A DoS Characterization Access List
Picture a router with two interfaces. Ethernet 0 is connected to an
internal LAN at a business or small ISP. Serial 0 provides an Internet
connection via an upstream ISP. The input packet rate on serial 0 is "pegged"
at the full link bandwidth, and hosts on the LAN run slowly, crash, hang, or
show other signs of a DoS attack. The small site at which the router connects
has no network analyzer, and the people there have little or no experience in
reading analyzer traces even if the traces are available.
Now, assume that you apply an access list as this output shows:
access-list 169 permit icmp any any echo
access-list 169 permit icmp any any echo-reply
access-list 169 permit udp any any eq echo
access-list 169 permit udp any eq echo any
access-list 169 permit tcp any any established
access-list 169 permit tcp any any
access-list 169 permit ip any any
interface serial 0
ip access-group 169 in
This list does not filter out any traffic at all; all the entries are
permits. However, because it categorizes packets in useful ways, the list can
be used to tentatively diagnose all three types of attacks: smurf, SYN floods,
and fraggle. Source: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml
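As an added example (not part of the Cisco note), the script below reads the per-entry match counters that such a classification ACL accumulates, as IOS displays them with `show access-lists 169`, and reports which of the three attack patterns dominates. The sample output and its counter values are constructed, and the 50% threshold and the bucket-to-attack mapping are assumptions made for illustration.

```python
import re

# Constructed "show access-lists 169" output: the counter values are invented
# to illustrate a smurf-like pattern (echo-reply dominates), not taken from the page.
SAMPLE_SHOW_OUTPUT = """\
Extended IP access list 169
    permit icmp any any echo (31 matches)
    permit icmp any any echo-reply (284310 matches)
    permit udp any any eq echo
    permit udp any eq echo any (2 matches)
    permit tcp any any established (1412 matches)
    permit tcp any any (97 matches)
    permit ip any any (356 matches)
"""

# One access-list entry (ACE) with an optional "(N matches)" suffix.
ACE_RE = re.compile(r"^\s*(permit|deny)\s+(.+?)(?:\s+\((\d+) matches?\))?\s*$")

def parse_acl_counters(show_output):
    """Map each ACE text (e.g. 'permit icmp any any echo') to its match count.
    IOS omits the '(N matches)' suffix for entries that never matched, so
    those entries are recorded with a count of 0."""
    counters = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            counters[f"{m.group(1)} {m.group(2)}"] = int(m.group(3) or 0)
    return counters

def attack_shares(counters):
    """Fraction of all counted packets that fell into each diagnostic bucket.
    ACLs are evaluated first-match, so 'permit tcp any any' only counts TCP
    segments that did NOT match 'established' (no ACK/RST set), i.e. mostly SYNs."""
    total = sum(counters.values()) or 1  # avoid division by zero on an idle list
    return {
        "smurf": counters.get("permit icmp any any echo-reply", 0) / total,
        "fraggle": (counters.get("permit udp any any eq echo", 0)
                    + counters.get("permit udp any eq echo any", 0)) / total,
        "syn_flood": counters.get("permit tcp any any", 0) / total,
    }

def diagnose(show_output, threshold=0.5):
    """Names of attack types whose bucket holds at least `threshold` of all
    packets seen on the interface (the threshold is an assumed tuning value)."""
    shares = attack_shares(parse_acl_counters(show_output))
    return sorted(name for name, share in shares.items() if share >= threshold)

if __name__ == "__main__":
    print(diagnose(SAMPLE_SHOW_OUTPUT))  # ['smurf']
```

Clearing the counters (`clear access-list counters`) between samples turns the absolute counts into a rate, which is what you want when comparing against the pegged input rate on serial 0.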