The output in Example 7-5 shows a large number of TCP SYN packets, an indication of a potential SYN flood to a
target victim. The only nonattack condition that creates this signature is a massive overload of genuine TCP
connection requests.
Example 7-5. Output of Smurf Target Victim Attack
Router# show ip access-list
Extended IP access list 101
permit tcp any any syn (13174 matches)
permit ip any any (438 matches)
Many features are available that you can use to reduce the impact of SYN floods. The effectiveness of these
features depends on the environment; therefore, you should carefully examine these solutions. Some
techniques available to prevent or minimize the impact of SYN flood attacks include the following:
Rate-limiting (CAR).
Context-Based Access Control (CBAC).
TCP Intercept.
On security appliances such as PIX firewalls, the static and nat commands provide an option to monitor and
control half-open (embryonic) connections. For more details, refer to the static command in the PIX documentation.
Antispoofing: Do not allow traffic claiming to be sourced from customer IP blocks to ingress from the
uplink or Internet.
Anti-bogon: Do not allow traffic claiming to be sourced from reserved addresses or from an IPv4 block
that has yet to be allocated by the Internet Assigned Numbers Authority (IANA).
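The detection described above relies on the per-ACE match counters of show ip access-list: a SYN-matching entry that grows far faster than the rest of the traffic is the signature. The following script is an added example, not code from the book, that parses two successive snapshots of that output and computes the SYN packet rate and the share of SYNs in all matched traffic. The two snapshots are constructed samples modelled on Example 7-5, the 60-second interval and the alerting thresholds are assumptions, and the script also handles the case where the counters were cleared between snapshots (the second reading is lower than the first).

```python
import re

# Constructed samples: two `show ip access-list` snapshots for ACL 101, taken
# 60 seconds apart. Values are modelled on Example 7-5, not a real capture.
SNAPSHOT_T0 = """Extended IP access list 101
    permit tcp any any syn (1021 matches)
    permit ip any any (402 matches)
"""
SNAPSHOT_T1 = """Extended IP access list 101
    permit tcp any any syn (13174 matches)
    permit ip any any (438 matches)
"""

# One ACE line, with an optional IOS sequence number and optional "(N matches)".
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+(.+?)(?:\s+\((\d+) matches\))?\s*$"
)


def parse_ace_counters(text):
    """Return {ace_text: match_count} for every ACE in the command output.
    ACEs without a "(N matches)" suffix are recorded with a count of 0."""
    counters = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            ace = "%s %s" % (m.group(1), m.group(2))
            counters[ace] = int(m.group(3) or 0)
    return counters


def counter_delta(before, after):
    """Packets matched between two readings. If the counter went down, the
    counters were cleared in between (clear ip access-list counters), so the
    second reading is itself the delta."""
    return after if after < before else after - before


def assess_syn_flood(snapshot_t0, snapshot_t1, interval_s,
                     syn_pps_threshold=100.0, syn_share_threshold=0.9):
    """Compute SYN packets/sec and the SYN share of all matched packets,
    and flag the interval when both exceed the (assumed) thresholds."""
    c0 = parse_ace_counters(snapshot_t0)
    c1 = parse_ace_counters(snapshot_t1)
    syn_pkts = 0
    total_pkts = 0
    for ace, after in c1.items():
        delta = counter_delta(c0.get(ace, 0), after)
        total_pkts += delta
        # Any ACE that matches on the SYN flag counts toward the SYN total.
        if ace.startswith("permit tcp") and " syn" in ace:
            syn_pkts += delta
    syn_pps = syn_pkts / float(interval_s)
    syn_share = syn_pkts / float(total_pkts) if total_pkts else 0.0
    return {
        "syn_pkts": syn_pkts,
        "total_pkts": total_pkts,
        "syn_pps": syn_pps,
        "syn_share": syn_share,
        "suspicious": syn_pps >= syn_pps_threshold
                      and syn_share >= syn_share_threshold,
    }


if __name__ == "__main__":
    result = assess_syn_flood(SNAPSHOT_T0, SNAPSHOT_T1, interval_s=60)
    print("SYN pkts: %d of %d (%.1f%%), %.1f SYN/s, suspicious=%s" % (
        result["syn_pkts"], result["total_pkts"],
        100 * result["syn_share"], result["syn_pps"], result["suspicious"]))
```

As the text notes, a surge of genuine connection requests produces the same counter pattern, so this heuristic only tells you that a SYN rate limit, TCP Intercept or the firewall's embryonic-connection limit is worth engaging; it cannot by itself distinguish an attack from a legitimate overload. Polling at a fixed interval matters because the raw totals in a single snapshot say nothing about rate.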