places some load on the router.
Router(Config)# ip tcp intercept list 107
Router(Config)# access-list 107 permit tcp any 192.168.0.0 0.0.0.255
Router(Config)# access-list 107 deny ip any any log
Router(Config)# interface eth0
Router(Config)# ip access-group 107 in

10. Defending against LAND.C attacks.
Router(Config)# access-list 107 deny ip host 192.168.1.254 host 192.168.1.254 log
Router(Config)# access-list 107 permit ip any any
Router(Config)# interface eth 0/2
Router(Config-if)# ip address 192.168.1.254 255.255.255.0
Router(Config-if)# ip access-group 107 in

11. Defending against Smurf attacks.
Router(Config)# access-list 108 deny ip any host 192.168.1.255 log
Router(Config)# access-list 108 deny ip any host 192.168.1.0 log

12. Secure configuration of ICMP. For inbound ICMP traffic, block ICMP Echo, Redirect and Mask Request, and also block TraceRoute probes. For outbound ICMP traffic, Echo, Parameter Problem and Packet Too Big can be allowed, along with use of the TraceRoute command.
! outbound ICMP Control
Router(Config)# access-list 110 deny icmp any any echo log
Router(Config)# access-list 110 deny icmp any any redirect log
Router(Config)# access-list 110 deny icmp any any mask-request log
Router(Config)# access-list 110 permit icmp any any
! Inbound ICMP Control
Router(Config)# access-list 111 permit icmp any any echo
Router(Config)# access-list 111 permit icmp any any parameter-problem
Router(Config)# access-list 111 permit icmp any any packet-too-big
Router(Config)# access-list 111 permit icmp any any source-quench
Router(Config)# access-list 111 deny icmp any any log
! Outbound TraceRoute Control
Router(Config)# access-list 112 deny udp any any range 33400 34400
! Inbound TraceRoute Control
Router(Config)# access-list 112 permit udp any any range 33400 34400

13. Defending against DDoS (Distributed Denial of Service).
! The TRINOO DDoS system
Router(Config)# access-list 113 deny tcp any any eq 27665 log
Router(Config)# access-list 113 deny udp any any eq 31335 log
Router(Config)# access-list 113 deny udp any any eq 27444 log
! The Stacheldraht DDoS system
Router(Config)# access-list 113 deny tcp any any eq 16660 log
Router(Config)# access-list 113 deny tcp any any eq 65000 log
! The TrinityV3 System
Router(Config)# access-list 113 deny tcp any any eq 33270 log
Router(Config)# access-list 113 deny tcp any any eq 39168 log
! The SubSeven DDoS system and some Variants
Router(Config)# access-list 113 deny tcp any any range 6711 6712 log
Router(Config)# access-list 113 deny tcp any any eq 6776 log
Router(Config)# access-list 113 deny tcp any any eq 6669 log
Router(Config)# access-list 113 deny tcp any any eq 2222 log
Router(Config)# access-list 113 deny tcp any any eq 7000 log

13. Enabling SSH and retiring Telnet is recommended. However, only IOS images that include the IPSec feature set support SSH, and IOS 12.0 through IOS 12.2 support SSH v1 only. An example SSH service configuration follows:
Router(Config)# config t
Router(Config)# no access-list 22
Router(Config)# ar
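
IOS evaluates a numbered ACL top-down, stops at the first matching entry, and ends every list with an implicit deny. The Python sketch below is an added example (not part of the original document and not a Cisco tool) that replays ACL 112 and the first entries of ACL 113, as listed above, against constructed packets; it models only the address and port syntax used on this page, not ICMP type keywords, and the function names are hypothetical.

```python
import ipaddress

# Constructed input: entries copied from the listings above, prompt removed.
ACL_112 = """\
access-list 112 deny udp any any range 33400 34400
access-list 112 permit udp any any range 33400 34400
"""
ACL_113 = """\
access-list 113 deny tcp any any eq 27665 log
access-list 113 deny udp any any eq 31335 log
access-list 113 deny udp any any eq 27444 log
"""

def _addr(tok):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.ip_address(tok[1])), 0), tok[2:]
    return (int(ipaddress.ip_address(tok[0])), int(ipaddress.ip_address(tok[1]))), tok[2:]

def parse(text):
    """Parse the extended-ACL subset used on this page into rule dicts."""
    rules = []
    for line in text.splitlines():
        tok = line.split()[2:]                  # drop 'access-list N'
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, tok = _addr(tok)
        dst, tok = _addr(tok)
        ports = (0, 65535)                      # no port qualifier: any port
        if tok[:1] == ["eq"]:
            ports = (int(tok[1]), int(tok[1]))
        elif tok[:1] == ["range"]:
            ports = (int(tok[1]), int(tok[2]))
        rules.append(dict(action=action, proto=proto, src=src, dst=dst, ports=ports))
    return rules

def _ip_ok(spec, ip):
    # Wildcard bits set to 1 are ignored when comparing addresses.
    return spec is None or (int(ipaddress.ip_address(ip)) | spec[1]) == (spec[0] | spec[1])

def evaluate(rules, proto, src, dst, dport):
    """First matching entry wins; falling off the end is the implicit deny."""
    for n, r in enumerate(rules, 1):
        if (r["proto"] in ("ip", proto) and _ip_ok(r["src"], src) and _ip_ok(r["dst"], dst)
                and r["ports"][0] <= dport <= r["ports"][1]):
            return r["action"], n
    return "deny", None
```

Run against ACL 112, a UDP probe to port 33434 is denied by entry 1, so the later permit for the same range is never reached; the two directions need separate ACL numbers to behave differently. Run against ACL 113, a packet to TCP port 80 matches no entry and falls to the implicit deny, so a list made only of deny entries needs a closing permit before it is applied to an interface.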