
DoS Step-by-Step: Cisco Anti-Spoof Egress Filtering


Revision: 1.9 - Date: 2006/05/10 16:32:54 GMT

To help prevent customer networks from being used as sources of spoofed traffic in denial of service (DoS) attacks, the following access list should be in place on customer routers (this is the egress filtering recommended in RFC 2827 / BCP 38). The access list is applied outbound on the interface that connects to the ISP.

access-list xxx permit ip (customer network) (wildcard mask) any
access-list xxx deny ip any any

This access list drops any packet leaving the customer network whose source address is not inside the customer's own address block, so a compromised host inside cannot send spoofed packets to the Internet. Note that IOS access lists take a wildcard mask, the inverse of the netmask: a /24 block is written as 192.168.1.0 0.0.0.255, not 192.168.1.0 255.255.255.0.

For customers with more than one connection to the Internet, the same access list is applied outbound on every interface connected to the Internet.

The ACL is placed on the interface toward the Internet. In the following example the link to the Internet is Serial0.1.

external-gw#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0              192.168.2.1     YES NVRAM  up                    up
Serial0                unassigned      YES unset  up                    up
Serial0.1              192.168.1.1     YES unset  up                    up
Serial1                unassigned      YES unset  down                  down
external-gw#

The network is 192.168.1.0 255.255.255.0. We want to create an access list that will permit traffic from any host within the 192.168.1.0/24 network and drop all other traffic.

First, make sure the access list number we will be using (150) is not already in use:

external-gw#sh access-list 150
external-gw#

If an access list numbered 150 existed, its entries would have been shown here. Now make sure the serial interface does not already have an access list applied outbound.

external-gw#show ip interface serial0.1
Serial0.1 is up, line protocol is up
  .
  .
  .
  Outgoing access list is not set
  .
  .
  .
external-gw#

You should see the line "Outgoing access list is not set". If not, you already have an outbound access list, and the anti-spoof entries will have to be merged into it; see your firewall administrator for help. If you do not have an existing outbound access list, you can now create access list 150 and apply it outbound on the interface connected to the ISP (in this example serial0.1).

external-gw#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
external-gw(config)#access-list 150 permit ip 192.168.1.0 0.0.0.255 any
external-gw(config)#access-list 150 deny ip any any log
external-gw(config)#interface serial0.1
external-gw(config-subif)#ip access-group 150 out
external-gw(config-subif)#^Z
external-gw#write
Building configuration...
[OK]
external-gw#

After the access list is applied to the interface, the command "show ip access-list 150" displays a match counter for each entry. Confirm that the counter on the permit entry for your address block is incrementing as normal traffic flows. If the counter on the deny entry also climbs steadily, a legitimate internal prefix is probably missing from the permit entries; note that in the example above Ethernet0 is numbered 192.168.2.1, so a LAN on 192.168.2.0/24 behind that interface would need its own permit entry (numbered access lists only append, so the list must be removed and re-entered with the extra permit ahead of the deny). The "log" keyword on the deny entry produces a syslog message for denied packets, which helps identify the spoofing host; because logged packets are handled by the router CPU, a large flood of spoofed traffic can load the router, so rate-limit syslog output ("logging rate-limit") or drop the keyword if that happens.

If the access list must be removed because of an error, use the interface command "no ip access-group 150 out" to remove it and confirm with "show ip int <interface>" that the outgoing access list is no longer set.
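As an added example (not code from the original page), the following Python script builds the access list from a list of internal prefixes, converting each to the wildcard mask IOS expects, checks the interface addresses from the "show ip interface brief" output above against it, and evaluates sample source addresses the way the router would (entries checked top to bottom, first match wins, implicit deny at the end). The list number 150 and the prefix 192.168.1.0/24 come from the page; the function names, the sample source addresses and the constructed interface listing (copied from the page's show output) are this script's assumptions.

```python
"""Build and sanity-check a BCP 38 style egress access list for Cisco IOS.

Added example, not code from the original page. The list number (150) and
the internal prefix (192.168.1.0/24) come from the page; the function names,
the sample source addresses and the 'show ip interface brief' text below
(copied from the page's own output) are this script's assumptions.
"""
import ipaddress
import re

ACL_NUMBER = 150  # list number chosen on the page

# Constructed sample: the page's 'show ip interface brief' output, verbatim.
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Ethernet0              192.168.2.1     YES NVRAM  up                    up
Serial0                unassigned      YES unset  up                    up
Serial0.1              192.168.1.1     YES unset  up                    up
Serial1                unassigned      YES unset  down                  down
"""

# Matches the two entry shapes this script emits: 'ip <net> <wildcard> any'
# and 'ip any any' (with or without a trailing 'log').
ACL_LINE = re.compile(r"access-list \d+ (permit|deny) ip (?:any|(\S+) (\S+)) any")


def build_egress_acl(prefixes, acl=ACL_NUMBER, log_denies=True):
    """Return IOS config lines: one permit per internal prefix, then deny all.

    strict=True makes a typo such as 192.168.1.1/24 raise ValueError instead
    of silently permitting a block that was not intended.
    """
    lines = []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        # IOS wants a wildcard (inverted) mask: /24 -> 0.0.0.255
        lines.append(f"access-list {acl} permit ip {net.network_address} {net.hostmask} any")
    lines.append(f"access-list {acl} deny ip any any" + (" log" if log_denies else ""))
    return lines


def evaluate(lines, src):
    """Decide permit/deny for a source address the way the router does.

    Entries are checked top to bottom, the first match wins, and an IOS
    access list ends with an implicit deny if nothing matched.
    """
    addr = int(ipaddress.IPv4Address(src))
    for line in lines:
        m = ACL_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised access-list line: {line}")
        action, network, wc = m.groups()
        if network is None:          # source 'any'
            return action
        mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wc))
        if addr & mask == int(ipaddress.IPv4Address(network)) & mask:
            return action
    return "deny"


def uncovered_interfaces(show_brief, prefixes):
    """Interfaces whose address lies outside every permitted prefix.

    Hosts behind such an interface would be dropped by the egress list, so
    each one is a prefix that probably needs its own permit entry.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    missing = []
    for line in show_brief.splitlines():
        m = re.match(r"(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s", line)
        if m and not any(ipaddress.IPv4Address(m.group(2)) in n for n in nets):
            missing.append((m.group(1), m.group(2)))
    return missing


if __name__ == "__main__":
    internal = ["192.168.1.0/24"]
    acl = build_egress_acl(internal)
    print("\n".join(acl))
    # Sample sources (constructed): an inside host, a spoofed outside address,
    # and a host on the Ethernet0 LAN that the single permit entry misses.
    for src in ("192.168.1.77", "10.0.0.5", "192.168.2.9"):
        print(f"{src:15} -> {evaluate(acl, src)}")
    for ifname, address in uncovered_interfaces(SHOW_IP_INT_BRIEF, internal):
        print(f"warning: {ifname} ({address}) is outside every permitted prefix")
```

Run as-is it prints the two entries from the page, shows 192.168.1.77 permitted and 10.0.0.5 denied, and warns that Ethernet0 (192.168.2.1) is outside the permitted prefix, which is exactly the case where the deny counter would climb for legitimate traffic; adding "192.168.2.0/24" to the prefix list clears the warning.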

Never change the access list on the router interface through which you are managing the router. Either remove the access-group from the interface first, or configure the router from the serial console. If you leave the access-group applied while editing, there will be a momentary outage while the new list is installed, and a mistake can cut off all traffic through the interface, including your own session.