Showing results for 
Search instead for 
Did you mean: 

How to prevent an outbound TCP SYN flood attack on the edge router and a subsequent Denial of Service attack from within the network


Core issue

A Denial of Service (DOS) attack is an attack on a computer system or network that causes a loss of service to users or an overload of the computational resources of the victim system. Typically there is a loss of network connectivity and services because the bandwidth of the victim network is consumed. The attack is caused by one of the internal hosts of the network (a host within the customer network) that launches an outbound TCP SYN flood attack that causes the user's own Internet router to hit 100 percent CPU.

This attack affects the edge router with these possible consequences:

  • Router CPU usage can increase abnormally.

  • The router can hang or reboot, or it can display abnormal behavior, which causes the whole traffic to choke.


To prevent the DOS attack from the internal host, perform these steps:

  1. Run a sniffer trace to identify the IP address and MAC address of the internal attacker host. After discovery of these details, refer to IEEE Standards Association to determine the model and manufacturer of the host responsible for the attack.

  2. Issue the show mac-address-table command on the core switch to locate the port through which the host was connected.

  3. Issue the show cdp neighbors command to identify the IP details for the access switch connected to the core switch port.

  4. Issue the show mac-address-table command to identify the port on the access switch to which the host was connected. After the port to which the malicious host was connected is found, shutdown the port.

For more information, refer to General IOS Firewall Documentation. This document is related to the Cisco IOS  Firewall feature set, which can help to dynamically limit the impact of such an attack in the future.

Security Threats and Attacks

Denial of Service (DoS/DDoS)

Content for Community-Ad