 shows a sample ACL that characterizes a suspected DoS attack. The first line counts ICMP echo
requests, which catches a ping flood or a network being used as a Smurf amplifier (the victim of a Smurf attack
receives echo replies, so add an echo-reply line if that is the suspicion). The second line counts TCP packets
with the SYN flag set, which exposes a SYN flood. The third, fourth, and fifth lines count fragmented TCP, UDP,
and other IP packets, which exposes a fragment attack. The last four lines count the remaining traffic by
protocol. Because an ACL is evaluated top down and a packet is counted only by the first entry it matches, these
general lines count only what the more specific lines above them did not. This ACL is a basic, generic example; a
classification ACL can be written for virtually any protocol, port, or flag.
Example 2-8. Example of DoS Characterization ACL
access-list 101 permit icmp any any echo
access-list 101 permit tcp any any syn
access-list 101 permit tcp any any fragments
access-list 101 permit udp any any fragments
access-list 101 permit ip any any fragments
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit ip any any
After applying this ACL inbound on the suspected ingress interface (ip access-group 101 in), enter the show
access-lists 101 command repeatedly and look for the entry whose hit count grows fastest; that entry indicates
the likely nature of the attack. Clear the counters first with clear access-list counters 101 so the counts reflect
only current traffic, and remove the ACL once the characterization is done.
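The two steps the text describes, sampling show access-lists and building a source list from logging, can be automated off the router. The script below is an added example and is not from the book; it assumes the standard IOS output formats shown in its constructed sample data (two snapshots of the Example 2-8 ACL taken ten seconds apart, and a handful of %SEC-6-IPACCESSLOG syslog lines as produced by log-input). It ranks the entries by counter growth per second, honours the first-match rule, copes with counters having been cleared between samples, and sums the packet field of the log messages per source address.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# One entry of "show access-lists <number>" output, e.g.
#   "    20 permit tcp any any syn (48213 matches)"
# An entry that has never matched carries no "(N matches)" suffix.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<ace>(?:permit|deny)\b.*?)"
    r"(?:\s+\((?P<n>\d+)\s+match(?:es)?\))?\s*$"
)
# Syslog message emitted by an entry that carries the log or log-input keyword:
#   "%SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.23(40512) -> 192.0.2.10(80), 1 packet"
#   "%SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.9 -> 192.0.2.10 (8/0), 4 packets"
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? -> \d+\.\d+\.\d+\.\d+.*?, (?P<pkts>\d+) packets?"
)

# Constructed sample output: the ACL of Example 2-8 sampled twice, ten seconds apart.
SNAPSHOT_T0 = """Extended IP access list 101
    10 permit icmp any any echo (1532 matches)
    20 permit tcp any any syn (48213 matches)
    30 permit tcp any any fragments
    40 permit udp any any fragments (3 matches)
    50 permit ip any any fragments
    60 permit tcp any any (901 matches)
    70 permit udp any any (2210 matches)
    80 permit icmp any any (12 matches)
    90 permit ip any any (77 matches)
"""
SNAPSHOT_T1 = """Extended IP access list 101
    10 permit icmp any any echo (1540 matches)
    20 permit tcp any any syn (248213 matches)
    30 permit tcp any any fragments
    40 permit udp any any fragments (3 matches)
    50 permit ip any any fragments
    60 permit tcp any any (1001 matches)
    70 permit udp any any (2230 matches)
    80 permit icmp any any (12 matches)
    90 permit ip any any (80 matches)
"""
SAMPLE_INTERVAL_S = 10

# Constructed syslog lines, as if log-input had been added to the syn and echo entries.
LOG_SAMPLE = [
    "Mar  1 00:00:01.123: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.23(40512) -> 192.0.2.10(80), 1 packet",
    "Mar  1 00:00:02.001: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.9(1025) -> 192.0.2.10(80), 1 packet",
    "Mar  1 00:05:01.002: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.23(40514) -> 192.0.2.10(80), 313 packets",
    "Mar  1 00:05:01.100: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.9 -> 192.0.2.10 (8/0), 4 packets",
    "Mar  1 00:05:01.200: %SEC-6-IPACCESSLOGP: list 199 permitted udp 10.0.0.1(53) -> 192.0.2.10(53), 1 packet",
]


def parse_show_access_lists(text: str) -> Dict[int, Tuple[str, int]]:
    """Map sequence number -> (entry text, match count)."""
    entries: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:  # header lines such as "Extended IP access list 101" do not match
            entries[int(m.group("seq"))] = (m.group("ace").strip(), int(m.group("n") or 0))
    return entries


def rank_by_growth(before: Dict[int, Tuple[str, int]], after: Dict[int, Tuple[str, int]],
                   interval_s: float) -> List[Tuple[float, int, str]]:
    """Packets per second per entry between two snapshots, fastest-growing first.
    A packet is counted only by the first entry it matches, so the general "tcp any any"
    line never includes SYN or fragment packets already counted by the lines above it."""
    rates = []
    for seq, (ace, n_after) in after.items():
        n_before = before.get(seq, (ace, 0))[1]
        delta = n_after - n_before
        if delta < 0:  # counters were cleared between samples; use the new count as-is
            delta = n_after
        rates.append((delta / interval_s, seq, ace))
    return sorted(rates, reverse=True)


def top_sources(log_lines: List[str], acl: str = "101", limit: int = 5) -> List[Tuple[Tuple[str, str], int]]:
    """Packets per (protocol, source address) from the ACL's log messages. IOS logs the
    first matching packet and then periodic summaries carrying a packet count, so the
    packet field is summed instead of counting message lines."""
    counts: Counter = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("acl") == acl:
            counts[(m.group("proto"), m.group("src"))] += int(m.group("pkts"))
    return counts.most_common(limit)


if __name__ == "__main__":
    ranked = rank_by_growth(parse_show_access_lists(SNAPSHOT_T0),
                            parse_show_access_lists(SNAPSHOT_T1), SAMPLE_INTERVAL_S)
    for rate, seq, ace in ranked[:3]:
        print(f"seq {seq:>3} {ace:<32} {rate:>10.1f} pkt/s")
    for (proto, src), pkts in top_sources(LOG_SAMPLE):
        print(f"{proto:<5} {src:<16} {pkts} packets")
```

On the sample data the syn entry dominates at 20,000 packets per second while the general tcp line grows at 10 per second, which is the SYN-flood signature the text describes, and the log tally points at 198.51.100.23 as the main source. In practice, replace the constructed strings with the output of show access-lists 101 captured at a fixed interval and the router's syslog feed, and keep log-input on only the one or two entries of interest, since logging every packet of a flood loads the router's CPU.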

