From: Peng Zheng (zpnist@yahoo.com)
Date: Fri Sep 12 2003 - 13:39:08 GMT-3
Thanks all for the reply.
--- Jay Hennigan <jay@west.net> wrote:
> On Fri, 12 Sep 2003, Paul Borghese wrote:
>
> > It should be placed on the serial interface that connects your network to the
> > internet.
>
> I don't believe this to be the case. The "no ip directed-broadcast"
> command prevents traffic directed to the specific network broadcast
> address from being sent out an interface. As a smurf amplifier is
> used to generate a large number of ICMP replies to a spoofed source,
> the vulnerable interface would not be the serial interface of the router
> which has only one host, the router itself. A directed broadcast
> to an ethernet address with many machines on the same subnet would
> be a much more effective smurf amplifier. The original question was
> whether the "no ip directed-broadcast" command should be applied to
> all interfaces or just the ethernet interfaces. I would answer that
> it should be applied to all interfaces, but that the importance with
> regard to smurf attacks is greater on those interfaces with multiple
> hosts on the directly-connected networks, the ethernet interfaces.
>
> See RFC 919 and RFC 922 for more on IP specific network broadcasts.
> Of historical note, the broadcast address in early IP implementations
> was the all-zeros address with some vendors as opposed to the all-ones
> standard today.
>
> > I believe with 12.x or later, this is the default configuration
> > for serial interfaces.
>
> I think it's default for all interfaces at least since 12.0.
>
> > To: ccielab@groupstudy.com
> > Subject: Smurf Attack
> >
> > When asked to prevent Smurf Attack, should I disable
> > ip directed-broadcast on all interfaces or only
> > ethernet interfaces?
>
> --
> Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
> WestNet: Connecting you to the planet. 805 884-6323 WB6RDV
> NetLojix Communications, Inc. - http://www.netlojix.com/
>
>
>
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:27 GMT-3
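
An added example, not part of the thread: a Python check that reads an IOS configuration and reports, per interface, the directed-broadcast address, how many host addresses sit behind it, and whether directed broadcasts are forwarded, which puts numbers on the serial versus ethernet comparison made above. The sample configuration is constructed, and `audit` and `default_enabled` are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample configuration (documentation address ranges, not from the thread).
SAMPLE_CONFIG = """\
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 no ip directed-broadcast
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet0/1
 ip address 203.0.113.1 255.255.255.128
!
"""

def audit(config, default_enabled=False):
    """Return one record per addressed interface.
    default_enabled applies when neither form of the command is present:
    False is the 12.0-and-later default; pass True for an older image."""
    results, name, net, enabled = [], None, None, default_enabled

    def flush():
        if name and net:
            # Upper bound on hosts that could answer one echo to the broadcast address.
            hosts = max(net.num_addresses - 2, 0)
            results.append({"interface": name, "broadcast": str(net.broadcast_address),
                            "hosts": hosts, "directed_broadcast": enabled})

    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            flush()
            name, net, enabled = line.split(None, 1)[1], None, default_enabled
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif line.startswith("ip directed-broadcast"):  # may carry an access-list number
            enabled = True
        elif line == "no ip directed-broadcast":
            enabled = False
    flush()
    return results

if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print(row)
```

Secondary addresses are ignored here, so an interface with several subnets is reported for its primary address only.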