For Inbound Traffic (or packets coming from the Internet).
Use an access-list.
Example: I have a router with two (2) Ethernet interfaces. I want to protect the network on Fa0/1, which has the network address 142.2.6.0/24, while Fa0/0 is directly connected to the Internet.
Solution: Do not allow any inbound IP packet whose source address belongs to the protected network itself (142.2.6.0/24), the loopback range (127.0.0.0/8), the private RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), or the link-local (APIPA) range (169.254.0.0/16). None of these can legitimately arrive from the Internet side, so a packet carrying one of them as its source is spoofed.
Here's how:
access-list 100 remark Drop packets from the Internet that claim a source inside the protected network
access-list 100 deny ip 142.2.6.0 0.0.0.255 any log
access-list 100 remark Drop loopback, RFC 1918 private, and link-local source addresses
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 remark Allow everything else that is destined for the protected network; the implicit deny drops the rest
access-list 100 permit ip any 142.2.6.0 0.0.0.255
Then apply it to fa0/0 inbound:
Router(config)#int fa0/0
Router(config-if)#ip access-group 100 in
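As an added illustration (not part of the original post, and not Cisco code), here is a small Python model of how the router evaluates ACL 100 on fa0/0 inbound: IOS wildcard-mask matching, top-down first-match order, and the implicit deny at the end of every access list. The sample packet addresses are constructed.

```python
import ipaddress

# ACL 100 from the post, one tuple per entry:
# (action, source, source wildcard, destination, destination wildcard);
# "any" means that address field is unrestricted.
ACL_100 = [
    ("deny",   "142.2.6.0",   "0.0.0.255",     "any",       None),
    ("deny",   "127.0.0.0",   "0.255.255.255", "any",       None),
    ("deny",   "10.0.0.0",    "0.255.255.255", "any",       None),
    ("deny",   "172.16.0.0",  "0.15.255.255",  "any",       None),
    ("deny",   "192.168.0.0", "0.0.255.255",   "any",       None),
    ("deny",   "169.254.0.0", "0.0.255.255",   "any",       None),
    ("permit", "any",         None,            "142.2.6.0", "0.0.0.255"),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    if base == "any":
        return True
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr)) & care
    return a == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl, src, dst):
    """Top-down first-match evaluation. Returns (action, index of the matching
    entry); index None means nothing matched and the implicit deny applied."""
    for index, (action, sbase, swild, dbase, dwild) in enumerate(acl):
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action, index
    return "deny", None

if __name__ == "__main__":
    # Constructed sample packets arriving on fa0/0 from the Internet side.
    packets = [
        ("142.2.6.10",  "142.2.6.1"),     # spoofed: claims a source inside the LAN
        ("10.1.2.3",    "142.2.6.1"),     # spoofed: RFC 1918 source from the Internet
        ("172.31.9.9",  "142.2.6.1"),     # spoofed: top of the 172.16/12 range
        ("203.0.113.5", "142.2.6.20"),    # legitimate Internet host -> protected LAN
        ("203.0.113.5", "198.51.100.7"),  # not addressed to the LAN: implicit deny
    ]
    for src, dst in packets:
        action, index = evaluate(ACL_100, src, dst)
        where = f"entry {index}" if index is not None else "implicit deny"
        print(f"{src:>13} -> {dst:<14} {action:6} ({where})")
```

Note that the final `permit` only covers traffic addressed to 142.2.6.0/24, so anything the router would otherwise forward elsewhere is dropped by the implicit deny.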
