range (224.0.0.0/4) This ACL is applied inbound to the external interface (e0/0) of router R2.
IP Address Spoofing Mitigation: Outbound
As a rule, you should not allow any outbound IP packets with a source address other than a valid IP address of the internal network. The example in Figure shows ACL 105 for router R2. This ACL permits only packets that contain source addresses from the 10.2.1.0/24 network and denies all other packets. This ACL is applied inbound to the inside interface (e0/1) of router R2.
Note
Cisco routers running Cisco IOS Release 12.0 and later may use IP Unicast Reverse Path Forwarding (RPF) verification as an alternative IP address spoof mitigation mechanism.
DoS TCP SYN Attack Mitigation: Blocking External Access
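The following configuration is an added example that reconstructs the two anti-spoofing ACLs described above; it is not the course's Figure. It assumes R2 has e0/0 facing the outside and e0/1 on the inside network 10.2.1.0/24, and uses the reserved (Martian) ranges listed later in this section for the inbound filter. The unicast RPF lines show the alternative mentioned in the Note.

```cisco
! Added example (not the course's Figure). Assumed topology: R2 e0/0 = outside,
! R2 e0/1 = inside network 10.2.1.0/24.
!
! Inbound on the external interface: a packet arriving from the Internet must
! never claim the inside prefix or a reserved range as its source.
access-list 100 remark Inbound anti-spoofing on e0/0
access-list 100 deny   ip 10.2.1.0 0.0.0.255 any log
access-list 100 deny   ip 0.0.0.0 0.255.255.255 any log
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny   ip 224.0.0.0 15.255.255.255 any log
access-list 100 deny   ip 240.0.0.0 15.255.255.255 any log
access-list 100 remark Assumed placeholder: the site's real service permits go here
access-list 100 permit ip any 10.2.1.0 0.0.0.255
!
! ACL 105, applied inbound on the inside interface: only the inside prefix may
! appear as a source address on its way out. Everything else is dropped and
! logged, which is also how an internally infected host sending spoofed
! traffic shows up.
access-list 105 remark Outbound anti-spoofing, applied inbound on e0/1
access-list 105 permit ip 10.2.1.0 0.0.0.255 any
access-list 105 deny   ip any any log
!
interface Ethernet0/0
 ip access-group 100 in
!
interface Ethernet0/1
 ip access-group 105 in
!
! Alternative (IOS 12.0 and later): strict unicast RPF. The router drops a
! packet when the best route back to its source address does not point out
! the interface the packet arrived on. Requires CEF; use only where routing
! is symmetric, otherwise legitimate traffic is dropped.
ip cef
interface Ethernet0/1
 ip verify unicast source reachable-via rx
```

After applying the ACLs, `show access-lists 100` and `show access-lists 105` display per-entry match counters; a rising counter on the ACL 105 deny entry is worth investigating, because it means an inside host is emitting packets with a foreign source address.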
TCP SYN attacks involve sending large numbers of TCP SYN packets, often from a spoofed source, into the internal network, which results in the flooding of the TCP connection queues of the receiving nodes. The ACL in Figure prevents inbound packets, with the SYN flag set, from entering the router. However, the ACL does allow TCP responses from the outside network for TCP connections that originated on the inside network (keyword established). The established option is used for the TCP protocol only. This option indicates return traffic from an established connection. A match occurs if the TCP datagram has the ACK control bit set. Please note that this ACL effectively blocks all ICMP and UDP traffic, which may include dynamic routing updates.
DoS TCP SYN Attack Mitigation: Using TCP Intercept
TCP Intercept is a very effective tool for protecting internal network hosts from external TCP SYN attacks. The example in Figure uses TCP intercept to mitigate DoS TCP SYN attacks. TCP Intercept protects internal hosts from SYN flood attacks by intercepting and validating TCP connection requests before the requests reach the hosts. Valid connections (those connections established within the configured thresholds) are passed on to the host. Invalid connection attempts are dropped.
Note
Because TCP Intercept examines every TCP connection attempt, TCP Intercept can impose a performance burden on your routers. Always test for any performance problems before using TCP Intercept in a production environment.
DoS Smurf Attack Mitigation
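The two SYN-flood mitigations above, the established-keyword ACL and TCP Intercept, are shown side by side in the following added example. It is not the course's Figure; it assumes e0/0 is R2's Internet-facing interface and 10.2.1.0/24 is the protected network, and the TCP Intercept thresholds are assumed starting values, not recommendations.

```cisco
! Added example (not the course's Figure). Assumed: R2 e0/0 = outside,
! protected network = 10.2.1.0/24.
!
! Option 1: block external connection attempts with "established".
! A segment matches "established" only if its ACK (or RST) bit is set, so an
! initial SYN from outside never matches and falls to the implicit deny.
! As the course warns, UDP, ICMP and routing-protocol traffic also hit that
! deny unless they are permitted explicitly before it.
access-list 101 remark Return traffic only; inside hosts may still open sessions
access-list 101 permit tcp any 10.2.1.0 0.0.0.255 established
access-list 101 deny   ip any any log
!
interface Ethernet0/0
 ip access-group 101 in
!
! Option 2: TCP Intercept. The router completes the three-way handshake with
! the client itself and only then opens the connection to the inside host, so
! half-open connections from spoofed sources never reach the server's queue.
! ACL 110 selects which destinations are protected.
access-list 110 permit tcp any 10.2.1.0 0.0.0.255
ip tcp intercept list 110
ip tcp intercept mode intercept
! Aggressive mode starts when either threshold's "high" value is crossed and
! ends when the count falls below "low". Values below are assumed for a small
! site; measure normal connection rates first and tune from there.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode random
```

`show tcp intercept connections` lists the half-open connections the router is currently holding, and `show tcp intercept statistics` reports how often aggressive mode was entered; checking both under a load test is the practical way to follow the Note's advice about performance before deployment.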
Smurf attacks consist of large numbers of ICMP packets sent to a router subnet broadcast address using a spoofed source IP address from that same subnet. Some routers may be configured to forward these broadcasts to other routers in the protected network, and this process causes performance degradation. The ACL shown in Figure prevents this forwarding process and halts the smurf attack. The ACLs in Figure block all IP packets originating from any host destined for the subnet broadcast addresses specified (10.2.1.255 and 10.1.1.255).
Note
Cisco IOS Release 12.0 and later has the no ip directed-broadcast feature enabled by default, which prevents this type of ICMP attack. Therefore, you may not need to build an ACL as shown here.
Filtering Inbound ICMP Messages
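As an added example (not the course's Figure), the following configuration combines the broadcast-address ACL with the directed-broadcast setting the Note refers to. It assumes R2's e0/0 faces the outside, e0/1 is on 10.2.1.0/24, and 10.1.1.0/24 is a second internal subnet reached through R2, as the two broadcast addresses in the text suggest.

```cisco
! Added example (not the course's Figure). Assumed: R2 e0/0 = outside,
! e0/1 = 10.2.1.0/24, 10.1.1.0/24 = second internal subnet.
!
! Drop any packet, whatever its source, addressed to a subnet broadcast
! address before the router can turn it into a link-layer broadcast that
! every host on the segment answers.
access-list 111 remark Smurf amplification: block subnet broadcast destinations
access-list 111 deny   ip any host 10.2.1.255 log
access-list 111 deny   ip any host 10.1.1.255 log
access-list 111 remark Assumed placeholder: the site's normal policy follows
access-list 111 permit ip any any
!
interface Ethernet0/0
 ip access-group 111 in
!
! IOS 12.0 and later defaults to not forwarding directed broadcasts. Setting
! it explicitly on every LAN interface protects against an older template or
! a copied configuration that re-enables it with "ip directed-broadcast".
interface Ethernet0/1
 no ip directed-broadcast
```

To confirm the interface setting, `show ip interface Ethernet0/1` includes the line "Directed broadcast forwarding is disabled"; the ACL counters from `show access-lists 111` show whether anyone is still sending to the broadcast addresses.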
There are several ICMP message types that attackers can use against your network. Programs use some of these messages; others are used for network management and so are automatically generated by the router. ICMP echo packets can be used to discover subnets and hosts on the protected network and can also be used to generate DoS floods. ICMP redirect messages can be used to alter host routing tables. The router should block both ICMP echo and redirect messages that are inbound. The ACL statement shown in Figure blocks all ICMP echo and redirect messages. As an added safety measure, this ACL also blocks mask-request messages. The ACL permits all other ICMP messages inbound to the 10.2.1.0/24 network.
Filtering Outbound ICMP Messages
These ICMP messages are required for proper network operation and should be allowed outbound: As a general rule, you should block all other ICMP message types that are outbound. The ACL shown in Figure permits all of the required ICMP messages inbound to the e0/1 interface while denying all others.
Filtering UDP Traceroute Messages
The traceroute feature uses some of the ICMP message types to complete several tasks. Traceroute displays the IP addresses of the routers that a packet encounters along the packet path (hops) from source to destination. Attackers can use ICMP responses to the UDP traceroute packets to discover subnets and hosts on the protected network. As a rule, you should block all inbound traceroute UDP messages, as shown in Figure (UDP ports 33400 to 34400). The example in Figure shows how to filter traceroute messages.
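The inbound ICMP filter and the UDP traceroute filter described in the two sections above naturally live in the same inbound ACL on the external interface, so the following added example (not the course's Figure) shows them together. It assumes e0/0 is R2's external interface and 10.2.1.0/24 the protected network; the entries marked as placeholders stand in for the site's own service permits, which the course does not list.

```cisco
! Added example (not the course's Figure). Assumed: R2 e0/0 = outside,
! protected network = 10.2.1.0/24.
!
! IOS evaluates ACL entries top-down and stops at the first match, so the
! specific ICMP denies must come before the general ICMP permit.
access-list 112 remark Inbound ICMP: deny reconnaissance and routing manipulation
access-list 112 deny   icmp any any echo log
access-list 112 deny   icmp any any redirect log
access-list 112 deny   icmp any any mask-request log
access-list 112 remark Keep the messages hosts need (unreachable, ttl-exceeded, ...)
access-list 112 permit icmp any 10.2.1.0 0.0.0.255
!
! UDP traceroute probes target high destination ports; the course gives the
! range 33400-34400. Dropping the probe also prevents the ICMP reply that
! would reveal the path and hosts inside.
access-list 112 remark Inbound UDP traceroute probes
access-list 112 deny   udp any any range 33400 34400 log
!
access-list 112 remark Assumed placeholder: site-specific service permits go here
access-list 112 deny   ip any any log
!
interface Ethernet0/0
 ip access-group 112 in
```

Note that outbound echo requests from inside hosts still get their echo replies: the reply is ICMP type echo-reply, not echo, so it matches the general ICMP permit rather than the first deny.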
5.7 Mitigating Threats and Attacks with Access Lists
5.7.5 Mitigating DDoS with ACLs
Figure shows how a DDoS attack occurs. Generally, routers cannot prevent all DDoS attacks, but they can help reduce the number of occurrences of attacks by building ACLs that filter known attack ports. Methods that you use to block DDoS by blocking selected ports aim at stopping TRIN00, Stacheldraht, Trinity v3, and SubSeven. ACL rules are generally applied to inbound and outbound traffic between the protected network and the Internet. A DDoS attack can compromise several hundred to several thousand hosts. The hosts are usually Linux and SUN computers. However, the attack tools can be ported to other platforms as well. The process of compromising a host and installing the tool is automated. A DDoS attack proceeds as follows:
Step 1 The attacker initiates a scan phase in which a large number of hosts (perhaps 100,000 or more) are probed for a known vulnerability.
Step 2 The attacker compromises the vulnerable hosts to gain access.
Step 3 The attacker installs the tool on each host.
Step 4 The attacker uses the compromised hosts for more scanning and compromises.
Because an automated process is used, attackers can compromise and install the tool on a single host in less than five seconds, and several thousand hosts can be compromised in less than one hour.
Mitigate DDoS Using Martian Filters
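The following added example (not the course's Figure) shows what "filtering known attack ports" for the four tools named above looks like as an ACL applied in both directions on the edge. It assumes e0/0 is the Internet-facing interface; the port numbers are the widely documented default control ports of those tools, assumed here, and because an attacker can change them the filter is best treated as an early-warning and nuisance-reduction layer rather than a complete defense.

```cisco
! Added example (not the course's Figure). Assumed: e0/0 = Internet-facing
! interface of the edge router. Ports are the tools' documented defaults.
!
access-list 190 remark TRIN00 control channels (attacker-master TCP, master-daemon UDP)
access-list 190 deny   tcp any any eq 27665 log
access-list 190 deny   udp any any eq 27444 log
access-list 190 deny   udp any any eq 31335 log
access-list 190 remark Stacheldraht handler ports
access-list 190 deny   tcp any any eq 16660 log
access-list 190 deny   tcp any any eq 65000 log
access-list 190 remark Trinity v3
access-list 190 deny   tcp any any eq 33270 log
access-list 190 remark SubSeven default listener
access-list 190 deny   tcp any any eq 27374 log
access-list 190 remark Assumed placeholder: the site's normal policy follows
access-list 190 permit ip any any
!
! Applied in both directions: inbound hits point at external scanning or
! control traffic aimed at inside hosts; outbound hits point at an inside
! host that has already been compromised and is reporting to a handler.
interface Ethernet0/0
 ip access-group 190 in
 ip access-group 190 out
```

The `log` keyword produces a syslog message per matching packet (subject to the router's logging rate limit), and `show access-lists 190` gives per-entry hit counters; a non-zero counter in the outbound direction is the more urgent signal, since it identifies an internal host rather than an external scanner.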
RFC 2827 recommends that ISPs police their customer traffic by dropping traffic that enters their networks from a source address that the customer network is not legitimately using. The filtering includes, but is not limited to, traffic whose source address is a “Martian address”—a reserved address that includes any address within 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, or 240.0.0.0/4. RFC 3704 is the update to RFC 2827. Figure shows the concept of using Martian filters. The reasoning behind this ingress filtering procedure is that DDoS attacks frequently spoof source addresses of other systems, placing a random number in the field. In some attacks, this random number is deterministically within the target network, simultaneously attacking one or more machines and causing those machines to attack other machines with ICMP messages or other traffic. Attacked sites can protect themselves by proper filtering that occurs by verifying that the site prefixes are not used in source addresses of packets that the site receives from the Internet. In other attacks, the source address is