Cisco 3560 ACL and Syn Protect

We have added the following ACL to our Cisco 3560 router:


Extended IP access list 103
    10 permit tcp any host 77.223.156.156 eq www log (136803 matches)
    20 permit tcp any host 77.223.156.156 eq ftp log
    30 permit tcp any host 77.223.156.156 eq telnet log
    40 permit tcp any host 77.223.156.156 eq pop3 log
    50 permit tcp any host 77.223.156.156 eq smtp log
    60 permit tcp any host 77.223.156.156 eq 443 log
    70 permit tcp any host 77.223.156.156 eq 3389 log (2508 matches)
    80 permit tcp any host 77.223.156.156 eq domain log
    90 permit udp any host 77.223.156.156 eq domain log (68 matches)
    100 deny ip any host 77.223.156.156 log (5633 matches)
    110 permit ip any any (24 matches)


As you can see, there is a high match count on the www port, and if we check it closely,
it looks like a DDoS or a botnet. Should I protect the machine from the router against SYN?
You will see the same IP addresses multiple times.




Log Buffer (4096 bytes):
178.218.225.229(45309) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:05.610: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 210.243.157.250(49073) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:06.617: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.97.18.250(38050) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:07.624: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 110.138.215.6(47457) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:08.639: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.96.52.126(51286) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:09.645: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 110.138.215.6(46925) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:10.652: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.99.71.78(36473) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:11.667: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 178.218.225.229(45423) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:12.674: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 202.51.107.34(48246) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:13.722: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.99.71.78(36519) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:14.729: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 202.46.151.59(43061) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:15.735: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.96.52.126(51314) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:16.750: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.97.18.250(59450) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:17.757: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.96.231.97(33249) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:18.764: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.99.71.78(36565) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:19.770: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.97.18.250(44337) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:20.777: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 110.138.215.6(47386) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:21.800: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 202.46.151.59(43094) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:22.824: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 203.128.91.218(60787) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:23.830: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.96.148.93(58391) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:24.854: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 222.124.5.82(56125) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:25.877: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.97.18.250(60742) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:26.901: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.98.35.251(40721) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:27.907: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 46.42.4.138(59687) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:28.914: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 110.138.215.6(47587) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:29.929: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.96.46.7(42925) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:30.936: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.98.35.251(40633) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:31.942: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 91.102.162.246(39821) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:32.949: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 202.43.161.6(55527) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:33.955: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.98.35.251(40837) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:34.962: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.99.71.78(37003) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:35.977: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.98.35.251(41153) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:36.984: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 178.218.225.229(45826) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:37.999: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.99.71.78(37046) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:39.014: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 118.96.123.8(45272) -> 77.223.156.156(80), 1 packet


3XLcom Asked:
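
One way to check the "same IP addresses multiple times" observation against the log buffer, as an added example that is not part of the original thread: a Python tally of `%SEC-6-IPACCESSLOGP` entries per source address and per source prefix. The function name, the /16 default and the selection of lines in `SAMPLE` are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Entries copied from the log buffer in the question. The first one is the
# truncated entry at the top of the 4096-byte buffer and cannot be parsed.
P = "%SEC-6-IPACCESSLOGP: list 103 permitted tcp"
SAMPLE = f"""178.218.225.229(45309) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:05.610: {P} 210.243.157.250(49073) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:06.617: {P} 118.97.18.250(38050) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:07.624: {P} 110.138.215.6(47457) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:08.639: {P} 118.96.52.126(51286) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:09.645: {P} 110.138.215.6(46925) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:10.652: {P} 118.99.71.78(36473) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:11.667: {P} 178.218.225.229(45423) -> 77.223.156.156(80), 1 packet
*Mar 22 14:12:13.722: {P} 118.99.71.78(36519) -> 77.223.156.156(80), 1 packet
"""

LINE = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:.]+): %SEC-6-IPACCESSLOGP: list \S+ \w+ \w+ "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> [\d.]+\((?P<dport>\d+)\), "
    r"(?P<n>\d+) packet"
)

def summarize(text, dst_port=80, prefix=16):
    """Tally logged packets per source IP and per source prefix."""
    hits, nets, ports = Counter(), Counter(), defaultdict(set)
    stamps, skipped = [], 0
    for raw in text.splitlines():
        m = LINE.search(raw)
        if m is None:
            skipped += 1 if raw.strip() else 0  # truncated or foreign line
            continue
        if int(m["dport"]) != dst_port:
            continue
        src, n = m["src"], int(m["n"])
        hits[src] += n
        ports[src].add(m["sport"])  # distinct source ports = distinct connections
        nets[str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))] += n
        stamps.append(datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f"))
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    return {"per_source": dict(hits), "per_net": dict(nets),
            "repeats": sorted(s for s, c in hits.items() if c > 1),
            "ports": {s: len(p) for s, p in ports.items()},
            "span_s": span, "skipped": skipped}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Entry 10 of list 103 matches every TCP segment to port 80, not only SYNs, and the buffer holds about one entry per second, so these tallies are a sample of sources rather than proof of a SYN flood.
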
Soulja Commented:
Looks like it must be a router feature and not a layer 3 switch feature for Cisco. Another reason to add to the list of why L3 switches shouldn't be placed on the internet edge. Sorry man, but you need some type of firewalling. An ACL just isn't enough these days.

Soulja Commented:
Try:

conf t
ip tcp intercept list 103

see if that changes anything.

3XLcom (Author) Commented:
Cisco.xxxx.Com.xx(config)#ip tcp int?
% Unrecognized command


Intercept is not a valid command for 3560 routers :(

3XLcom (Author) Commented:
Thanks

Question has a verified solution.
