Cisco Support Community
Community Member

Preventing Denial-of-Service Attacks

I noticed that some port-scanning activity on our static NAT IPs caused our c3640 gateway router's CPU load to reach 100% recently. Network response time was also naturally affected.

I was wondering if there are any strategies or commands in the IOS firewall feature set which I could configure in order to prevent this.

I have looked at TCP intercept and CBAC, but these are designed to protect internal hosts/servers, and neither of these protects the router itself from attack.

Does anybody have any clues or pointers I could follow?

2 REPLIES
Gold

Re: Preventing Denial-of-Service Attacks

Hello Nene,

You might find the following NSA Router Security Configuration Guide helpful in protecting your router(s). You can download it from here:

http://nsa2.www.conxion.com/cisco/download.htm

Hope it helps.

Anonymous
N/A

Re: Preventing Denial-of-Service Attacks

Hi... just looked at the URL, and whilst it is helpful, I've implemented the majority of its recommendations already. The current problem I have is that I've implemented NAT with static port entries (PAT?), and the port-scanning activity is for ports which do not exist in my configuration. For example, I've mapped ports 25 and 53, but I am being scanned on ports 1 to 65535. TCP intercept would work for connection attempts on 25 and 53, but I am not sure how to reduce the router's overhead due to connection attempts to those ports which do not exist in my NAT

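The usual way to keep scans of unmapped ports off the router's CPU is to drop them in the fast path with an inbound access list on the outside interface: only the statically translated ports (25 and 53 in the thread) and the return traffic of sessions opened from inside are accepted, and everything else is discarded before NAT or process switching ever sees it, so the router generates no RSTs or ICMP unreachables for the scanned ports. The configuration below is an added example written for this thread, not a config from the original post or from Cisco's documentation; the global address 203.0.113.10, the inside hosts 10.0.0.5 and 10.0.0.6, the interface name Serial0/0 and the ACL/inspect names are assumptions.

```cisco
! Static PAT for the two published services (assumed addresses).
! 'extendable' is required when several entries share one global address.
ip nat inside source static tcp 10.0.0.5 25 203.0.113.10 25 extendable
ip nat inside source static udp 10.0.0.6 53 203.0.113.10 53 extendable
ip nat inside source static tcp 10.0.0.6 53 203.0.113.10 53 extendable
!
! CBAC: inspect sessions leaving through the outside interface so that
! their return traffic is let back in by temporary ACL entries.
! (ICMP is not inspected on older releases, hence the explicit permits below.)
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Inbound filter for the outside interface. The inbound ACL is evaluated
! before outside-to-inside NAT, so it matches on the global address.
! Anything not listed, including the scanned ports 1-65535 that have no
! NAT entry, is dropped in the fast path and never reaches process level.
ip access-list extended OUTSIDE-IN
 remark --- published services (must match the static NAT entries above)
 permit tcp any host 203.0.113.10 eq 25
 permit udp any host 203.0.113.10 eq 53
 permit tcp any host 203.0.113.10 eq 53
 remark --- ICMP needed for path MTU discovery and for replies to our own pings
 permit icmp any host 203.0.113.10 packet-too-big
 permit icmp any host 203.0.113.10 echo-reply
 remark --- everything else: silent drop. Deliberately no 'log' keyword:
 remark --- logging every hit is process-switched and would recreate the CPU load
 deny ip any any
!
interface Serial0/0
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND out
 no ip unreachables
 no ip redirects
 no ip proxy-arp
!
! Throttle ICMP unreachable generation for whatever still reaches the
! router itself: at most one per second (value in milliseconds).
ip icmp rate-limit unreachable 1000
```

After applying it, `show ip access-lists OUTSIDE-IN` shows the match counters climbing on the final `deny` entry while a scan is running, and `show processes cpu` should no longer show the IP Input process pinned at the top. If inside hosts also go out through dynamic PAT, keep the `ip inspect ... out` line; without CBAC (or an equivalent `permit tcp any host 203.0.113.10 established` entry) their return traffic would be dropped by the same ACL. Where the IOS release supports it, Control Plane Policing can additionally rate-limit the traffic that is legitimately addressed to the router itself, but the inbound ACL is what stops the scan from being process-switched in the first place.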