Re: smurf attack

From: Steve Ohnmacht (ohnmacht@gmail.com)
Date: Sat May 14 2005 - 12:44:25 GMT-3


Just tacking this on to Jongsoo's thread, being that this is relevant IMO...

This particular doc was pointed out to me with regards to this very
topic: http://www.cisco.com/warp/public/707/22.html. Believe it or not
I have this acl memorized to track/characterize these types of
attacks. This is IMO a very good link which explains what Jongsoo is
talking about... Anyways y'all have a good weekend...

On 5/13/05, Jongsoo kim <bstrt2002@gmail.com> wrote:
> All
> This is an interesting topic and this is my understanding specifically about
> the smurf attack.
> There are two types of victims in a smurf attack:
> 1) smurf amplifier and 2) spoofed source target.
> For example, a ping packet (spoofed source = 10.1.1.1, and destination =
> 20.1.1.255) goes out.
> In this case, 20.1.1.0/24 is the smurf amplifier and 10.1.1.1 is the spoofed
> source target.
> Usually, there are multiple amplifiers for the same target.
> If the ping (echo) stream is 100kbps, then the ping reply (echo-reply) stream to
> the target will be amplified to 254 x 100Kbps = 25Mbps if there is enough BW.
> If there are 40 x class C (/24) amplifiers, then the echo-reply stream can be as
> much as 40 x 25 Mbps = 1Gbps.
> Usually, what will happen is this traffic stream will saturate any link on
> the way to the target. And if your network has only one T1 or E1 and is a smurf
> amplifier with a 10kbps ping stream, then the T1 link will be totally saturated
> (10 x 254 = 2.5Mbps).
> A simple script that auto-searches for smurf amplifiers can make this a
> devastating attack on the target.
> In my company, which provides international IP connections over satellite to
> many countries, I've seen this type of attack among customers (countries),
> so called "cyber-war".
> Anyway, going back to the CCIE lab,
> I think if a CCIE lab question asks specifically about a smurf attack, it is
> important to determine if your network needs prevention from being a smurf
> amplifier or from being a spoofed target.
> 1) If it is about the smurf amplifier, then you will need to make sure the
> interface is configured with "no ip directed-broadcasts" and I will also block
> icmp echo if there is no other restriction.
> 2) If it is about the smurf target, then you will need to block ICMP echo-reply.
> If there is a condition saying icmp initiated from your network to the outside
> needs to work, then perhaps you can use a reflexive ACL, which will allow the
> ICMP initiated by the reflected side.
> 3) If the question does not specify, then both should be considered. So
> you need to block incoming icmp echo and echo-reply and the interface needs to
> be configured with "no ip directed-broadcasts". If there is a condition
> saying icmp initiated in your network needs to work from outside, then
> perhaps you can use a reflexive ACL, which will allow the ICMP initiated by
> the reflected side.
> Just my thought but any other comment welcomed
> Jongsoo
>
> On 5/12/05, Oliver Grenham <ogrenham@optusnet.com.au> wrote:
> >
> > I believe if you get this question on the exam then the destination of the
> > attack may have its ethernet interface configured with #ip
> > directed-broadcast. Remember that this is not the default so that may
> > indicate that #no ip directed-broadcast may be the solution.
> >
> > Just my thoughts!
> >
> > Ollie.
> > ----- Original Message -----
> > From: "Keane, James" <James.Keane@agriculture.gov.ie>
> > To: "mani poopal" <mani_ccie@yahoo.com>; "Tony Schaffran"
> > <groupstudy@cconlinelabs.com>; "Security Candidate" <doubleccie@yahoo.com>;
> > <ccielab@groupstudy.com>
> > Sent: Thursday, May 12, 2005 4:21 PM
> > Subject: RE: smurf attack
> >
> > > Did you get a positive resolution on this ?
> > >
> > > Which is better to use in the prevention of the smurf attack ?
> > >
> > > ip verify unicast reverse-path
> > >
> > > or
> > >
> > > no ip directed-broadcasts
> > >
> > > or both ?
> > >
> > > -----Original Message-----
> > > From: mani poopal [mailto:mani_ccie@yahoo.com]
> > > Sent: 10 May 2005 12:01
> > > To: Tony Schaffran; 'Security Candidate'; ccielab@groupstudy.com
> > > Subject: RE: smurf attack
> > >
> > >
> > > Hi Tony,
> > >
> > > I got it, thanks
> > >
> > > Mani
> > >
> > > Tony Schaffran <groupstudy@cconlinelabs.com> wrote:
> > > The other way to stop the smurf attack from passing through your router if
> > > the address is not in the routing table is to use no ip directed-broadcasts.
> > >
> > > Tony Schaffran
> > > Network Analyst
> > > CCIE #11071
> > > CCNP, CCNA, CCDA,
> > > NNCDS, NNCSS, CNE, MCSE
> > >
> > > www.cconlinelabs.com <http://www.cconlinelabs.com>
> > > Your #1 choice for online Cisco rack rentals.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Tony Schaffran
> > > Sent: Monday, May 09, 2005 8:59 PM
> > > To: 'Security Candidate'; 'mani poopal'; ccielab@groupstudy.com
> > > Subject: RE: smurf attack
> > >
> > >
> > > I guess we would need more information here.
> > >
> > > I assumed that the 150.15.0.0/16 address would be on the Ethernet (LAN)
> > > interface and therefore would be in the routing table. RPF would then stop
> > > any packet sourcing from the 150.15.0.0/16 address from entering the Serial
> > > interface, would it not?
> > >
> > >
> > > Tony Schaffran
> > > Network Analyst
> > > CCIE #11071
> > > CCNP, CCNA, CCDA,
> > > NNCDS, NNCSS, CNE, MCSE
> > >
> > > www.cconlinelabs.com <http://www.cconlinelabs.com>
> > > Your #1 choice for online Cisco rack rentals.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Security Candidate
> > > Sent: Monday, May 09, 2005 8:40 PM
> > > To: mani poopal; Tony Schaffran; ccielab@groupstudy.com
> > > Subject: RE: smurf attack
> > >
> > >
> > > Small correction here: the RPF does not stop packets of a source not in
> > > the routing table.
> > >
> > > What it does is verify that the source is in the routing table from the
> > > same interface it should come from, so let's say you have a default route
> > > to serial 0; it means any packet with an unknown source should be received
> > > from serial 0, not any other interface.
> > >
> > > Hope this helps
> > >
> > >
> > > mani poopal <mani_ccie@yahoo.com> wrote:
> > > Hi Tony,
> > >
> > > I think the "ip verify unicast reverse-path" command stops packets from
> > > sources of ip addresses not in the routing table, i.e. without a verifiable
> > > source address. But this major network is in the routing table of the
> > > router, so how does this command stop the smurf attack?
> > >
> > > thanks
> > >
> > > Mani
> > >
> > > Tony Schaffran wrote:
> > > Here is the best way to stop a smurf attack.
> > >
> > > ip verify unicast reverse-path
> > >
> > > The access list was used to filter spoofed IP packets before this command
> > > was introduced.
> > >
> > > Tony Schaffran
> > > Network Analyst
> > > CCIE #11071
> > > CCNP, CCNA, CCDA,
> > > NNCDS, NNCSS, CNE, MCSE
> > >
> > > www.cconlinelabs.com <http://www.cconlinelabs.com>
> > > Your #1 choice for online Cisco rack rentals.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Tony Schaffran
> > > Sent: Monday, May 09, 2005 6:52 PM
> > > To: 'Tony Schaffran'; 'mani poopal'; ccielab@groupstudy.com
> > > Subject: RE: smurf attack
> > >
> > >
> > > Disregard my last.
> > >
> > > I was thinking of another attack.
> > >
> > > Tony Schaffran
> > > Network Analyst
> > > CCIE #11071
> > > CCNP, CCNA, CCDA,
> > > NNCDS, NNCSS, CNE, MCSE
> > >
> > > www.cconlinelabs.com <http://www.cconlinelabs.com>
> > > Your #1 choice for online Cisco rack rentals.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Tony Schaffran
> > > Sent: Monday, May 09, 2005 6:48 PM
> > > To: 'mani poopal'; ccielab@groupstudy.com
> > > Subject: RE: smurf attack
> > >
> > >
> > > You need to understand what a SMURF attack is before you can know how to
> > > stop it.
> > >
> > > Google it.
> > >
> > >
> > > Tony Schaffran
> > > Network Analyst
> > > CCIE #11071
> > > CCNP, CCNA, CCDA,
> > > NNCDS, NNCSS, CNE, MCSE
> > >
> > > www.cconlinelabs.com <http://www.cconlinelabs.com>
> > > Your #1 choice for online Cisco rack rentals.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > mani poopal
> > > Sent: Monday, May 09, 2005 6:27 PM
> > > To: ccielab@groupstudy.com
> > > Subject: smurf attack
> > >
> > >
> > > Hi Group,
> > >
> > > If your network (150.15.0.0/16) is subjected to a smurf attack, how do you
> > > prevent it? Is it an attack by an intruder stealing your own ip address? Is
> > > the following config enough to stop the smurf attack?
> > >
> > > access-list 101 deny ip 150.15.0.0 0.0.255.255 any
> > > access-list 101 permit ip any any
> > >
> > > int s 0
> > > ip access-group 101 in
> > >
> > > thanks
> > >
> > > Mani
> > >
> > >
> > > B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> > > (416)431 9929
> > > MANI_CCIE@YAHOO.COM
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>

-- 
-so
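Taking the setup argued over in the thread (150.15.0.0/16 on the Ethernet side, a default route out Serial0, Mani's access-list 101 inbound on Serial0), here is an added worked example in Python, written for this archive and not code from any of the posters or from Cisco, that models the three checks discussed: strict uRPF, the anti-spoofing ACL, and the directed-broadcast test behind `no ip directed-broadcast`. The routing table is a constructed assumption, and the uRPF model follows Security Candidate's description of how the default route is treated; on real IOS, strict uRPF does not count a default route as a valid return path unless the `allow-default` keyword is configured.

```python
import ipaddress

# Constructed routing table for the thread's scenario (assumption): the
# 150.15.0.0/16 LAN sits behind Ethernet0 and a default route points out Serial0.
ROUTES = {"150.15.0.0/16": "Ethernet0", "0.0.0.0/0": "Serial0"}
CONNECTED = ["150.15.0.0/16"]


def route_lookup(table, addr):
    """Longest-prefix match: return the interface the route to addr leaves by."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def strict_urpf_permits(table, src, ingress):
    """Strict uRPF as the thread describes it: the packet passes only if the
    best route back to its source leaves via the interface it arrived on, so a
    packet claiming a 150.15.x.x source is refused on Serial0, and with only a
    default route an unknown source is accepted on Serial0 alone."""
    return route_lookup(table, src) == ingress


def wildcard_match(addr, base, wildcard):
    """Cisco ACL address matching: wildcard bits set to 1 are 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_101_permits(src):
    """Mani's access-list 101 applied inbound on Serial0: deny packets that
    claim a 150.15.0.0/16 source (the anti-spoofing line), permit the rest."""
    return not wildcard_match(src, "150.15.0.0", "0.0.255.255")


def is_directed_broadcast(dst, connected=CONNECTED):
    """True when dst is the broadcast address of a connected subnet: the
    packet that 'no ip directed-broadcast' keeps the router from turning into
    a LAN broadcast, which is what makes a network a smurf amplifier."""
    ip = ipaddress.ip_address(dst)
    return any(ip == ipaddress.ip_network(c).broadcast_address
               for c in connected)
```

The ACL and strict uRPF agree on packets that spoof the local /16 on Serial0; they differ on everything else, since the ACL permits any other source while uRPF also rejects, for example, a 10.x source arriving on Ethernet0.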


This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:58 GMT-3