From: Jamie Caesar (jamie.caesar@gmail.com)
Date: Thu May 12 2005 - 11:22:05 GMT-3
I'd think "no ip directed-broadcast" would be more effective, since
the smurf attack abuses directed broadcast pings to flood the target
host.
I don't see "ip verify unicast reverse-path" helping in this situation because
1) If you are receiving directed broadcasts you aren't the target, but
being used to attack the victim. In this case the source address of
the directed broadcast ping is spoofed to be the victim which is a
valid Internet host.
2) If you are the victim of this attack, the attack is being "proxied"
off other valid Internet networks, in which case, the traffic will
also be coming in the correct interface.
RPF will only prevent traffic being sourced from IPs that should be
inside your network from trying to enter from the outside.
I would also be very careful when implementing this feature on your
border routers. Whenever you get into having multiple paths to
the same destination (i.e. 2 routers each with an Internet
connection), there is the possibility of asymmetric routing. If your
routing table shows that traffic should leave through Router B, and the
packet arrives via Router A, the traffic will be dropped by RPF.
On 5/12/05, Keane, James <James.Keane@agriculture.gov.ie> wrote:
> Did you get a positive resolution on this?
>
> Which is better to use in the prevention of the smurf attack?
>
> ip verify unicast reverse-path
>
> or
>
> no ip directed-broadcasts
>
> or both ?
>
> -----Original Message-----
> From: mani poopal [mailto:mani_ccie@yahoo.com]
> Sent: 10 May 2005 12:01
> To: Tony Schaffran; 'Security Candidate'; ccielab@groupstudy.com
> Subject: RE: smurf attack
>
> Hi Tony,
>
> I got it, thanks
>
> Mani
>
> Tony Schaffran <groupstudy@cconlinelabs.com> wrote:
> The other way to stop the smurf attack from passing through your router if
> the address is not in the routing table is to use no ip directed-broadcasts.
>
> Tony Schaffran
> Network Analyst
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> www.cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tony
> Schaffran
> Sent: Monday, May 09, 2005 8:59 PM
> To: 'Security Candidate'; 'mani poopal'; ccielab@groupstudy.com
> Subject: RE: smurf attack
>
> I guess we would need more information here.
>
> I assumed that the 150.15.0.0/16 address would be on the Ethernet (LAN)
> interface and therefore would be in the routing table. RPF would then stop
> any packet sourcing from the 150.15.0.0/16 address from entering the Serial
> interface, would it not?
>
> Tony Schaffran
> Network Analyst
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> www.cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Security Candidate
> Sent: Monday, May 09, 2005 8:40 PM
> To: mani poopal; Tony Schaffran; ccielab@groupstudy.com
> Subject: RE: smurf attack
>
> Small correction here: RPF does not stop packets whose source is not in the
> routing table.
>
> What it does is verify that the source is in the routing table via the
> same interface it should come from, so let's say you have a default route to
> Serial 0; it means any packet with an unknown source should be received from
> Serial 0, not any other interface.
>
> Hope this helps
>
> yahoo.com> wrote:
> Hi Tony,
>
> I think the "ip verify unicast reverse-path" command stops packets from
> source IP addresses not in the routing table, i.e. without a verifiable
> source address. But this major network is in the routing table of the
> router, so how does this command stop the smurf attack?
>
> thanks
>
> Mani
>
> Tony Schaffran wrote:
> Here is the best way to stop a smurf attack.
>
> ip verify unicast reverse-path
>
> The access list was used to filter spoofed IP packets before this command
> was introduced.
>
> Tony Schaffran
> Network Analyst
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> www.cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tony
> Schaffran
> Sent: Monday, May 09, 2005 6:52 PM
> To: 'Tony Schaffran'; 'mani poopal'; ccielab@groupstudy.com
> Subject: RE: smurf attack
>
> Disregard my last.
>
> I was thinking of another attack.
>
> Tony Schaffran
> Network Analyst
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> www.cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tony
> Schaffran
> Sent: Monday, May 09, 2005 6:48 PM
> To: 'mani poopal'; ccielab@groupstudy.com
> Subject: RE: smurf attack
>
> You need to understand what a SMURF attack is before you can know how to
> stop it.
>
> Google it.
>
> Tony Schaffran
> Network Analyst
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> www.cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of mani
> poopal
> Sent: Monday, May 09, 2005 6:27 PM
> To: ccielab@groupstudy.com
> Subject: smurf attack
>
> Hi Group,
>
> If your network (150.15.0.0/16) is subjected to a smurf attack, how do you
> prevent it? Is it an attack by an intruder stealing your own IP address? Is the
> following config enough to stop the smurf attack?
>
> access-list 101 deny ip 150.15.0.0 0.0.255.255 any
> access-list 101 permit ip any any
>
> int s 0
> ip access-group 101 in
>
> thanks
>
> Mani
>
> B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> (416)431 9929
> MANI_CCIE@YAHOO.COM
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> (416)431 9929
> MANI_CCIE@YAHOO.COM
>
>
>
> B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> (416)431 9929
> MANI_CCIE@YAHOO.COM
>
> **********************************************************************
> *********** Department of Agriculture and Food ***************
>
> The information contained in this email and in any
> attachments is confidential and is designated solely
> for the attention and use of the intended recipient(s).
> This information may be subject to legal and professional
> privilege. If you are not an intended recipient of
> this email, you must not use, disclose, copy,
> distribute or retain this message or any part of it.
> If you have received this email in error, please
> notify the sender immediately and delete all copies of
> this email from your computer system(s).
> **********************************************************************
>
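The thread above argues about which of three controls (Mani's ingress access-list, strict "ip verify unicast reverse-path", and "no ip directed-broadcast") actually covers a smurf attack. The Python model below is an added example written for this archive page; it is not code from any of the posters and not IOS. It assumes a constructed forwarding table (the 150.15.0.0/16 LAN on Ethernet0, a default route toward the Internet via Serial0, and a second uplink Serial1 that the table does not prefer) and constructed packets for the four situations the posters describe: a spoofed inside source, the router acting as the amplifier for a remote victim, the router's network being the victim, and legitimate traffic arriving on the non-preferred uplink. Each control is evaluated on its own so the coverage gaps Jamie describes are visible.

```python
import ipaddress
from dataclasses import dataclass

# Constructed forwarding table for a border router (an assumption for this model,
# not a configuration taken from the thread): the 150.15.0.0/16 LAN on Ethernet0
# and a default route toward the Internet via Serial0. Serial1 is a second uplink
# with no route of its own, which is the asymmetric-routing case Jamie warns about.
ROUTES = {
    ipaddress.ip_network("150.15.0.0/16"): "Ethernet0",
    ipaddress.ip_network("0.0.0.0/0"): "Serial0",
}
CONNECTED = [ipaddress.ip_network("150.15.0.0/16")]  # subnets with a directed-broadcast address
INSIDE = ipaddress.ip_network("150.15.0.0/16")        # the range Mani's ACL denies as a source


@dataclass
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    ingress: str  # interface the packet arrived on


def lookup(ip: str):
    """Longest-prefix match: the interface the FIB would use to reach `ip`."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iface in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict_ok(pkt: Packet) -> bool:
    """ip verify unicast reverse-path (strict): the route back to the source
    must point out of the interface the packet arrived on."""
    return lookup(pkt.src) == pkt.ingress


def acl_101_permits(pkt: Packet) -> bool:
    """access-list 101: deny ip 150.15.0.0 0.0.255.255 any / permit ip any any."""
    return ipaddress.ip_address(pkt.src) not in INSIDE


def is_directed_broadcast(pkt: Packet) -> bool:
    """True when the destination is the broadcast address of a connected subnet,
    i.e. the packet that 'no ip directed-broadcast' refuses to turn into a LAN broadcast."""
    return any(ipaddress.ip_address(pkt.dst) == net.broadcast_address for net in CONNECTED)


def evaluate(pkt: Packet, *, acl=True, urpf=True, no_directed_broadcast=True) -> str:
    """Return 'forward' or 'drop:<control>' for one packet under the selected controls.
    The ACL is applied inbound on Serial0 only, as in Mani's configuration."""
    if acl and pkt.ingress == "Serial0" and not acl_101_permits(pkt):
        return "drop:acl-101"
    if urpf and not urpf_strict_ok(pkt):
        return "drop:urpf"
    if no_directed_broadcast and is_directed_broadcast(pkt):
        return "drop:no-ip-directed-broadcast"
    return "forward"


def evaluate_each(pkt: Packet) -> dict:
    """Verdict of each control on its own, so their coverage can be compared."""
    return {
        "acl-101": evaluate(pkt, urpf=False, no_directed_broadcast=False),
        "urpf": evaluate(pkt, acl=False, no_directed_broadcast=False),
        "no-ip-directed-broadcast": evaluate(pkt, acl=False, urpf=False),
    }


def run_scenarios() -> dict:
    """Constructed packets for the four situations discussed in the thread."""
    scenarios = {
        # attacker spoofs an inside address on the Internet link (what the ACL was written for)
        "spoofed_inside_source": Packet("150.15.1.1", "150.15.255.255", "Serial0"),
        # Jamie's point 1: we are the amplifier; the source is the remote victim, a valid host
        "reflector_for_remote_victim": Packet("203.0.113.10", "150.15.255.255", "Serial0"),
        # Jamie's point 2: we are the victim; echo replies come from real remote networks
        "victim_of_reflected_replies": Packet("198.51.100.7", "150.15.0.5", "Serial0"),
        # Jamie's caveat: legitimate traffic arriving on the uplink the FIB does not prefer
        "asymmetric_legit_traffic": Packet("192.0.2.9", "150.15.0.5", "Serial1"),
    }
    return {name: evaluate_each(pkt) for name, pkt in scenarios.items()}


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:30s} {verdicts}")
```

Running it prints one verdict line per scenario. The spoofed-inside-source packet is caught by all three controls; the amplifier case (valid remote source, our broadcast address as destination) passes both the ACL and strict uRPF and is stopped only by the directed-broadcast control; the victim case passes everything, because nothing about the replies is spoofed from this router's point of view; and the packet on the non-preferred uplink is dropped by strict uRPF alone, which is the asymmetric-routing false positive.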
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:57 GMT-3