Follow these steps to configure an ACL that can be used to protect against TCP RST DoS attacks.
Procedure
-
Enter global configuration mode.
device# configure terminal
-
Create or invoke an extended IP ACL.
device(config)# ip access-list extended acl1
2015/04/01-13:18:15, [SSMD-1400], 2315, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 is created.
The system message is generated when you create an ACL. If you are configuring an existing ACL, no message is generated.
-
Configure the extended ACL to permit TCP traffic from any source to any destination while filtering packets for which the
rst flag is set.
device(conf-ipacl-ext)# permit tcp any any rst
2015/04/01-13:22:16, [SSMD-1404], 2316, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 10 is added.
-
Return to privileged EXEC mode.
device(conf-ipacl-ext)# end
-
Verify the ACL.
device# show running-config ip access-list extended acl1
ip access-list extended acl1
seq 10 permit tcp any any rst
Protection against TCP RST attacks - ACL configuration example
device# configure terminal
device(config)# ip access-list extended acl1
device(conf-ipacl-ext)# permit tcp any any rst
device(conf-ipacl-ext)# exit
device# show running-config ip access-list extended acl1
