Follow these steps to configure an ACL that can be used to protect against TCP SYN DoS attacks.
Procedure
-
Enter global configuration mode.
device# configure terminal
-
Create an extended IP ACL.
device(config)# ip access-list extended acl1
2015/04/01-13:18:15, [SSMD-1400], 2315, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 is created.
The system message is generated when you create an ACL. If you are configuring an existing ACL, no message is generated.
-
Configure the extended ACL to permit TCP traffic from any source to any destination while filtering packets for which the
sync (synchronize) flag is set.
device(conf-ipacl-ext)# permit tcp any any sync
2015/04/01-13:22:16, [SSMD-1404], 2316, SW/device | Active | DCE, INFO, device, IPv4 access list acl1 rule sequence number 10 is added.
-
Return to privileged EXEC mode.
device(conf-ipacl-ext)# end
-
Verify the ACL.
device# show running-config ip access-list extended acl1
ip access-list extended acl1
seq 10 permit tcp any any sync
Protection against TCP SYN attacks - ACL configuration example
device# configure terminal
device(config)# ip access-list extended acl1
device(conf-ipacl-ext)# permit tcp any any sync
device(conf-ipacl-ext)# end
device# show running-config ip access-list extended acl1
