Cisco routers are cool, but I have been running into a few issues with DDoS attacks of late, mainly DNS and NTP.
DNS DDoS
access-list 153 remark Block DOS DNS
! replace 202.62.147.50 with the DNS server you are using
access-list 153 permit ip host 202.62.147.50 any
access-list 153 deny tcp any any eq domain
access-list 153 deny udp any any eq domain
access-list 153 permit ip any any
Then apply it inbound on your dialer interface:
!
! Dialer0 is the dialer interface used here; substitute your own
interface Dialer0
 ip access-group 153 in
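To check what ACL 153 actually does before applying it, here is an added example (not from the post, and not IOS itself) that parses the extended ACL lines above and evaluates constructed sample flows the way IOS does: first match wins, implicit deny at the end. The LAN resolver address 192.168.1.1 and the sample source addresses are assumptions.

```python
import ipaddress

# ACL 153 exactly as given in the post (the remark line is skipped by the parser).
DNS_ACL = """
access-list 153 remark Block DOS DNS
access-list 153 permit ip host 202.62.147.50 any
access-list 153 deny tcp any any eq domain
access-list 153 deny udp any any eq domain
access-list 153 permit ip any any
"""
PORT_NAMES = {"domain": 53, "ntp": 123}  # IOS keywords accepted in 'eq' clauses

def parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks (contiguous wildcards only, as in the post)
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tok[i + 1]))
    return ipaddress.ip_network(f"{tok[i]}/{ipaddress.ip_address(netmask)}", strict=False), i + 2

def parse_acl(text):
    """Turn extended 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[2] == "remark":
            continue
        src, i = parse_addr(tok, 4)
        dst, i = parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        rules.append((tok[2], tok[3], src, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and rport in (None, dport):
            return action
    return "deny"

RULES = parse_acl(DNS_ACL)
if __name__ == "__main__":
    # Constructed sample flows as seen inbound on Dialer0 (192.168.1.1 is an assumed LAN resolver).
    print(evaluate(RULES, "udp", "198.51.100.7", "192.168.1.1", 53))      # deny: internet host querying us
    print(evaluate(RULES, "udp", "202.62.147.50", "192.168.1.1", 40001))  # permit: reply from our upstream resolver
    print(evaluate(RULES, "tcp", "198.51.100.7", "192.168.1.1", 443))     # permit: unrelated inbound traffic untouched
```

The replies you rely on arrive with a destination port that is not 53, so they pass the final permit; only inbound queries aimed at port 53 on your side are dropped, except from the resolver named in the host entry.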
NTP DDoS
! Core NTP configuration
! update hardware clock (certain hardware only, i.e. 6509s)
ntp update-calendar
! a time server you sync with
ntp server 192.0.2.1
! a time server you sync with and allow to sync to you
ntp peer 192.0.2.2
! we recommend using a loopback interface for sending NTP messages if possible
ntp source Loopback0
!
! NTP access control
! deny all NTP control queries
ntp access-group query-only 1
! deny all NTP time and control queries by default
ntp access-group serve 1
! permit time sync to configured peer(s)/server(s) only
ntp access-group peer 10
! permit NTP time sync requests from a select set of clients
ntp access-group serve-only 20
!
! access control lists (ACLs)
access-list 1 remark utility ACL to block everything
access-list 1 deny any
!
access-list 10 remark NTP peers/servers we sync to/with
access-list 10 permit 192.0.2.1
access-list 10 permit 192.0.2.2
access-list 10 deny any
!
access-list 20 remark Hosts/Networks we allow to get time from us
access-list 20 permit 192.0.2.0 0.0.0.255
access-list 20 deny any
Taken from http://www.team-cymru.org/secure-ntp-template.html