B: Defend using TCP intercept. (This places some load on the router.)
Router(Config)# ip tcp intercept list 107
Router(Config)# access-list 107 permit tcp any 192.168.0.0 0.0.0.255
Router(Config)# access-list 107 deny ip any any
Router(Config)# interface eth0
Router(Config-if)# ip access-group 107 in

3. Defending against the LAND.C attack.
Router(Config)# access-list 107 deny ip host 192.168.1.254 host 192.168.1.254
Router(Config)# access-list 107 permit ip any any
Router(Config)# interface eth 0/2
Router(Config-if)# ip address 192.168.1.254 255.255.255.0
Router(Config-if)# ip access-group 107 in

4. Defending against the Smurf attack.
Router(Config)# access-list 108 deny ip any host 192.168.1.255
Router(Config)# access-list 108 deny ip any host 192.168.1.0
Router(Config)# access-list 108 permit ip any any
Router(Config-if)# ip access-group 108 in

5. Secure configuration of ICMP. For inbound ICMP traffic, block ICMP ECHO, Redirect and Mask request, and also block TraceRoute probes. For outbound ICMP traffic, ECHO, Parameter Problem and Packet too big can be allowed, as can use of the TraceRoute command.
! Inbound ICMP Control
Router(Config)# access-list 110 deny icmp any any echo
Router(Config)# access-list 110 deny icmp any any redirect
Router(Config)# access-list 110 deny icmp any any mask-request
Router(Config)# access-list 110 permit icmp any any
! Outbound ICMP Control
Router(Config)# access-list 111 permit icmp any any echo
Router(Config)# access-list 111 permit icmp any any parameter-problem
Router(Config)# access-list 111 permit icmp any any packet-too-big
Router(Config)# access-list 111 permit icmp any any source-quench
Router(Config)# access-list 111 deny icmp any any
! Inbound TraceRoute Control
Router(Config)# access-list 112 deny udp any any range 33400 34400
! Outbound TraceRoute Control
Router(Config)# access-list 112 permit udp any any range 33400 34400
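
Added example, not part of the original article: a small Python model of IOS first-match ACL evaluation, run over ACLs 110 to 112 exactly as they are listed above. The helper names and packet dictionaries are this example's own; it shows that the second entry of ACL 112 can never match, and that non-ICMP traffic reaches the implicit deny at the end of ACLs 110 and 111 because they carry no closing permit entry.

```python
ICMP = {  # IOS keyword -> (ICMP type, code); code None means any code
    "echo": (8, None), "echo-reply": (0, None), "redirect": (5, None),
    "mask-request": (17, None), "parameter-problem": (12, None),
    "packet-too-big": (3, 4), "source-quench": (4, None),
}
# Entries copied from the page, prompt stripped; helper names are this example's own.
PAGE_ACLS = """
access-list 110 deny icmp any any echo
access-list 110 deny icmp any any redirect
access-list 110 deny icmp any any mask-request
access-list 110 permit icmp any any
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any parameter-problem
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any source-quench
access-list 111 deny icmp any any
access-list 112 deny udp any any range 33400 34400
access-list 112 permit udp any any range 33400 34400
"""

def parse(text):
    """Return {acl number: [(action, proto, options), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        f = line.split()  # f[4:6] is 'any any' in every entry here
        acls.setdefault(f[1], []).append((f[2], f[3], tuple(f[6:])))
    return acls

def hits(entry, pkt):
    _, proto, opt = entry
    if proto not in ("ip", pkt["proto"]):
        return False
    if opt and opt[0] == "range":  # destination port range
        return int(opt[1]) <= pkt["dport"] <= int(opt[2])
    if opt:  # ICMP message keyword
        icmp_type, code = ICMP[opt[0].lower()]
        return pkt["type"] == icmp_type and code in (None, pkt["code"])
    return True

def evaluate(acl, pkt):
    """First matching entry wins; no match means the implicit deny at the end."""
    return next((e[0] for e in acl if hits(e, pkt)), "deny")

def shadowed(acl):
    """Indexes of entries that repeat an earlier entry's match and are never reached."""
    return [i for i, e in enumerate(acl) if any(p[1:] == e[1:] for p in acl[:i])]
```

Before applying ACLs like these to an interface, check each one for a final entry that permits the traffic you still want, and keep opposing rules for the same match in separate lists.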

6. Defending against DDoS (Distributed Denial of Service).
! The TRINOO DDoS system
Router(Config)# access-list 113 deny tcp any any eq 27665
Router(Config)# access-list 113 deny udp any any eq 31335
Router(Config)# access-list 113 deny udp any any eq 27444
! The Stacheldraht DDoS system
Router(Config)# access-list 113 deny tcp any any eq 16660
Router(Config)# access-list 113 deny tcp any any eq 65000
! The TrinityV3 System
Router(Config)# access-list 113 deny tcp any any eq 33270
Router(Config)# access-list 113 deny tcp any any eq 39168
! The SubSeven DDoS system and some Variants
Router(Config)# access-list 113 deny tcp any any range 6711 6712
Router(Config)# access-list 113 deny tcp any any eq 6776
Router(Config)# access-list 113 deny tcp any any eq 6669
Router(Config)# access-list 113 deny tcp any any eq 2222
Router(Config)# access-list 113 deny tcp any any eq 7000
Router(Config)# access-list 113 permit ip any any
Router(Config-if)# ip access-group 113 in

7. Defending against the SQL worm
Router(Config)# access-list 114 deny udp any any eq 1434
Router(Config)# access-list 114 permit ip any any
Router(Config-if)# ip access-group 114 in