Re: Rate Limiting for TCP Syn Packets

From: Ivan (ivan@iip.net)
Date: Tue Aug 22 2006 - 13:21:10 ART


This example shows protection against a TCP SYN attack.
Host 10.0.0.1 is the victim and a swarm of TCP half-open/open sessions appears on it. To
defend, we need to limit the SYN flow.
access-list 103 permit tcp any host 10.0.0.1

At the same time, established sessions don't need to be confined.
access-list 103 deny tcp any host 10.0.0.1 established

HTH

> Hi Guys,
>
> Reading today at this link:
>
> http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html#rate_limit_tcp_syn
>
>
>
> I found that maybe the access-list 103 is inverted :S
>
> Or Just I wake up with dyslexia this morning.
>
> With this configuration
>
> access-list 103 deny tcp any host 10.0.0.1 established
> !--- Let established sessions run fine
> access-list 103 permit tcp any host 10.0.0.1
> !--- We are just going to rate limit the initial tcp SYN packet,
> !-- as the other packets in the TCP session would have hit the prior entry
> in the ACL
> interface <interface> <interface #>
> rate-limit input access-group 103 8000 8000 8000 conform-action transmit
> exceed-action drop
>
>
>
> We are going only to rate-limit TCP Traffic if I'm not wrong
>
> I think that the ACL should be only
>
> access-list 103 permit tcp any host 10.0.0.1 established
>
>
>
> Opinions are welcome
>
> Thanks
>
> Victor.-
>

-- 
Ivan
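An added illustration (not part of Ivan's or Victor's posts): a small simulation of IOS first-match ACL evaluation, with `established` matching segments whose ACK or RST bit is set, run against both ACL variants from the thread to show which segments each one hands to the CAR policer. It assumes only the destination host and TCP flags matter for the match; the sample packets are constructed.

```python
# Added example, not from the original thread. Models how IOS evaluates an
# ACL referenced by `rate-limit input access-group`: only packets *permitted*
# by the ACL are policed; denied (or unmatched) packets bypass this entry.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    dst: str           # destination host the entry applies to
    established: bool  # True if the entry carries the `established` keyword

def matches(ace, pkt):
    """One ACE against one TCP segment (only dst host and flags are modeled)."""
    if pkt["dst"] != ace.dst:
        return False
    if ace.established and not (pkt["ack"] or pkt["rst"]):
        return False
    return True

def acl_permits(acl, pkt):
    """First-match evaluation with the implicit deny at the end, as in IOS."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action == "permit"
    return False

def rate_limited_kinds(acl, packets):
    """Return the segment kinds that the CAR entry would actually police."""
    return sorted({p["kind"] for p in packets if acl_permits(acl, p)})

# ACL 103 as written in the Cisco document: deny established first, then permit.
ACL_DOC = [Ace("deny", "10.0.0.1", True), Ace("permit", "10.0.0.1", False)]
# The single-line alternative suggested in the quoted question.
ACL_PROPOSED = [Ace("permit", "10.0.0.1", True)]

# Constructed sample traffic toward the victim host 10.0.0.1 (and one bystander).
SAMPLE = [
    {"kind": "syn", "dst": "10.0.0.1", "ack": False, "rst": False},
    {"kind": "ack", "dst": "10.0.0.1", "ack": True, "rst": False},
    {"kind": "rst", "dst": "10.0.0.1", "ack": False, "rst": True},
    {"kind": "syn-other-host", "dst": "10.0.0.2", "ack": False, "rst": False},
]

if __name__ == "__main__":
    print("document ACL polices:", rate_limited_kinds(ACL_DOC, SAMPLE))      # ['syn']
    print("proposed ACL polices:", rate_limited_kinds(ACL_PROPOSED, SAMPLE)) # ['ack', 'rst']
```

With the document's ordering only the initial SYNs reach the policer, whereas the one-line variant polices the established traffic and lets every SYN through unlimited.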


This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:58 ART