Re: smurf attack

From: Jongsoo kim (bstrt2002@gmail.com)
Date: Fri May 13 2005 - 23:14:30 GMT-3


All,
  This is an interesting topic, and this is my understanding, specifically about
the smurf attack.
  There are two types of victims in a smurf attack:
1) the smurf amplifier and 2) the spoofed source target.
For example, a ping packet (spoofed source = 10.1.1.1, destination = 20.1.1.255)
goes out.
In this case, 20.1.1.0/24 is the smurf amplifier and 10.1.1.1 is the spoofed
source target.
Usually, there are multiple amplifiers for the same target.
  If the ping (echo) stream is 100kbps, then the ping reply (echo-reply) stream to
the target will be amplified to 254 x 100Kbps = 25Mbps if there is enough BW.
If there are 40 class C (/24) amplifiers, then the echo-reply stream can be as
much as 40 x 25 Mbps = 1Gbps.
Usually, what will happen is that this traffic stream will saturate any link on
the way to the target. And if your network, with only one T1 or E1, is a smurf
amplifier hit with a 10kbps ping stream, then the T1 link will be totally
saturated (10 x 254 = 2.5Mbps).
  A simple script auto-searching for smurf amplifiers can make this a
devastating attack on the target.
In my company, which provides international IP connections over satellite to
many countries, I've seen this type of attack among customers (countries),
the so-called "cyber-war".
  Anyway, going back to the CCIE lab:
I think if a CCIE lab question asks specifically about the smurf attack, it is
important to determine whether your network needs prevention from being a smurf
amplifier or from being a spoofed target.
1) If it is about the smurf amplifier, then you will need to make sure the
interface is configured with "no ip directed-broadcasts", and I would also block
ICMP echo if there is no other restriction.
2) If it is about the smurf target, then you will need to block ICMP echo-reply.
If there is a condition saying ICMP initiated from your network to the outside
needs to work, then perhaps you can use a reflexive ACL, which will allow the
ICMP initiated by the reflected side.
3) If the question does not specify, then both should be considered. So
you need to block incoming ICMP echo and echo-reply, and the interface needs to
be configured with "no ip directed-broadcasts". If there is a condition
saying ICMP initiated in your network needs to work from the outside, then
perhaps you can use a reflexive ACL, which will allow the ICMP initiated by the
reflected side.
  Just my thought, but any other comment is welcome.
    Jongsoo

 On 5/12/05, Oliver Grenham <ogrenham@optusnet.com.au> wrote:
>
> I believe if you get this question on the exam then the destination of the
> attack may have its ethernet interface configured with #ip
> directed-broadcast. Remember that this is not the default, so that may
> indicate that #no ip directed-broadcast may be the solution.
>
> Just my thoughts!
>
> Ollie.
> ----- Original Message -----
> From: "Keane, James" <James.Keane@agriculture.gov.ie>
> To: "mani poopal" <mani_ccie@yahoo.com>; "Tony Schaffran"
> <groupstudy@cconlinelabs.com>; "Security Candidate" <doubleccie@yahoo.com>;
> <ccielab@groupstudy.com>
> Sent: Thursday, May 12, 2005 4:21 PM
> Subject: RE: smurf attack
>
> > Did you get a positive resolution on this ?
> >
> > Which is better to use in the prevention of the smurf attack ?
> >
> > ip verify unicast reverse-path
> >
> > or
> >
> > no ip directed-broadcasts
> >
> > or both ?
> >
> > -----Original Message-----
> > From: mani poopal [mailto:mani_ccie@yahoo.com]
> > Sent: 10 May 2005 12:01
> > To: Tony Schaffran; 'Security Candidate'; ccielab@groupstudy.com
> > Subject: RE: smurf attack
> >
> >
> > Hi Tony,
> >
> > I got it, thanks
> >
> > Mani
> >
> > Tony Schaffran <groupstudy@cconlinelabs.com> wrote:
> > The other way to stop the smurf attack from passing through your router if
> > the address is not in the routing table is to use no ip directed-broadcasts.
> >
> > Tony Schaffran
> > Network Analyst
> > CCIE #11071
> > CCNP, CCNA, CCDA,
> > NNCDS, NNCSS, CNE, MCSE
> >
> > www.cconlinelabs.com
> > Your #1 choice for online Cisco rack rentals.
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tony
> > Schaffran
> > Sent: Monday, May 09, 2005 8:59 PM
> > To: 'Security Candidate'; 'mani poopal'; ccielab@groupstudy.com
> > Subject: RE: smurf attack
> >
> >
> > I guess we would need more information here.
> >
> > I assumed that the 150.15.0.0/16 address would be on the Ethernet (LAN)
> > interface and therefore would be in the routing table. RPF would then stop
> > any packet sourcing from the 150.15.0.0/16 address from entering the Serial
> > interface, would it not?
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Security Candidate
> > Sent: Monday, May 09, 2005 8:40 PM
> > To: mani poopal; Tony Schaffran; ccielab@groupstudy.com
> > Subject: RE: smurf attack
> >
> >
> > Small correction here: the RPF does not stop packets of a source not in the
> > routing table.
> >
> > What it does is verify that the source is in the routing table from the
> > same interface it should come from. So let's say you have a default route to
> > serial 0; it means any packet with an unknown source should be received from
> > serial 0, not any other interface.
> >
> > Hope this helps.
> >
> >
> > mani poopal <mani_ccie@yahoo.com> wrote:
> > Hi Tony,
> >
> > I think the "ip verify unicast reverse-path" command stops packets from
> > sources with IP addresses not in the routing table, i.e. without a verifiable
> > source address. But this major network is in the routing table of the
> > router, so how does this command stop the smurf attack?
> >
> > thanks
> >
> > Mani
> >
> > Tony Schaffran wrote:
> > Here is the best way to stop a smurf attack.
> >
> > ip verify unicast reverse-path
> >
> > The access list was used to filter spoofed IP packets before this
> command
> > was introduced.
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tony
> > Schaffran
> > Sent: Monday, May 09, 2005 6:52 PM
> > To: 'Tony Schaffran'; 'mani poopal'; ccielab@groupstudy.com
> > Subject: RE: smurf attack
> >
> >
> > Disregard my last.
> >
> > I was thinking of another attack.
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tony
> > Schaffran
> > Sent: Monday, May 09, 2005 6:48 PM
> > To: 'mani poopal'; ccielab@groupstudy.com
> > Subject: RE: smurf attack
> >
> >
> > You need to understand what a SMURF attack is before you can know how to
> > stop it.
> >
> > Google it.
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of mani
> > poopal
> > Sent: Monday, May 09, 2005 6:27 PM
> > To: ccielab@groupstudy.com
> > Subject: smurf attack
> >
> >
> > Hi Group,
> >
> > If your network (150.15.0.0/16) is subjected to a smurf attack, how do you
> > prevent it? Is it an attack by an intruder stealing your own IP address? Is the
> > following config enough to stop the smurf attack?
> >
> > access-list 101 deny ip 150.15.0.0 0.0.255.255 any
> > access-list 101 permit ip any any
> >
> > int s 0
> > ip access-group 101 in
> >
> > thanks
> >
> > Mani
> >
> >
> > B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> > (416)431 9929
> > MANI_CCIE@YAHOO.COM
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
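As an added illustration that is not from any poster in this thread: a constructed Python model of the two IOS behaviours the thread argues about, strict uRPF on the Serial interface (as Security Candidate describes it, with the default route pointing at serial 0) and directed-broadcast handling on the 150.15.0.0/16 LAN (Jongsoo's amplifier case). The toy router, its routing table and the packet cases are assumptions built from the addresses used in the thread, not IOS internals.

```python
import ipaddress

# Toy IOS-style router, constructed for this example. It models two controls
# from the thread with simplified semantics (assumptions, not IOS internals):
#   strict uRPF ("ip verify unicast reverse-path"): a packet passes only if the
#     route back to its source points at the interface it arrived on, so a
#     default route to Serial0 lets any unknown source in on Serial0;
#   "no ip directed-broadcast": a packet addressed to the subnet broadcast of
#     a connected LAN is dropped instead of being flooded to every host.
ROUTES = [
    (ipaddress.ip_network("150.15.0.0/16"), "Ethernet0"),  # connected LAN
    (ipaddress.ip_network("0.0.0.0/0"), "Serial0"),        # default route
]
CONNECTED = {"Ethernet0": ipaddress.ip_network("150.15.0.0/16")}

def egress_interface(addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict_ok(src, in_iface):
    """Strict uRPF check: the route back to src must point at in_iface."""
    return egress_interface(ipaddress.ip_address(src)) == in_iface

def connected_broadcast(dst):
    """Return the connected LAN whose subnet broadcast address dst is, else None."""
    d = ipaddress.ip_address(dst)
    for net in CONNECTED.values():
        if d == net.broadcast_address:
            return net
    return None

def forward(src, dst, in_iface, urpf=True, directed_broadcast=False):
    """Decision for one packet arriving on in_iface with the given controls."""
    if urpf and not urpf_strict_ok(src, in_iface):
        return "drop: uRPF, source %s is not reachable via %s" % (src, in_iface)
    lan = connected_broadcast(dst)
    if lan is None:
        return "forward: unicast via %s" % egress_interface(ipaddress.ip_address(dst))
    if not directed_broadcast:
        return "drop: directed broadcast to %s disabled" % lan
    # Smurf amplifier case: every host on the LAN answers the echo, and each
    # echo-reply goes to the (spoofed) source, the real target of the attack.
    return "forward: flooded to %d hosts in %s, echo-replies go to %s" % (
        lan.num_addresses - 2, lan, src)
```

Calling `forward("10.1.1.1", "150.15.255.255", "Serial0")` shows why uRPF alone does not make the LAN safe as an amplifier: the unknown source passes the default-route check, and only the directed-broadcast setting decides whether the echo is flooded.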



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:58 GMT-3