RE: Question about the ICMP attack

From: Evgeny Tantsura (ivgen@castel.nl)
Date: Mon Feb 24 2003 - 17:59:44 GMT-3

• Next message: Catcat2608@aol.com: "3550 and 2950 switch"
• Previous message: Joe Chang: "ATM: ABR and UBR CLP?"
• Maybe in reply to: Tony Kwok: "Question about the ICMP attack"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Rate Limiting for ICMP/Smurf
Configure the following access-lists:

access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply

interface <interface> <interface #>
  rate-limit input access-group 102 256000 8000 8000 conform-action
  transmit exceed-action drop

In order to enable CAR, CEF must be enabled on the box, and the interface
configured for CAR must be a CEF-switched interface.

The bandwidth values used above are for DS3 type bandwidths. Values should
be picked based on the interface bandwidth and the rate at which you want
to limit a traffic type. For smaller ingress interfaces, you may wish to
configure lower rates.

> You can slowdown ICMP flood by implementing CAR
on ingress interface
> And you should understand if the attacker flood you hi will use spoofed
> IP address. If the attacker host has more bandwidth then you can only
> ask your upstream provider to implement ICMP traffic reduction (CAR).
> The same protection scenario you can implement to UDP flood.
>
> Regards
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Tony Kwok
> Sent: Monday, February 24, 2003 7:14 AM
> To: ccielab@groupstudy.com
> Subject: Question about the ICMP attack
>
> Dear all,
>
> I have the following case. Pls suggest the solution.
>
> Supposing that one of my network interface is
> attacking by ICMP and I would like to pick those guys
> out by knowing their address. In addition, is there
> any method to identity which one is the most frequency
> attack to this interface?
>
> In my idea, I think the Netflow will be suitable
> solution. But I find netflow cannot show up the path
> for the ICMP and also it need to export the data out
> to other server. Pls correct me if I have any
> overlook. Thx.
>
> Regards,
> Tony
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Tax Center - forms, calculators, tips, more
> http://taxes.yahoo.com/
>

With kind regards/ met vriendelijke groeten,
------------------------------------------------
E. Tantsura
Network Developer
Essent Kabelcom N.V.
Dr.van Deenweg 84
8025BN Zwolle, The Netherlands
Tel: +31-(0)38-850-7642
Fax: +31-(0)38-850-7410
Mob: +31-(0)6-290-80458
------------------------------------------------

• Next message: Catcat2608@aol.com: "3550 and 2950 switch"
• Previous message: Joe Chang: "ATM: ABR and UBR CLP?"
• Maybe in reply to: Tony Kwok: "Question about the ICMP attack"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:34 GMT-3