RE: Smurf attack question

From: Jongsoo.Kim@Intelsat.com
Date: Thu Mar 03 2005 - 14:39:31 GMT-3

• Next message: marvin greenlee: "RE: ISIS Full mesh adjiacency [bcc][faked-from][bayes]"
• Previous message: marvin greenlee: "RE: Smurf attack question [bcc][faked-from]"
• Maybe in reply to: Jongsoo.Kim@Intelsat.com: "Smurf attack question"
• Next in thread: Zack Damen: "RE: Smurf attack question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I understand that.

Attacker can send packets to many subnets with the same source address.
This source address is the final target not hosts on the subnets. ( I
believe these subnets are called smurf amplifier ?)
Because all the hosts replies will go to this source address, which is the
destination address on reply packet.
This will saturate any link on the path.

So my question is when the question say "router under smurf attack", does it
mean smurf amplifer or smurf's final target?

Maybe you can explain from here.

Thanks

Jongsoo

-----Original Message-----
From: Tony Schaffran [mailto:groupstudy@cconlinelabs.com]
Sent: Thursday, 03 March, 2005 12:31 PM
To: Kim, Jongsoo; ccielab@groupstudy.com
Subject: RE: Smurf attack question

If you understand exactly what a SMURF attack is and how it works, it is
pretty simple how to stop it.

There is no single destination. The ping is to the broadcast address. All
hosts in the subnet will reply.

Tony Schaffran
Network Analyst
CCIE #11071
CCNP, CCNA, CCDA,
NNCDS, NNCSS, CNE, MCSE
 
www.cconlinelabs.com
Your #1 choice for online Cisco rack rentals.
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jongsoo.Kim@Intelsat.com
Sent: Thursday, March 03, 2005 9:06 AM
To: ccielab@groupstudy.com
Subject: Smurf attack question

What will be the best method to protect smurf attack?
Let's say R6 has S0/0 and F0/0.
Smurf attack is coming from S0/0.

The confusion is R6 is smurf amplifier or smurf attack's destination ?
If R6 is onesmurf attack amplifier, then I am guessing "no ip
directed-broadcast" is needed in S0/0.
I have no clue if R6 is a smurf attack's destination. I image there will be
a lot of ICMP packet flood.

Please help me to explain this to me?

Regards
  
Jongsoo

############################################################

Building on 40 Years of Leadership - As a global communications leader with
40 years of experience, Intelsat helps service providers,
broadcasters, corporations and governments deliver information and
entertainment anywhere in the world, instantly, securely and reliably.

############################################################
This email message is for the sole use of the intended
recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply email and
destroy all copies of the original message. Any views
expressed in this message are those of the individual
sender, except where the sender specifically states them
to be the views of Intelsat, Ltd. and its subsidiaries.
############################################################

• Next message: marvin greenlee: "RE: ISIS Full mesh adjiacency [bcc][faked-from][bayes]"
• Previous message: marvin greenlee: "RE: Smurf attack question [bcc][faked-from]"
• Maybe in reply to: Jongsoo.Kim@Intelsat.com: "Smurf attack question"
• Next in thread: Zack Damen: "RE: Smurf attack question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:39 GMT-3