Section 8.0: Advanced Security

8.1. Perimeter Security

  1. Configure an ACL that denies TCP/53 segments carrying the SYN flag, so that no new TCP connection to the DNS port can be opened from the outside (the attack referred to in the task). The configuration is shown after item 2.

  2. Permit any DNS request originating from VLAN2. Both requirements are met by the single ACL below, applied inbound on Serial0 of R2: the first entry lets TCP/53 segments that belong to an already-open conversation through, the second drops any remaining TCP/53 segment with SYN set (a new connection attempt), and the closing permit ip any any is what carries VLAN2's DNS traffic (UDP/53 queries and replies, and the replies to its own TCP/53 queries):

    hostname r2
    !
    interface Serial0
     ip address 179.7.2.2 255.255.255.248
     ! ACL 199 is checked on traffic arriving on Serial0; first match wins
     ip access-group 199 in
    !
    ! TCP/53 segments with ACK or RST set (an open conversation) are allowed
    access-list 199 permit tcp any any eq domain established
    ! Anything left to TCP/53 with SYN set is a new connection attempt: drop it
    access-list 199 deny   tcp any any eq domain syn
    ! Everything else, including UDP/53 to and from VLAN2, is allowed
    access-list 199 permit ip any any
    !

    ! Verify by telnetting from R3 to R2 on port 53: the SYN is dropped by the
    ! deny entry, so the connection never opens
    r3#telnet 179.7.2.2 53
    Trying 179.7.2.2, 53 ...
    % Destination unreachable; gateway or host down

    r3#

    ! Check the ACL counters on R2; the dropped SYN is counted on the deny entry
    r2#show access-lists 199
    Extended IP access list 199
        permit tcp any any eq domain established
        deny tcp any any eq domain ...
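The following Python model is an added example, not code from the book: it replays the first-match evaluation of access-list 199 against a handful of constructed packets so the effect of entry order and of the established keyword can be seen without a lab. It encodes the IOS semantics used above (established matches a TCP segment with ACK or RST set, syn matches one with SYN set, eq domain is destination port 53, unmatched packets hit the implicit deny). R2's address 179.7.2.2 is from the page; the outside address 179.7.2.3, the VLAN2 host 10.2.0.10 and the external DNS server 198.51.100.53 are assumptions.

```python
"""Added example (not from the book): a first-match model of ACL 199 on R2.

Models the Cisco IOS extended-ACL behaviour used above:
  - entries are evaluated top to bottom, the first match decides, and an
    unmatched packet hits the implicit deny at the end;
  - 'established' matches a TCP segment with the ACK or RST bit set (a
    stateless flag check, not connection tracking);
  - 'syn' matches any TCP segment with the SYN bit set;
  - 'eq domain' is destination port 53.
Packets below are constructed for the walk-through; addresses other than
R2's 179.7.2.2 are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

DOMAIN = 53  # IOS keyword 'domain'


@dataclass(frozen=True)
class Packet:
    proto: str                           # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flag names, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Entry:
    action: str                          # "permit" or "deny"
    proto: str                           # "tcp", "udp" or "ip" (any protocol)
    dport: Optional[int] = None          # None: any destination port
    established: bool = False
    syn: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # 'established': ACK or RST set; nothing is looked up in a state table
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        if self.syn and "SYN" not in p.flags:
            return False
        return True


# access-list 199 exactly as configured on R2, in order
ACL_199: List[Entry] = [
    Entry("permit", "tcp", DOMAIN, established=True),
    Entry("deny", "tcp", DOMAIN, syn=True),
    Entry("permit", "ip"),
]


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); (deny, None) is the implicit deny."""
    for i, entry in enumerate(acl):
        if entry.matches(p):
            return entry.action, i
    return "deny", None


R2 = "179.7.2.2"
OUTSIDE = "179.7.2.3"      # assumed: R3's address on the serial subnet
VLAN2_HOST = "10.2.0.10"   # assumed: a host behind R2 on VLAN2
EXT_DNS = "198.51.100.53"  # assumed: an external DNS server

# Constructed traffic as it would arrive inbound on Serial0
SAMPLES: Dict[str, Packet] = {
    # r3#telnet 179.7.2.2 53: a new TCP connection attempt to the DNS port
    "new_tcp53_from_outside": Packet("tcp", OUTSIDE, R2, DOMAIN, frozenset({"SYN"})),
    # same probe with only ACK set: passes the stateless 'established' test
    "ack_only_probe_to_tcp53": Packet("tcp", OUTSIDE, R2, DOMAIN, frozenset({"ACK"})),
    # reply from the external server to a VLAN2 host's UDP query
    "udp_dns_reply_to_vlan2": Packet("udp", EXT_DNS, VLAN2_HOST, 40001),
    # reply to a VLAN2 host's TCP query: destination is the host's ephemeral
    # port, so neither port-53 entry sees it and permit ip any any carries it
    "tcp_dns_reply_to_vlan2": Packet("tcp", EXT_DNS, VLAN2_HOST, 40002,
                                     frozenset({"SYN", "ACK"})),
    # unrelated new TCP connection: not the DNS port, so not filtered here
    "new_tcp80_from_outside": Packet("tcp", OUTSIDE, R2, 80, frozenset({"SYN"})),
}


def decisions(acl: List[Entry] = ACL_199) -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate every sample packet against the ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, idx) in decisions().items():
        where = "implicit deny" if idx is None else f"entry {idx + 1}"
        print(f"{name:26s} -> {action:6s} ({where})")
```

The ack_only_probe_to_tcp53 case is the caveat to keep in mind: established only inspects flag bits, so an ACK-flagged segment to port 53 that belongs to no connection is permitted by the first entry. The ACL stops the outside from completing a handshake to TCP/53, which is what the task asks for, but it is not a stateful filter and does not restrict UDP/53 at all.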

Get CCIE Security Practice Labs now with the O’Reilly learning platform.
