Configuring use case 2: Protection against TCP RST attacks

Follow these steps to configure an ACL that can be used to protect against TCP RST DoS attacks.

Procedure

  1. Enter global configuration mode.
    device# configure terminal
    
  2. Create or invoke an extended IP ACL.
    device(config)# ip access-list extended acl1
    2015/04/01-13:18:15, [SSMD-1400], 2315, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 is created.
    
    The system message is generated when you create an ACL. If you are configuring an existing ACL, no message is generated.
  3. Configure the extended ACL to permit TCP traffic from any source to any destination, matching only packets in which the RST flag is set (the rst keyword).
    device(conf-ipacl-ext)# permit tcp any any rst
    2015/04/01-13:22:16, [SSMD-1404], 2316, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 10 is added.
    
  4. Return to privileged EXEC mode.
    device(conf-ipacl-ext)# end
    
  5. Verify the ACL.
    device# show running-config ip access-list extended acl1
    ip access-list extended acl1
     seq 10 permit tcp any any rst
    
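    The following is an added illustration, not part of the vendor documentation: it parses the show running-config output from step 5 (embedded as a constructed sample) and evaluates constructed packets against the parsed rules. Rule ordering by sequence number, first-match semantics, an implicit deny at the end of the list, and the rst keyword meaning "RST flag set" are assumptions about the platform, not statements taken from this page.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed sample: the "show running-config" output from step 5 above.
SHOW_OUTPUT = """\
ip access-list extended acl1
 seq 10 permit tcp any any rst
"""

@dataclass
class Rule:
    seq: int
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp", "ip", ...
    src: str                # "any" or an address
    dst: str                # "any" or an address
    flags: FrozenSet[str]   # TCP flag keywords that must be set, e.g. {"rst"}

# Assumed rule syntax: "seq N permit|deny PROTO SRC DST [flags...]"
RULE_RE = re.compile(r"^\s*seq (\d+) (permit|deny) (\S+) (\S+) (\S+)(.*)$")

def parse_acl(text: str) -> List[Rule]:
    """Parse extended-ACL rules out of running-config text, ordered by seq."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            seq, action, proto, src, dst, rest = m.groups()
            rules.append(Rule(int(seq), action, proto, src, dst,
                              frozenset(rest.split())))
    return sorted(rules, key=lambda r: r.seq)

def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             flags: FrozenSet[str]) -> str:
    """Return the action of the first matching rule; implicit deny otherwise."""
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if r.src != "any" and r.src != src:
            continue
        if r.dst != "any" and r.dst != dst:
            continue
        if not r.flags <= flags:        # every listed flag must be set
            continue
        return r.action
    return "deny"                       # assumed implicit deny

ACL1 = parse_acl(SHOW_OUTPUT)
```

    With this model, a TCP segment carrying RST hits seq 10, while a plain SYN or a UDP datagram falls through to the implicit deny, which is worth keeping in mind before applying the list on its own.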

Protection against TCP RST attacks - ACL configuration example

device# configure terminal
device(config)# ip access-list extended acl1
device(conf-ipacl-ext)# permit tcp any any rst
device(conf-ipacl-ext)# end
device# show running-config ip access-list extended acl1