RE: smurf attack

From: ccie2be (ccie2be@nyc.rr.com)
Date: Sat May 14 2005 - 16:55:25 GMT-3


This is from the Cisco Press book, Cisco Router Security Firewall, which in
my opinion is the best book of its kind out there.
 
**************************************************************************
Smurf is a DoS attack that uses ICMP echos. The name Smurf is used because
this was what the original hacker application was called. A hacker using
Smurf uses two things that can create a massive DoS attack against your
resources.

Smurf in Action

First, the hacker puts a directed broadcast into the destination field of
the IP packet header. Directed broadcasts, unlike local broadcasts, are
routable. Depending on the user's device, a directed broadcast can be either
the first or the last address in a network or subnet. Typically, it is the
last address. For example, with network 192.168.1.0/24, the directed
broadcast address could be 192.168.1.0 or 192.168.1.255. Second, instead of
using his own address as the source address of the packet, the hacker
replaces it with the address of the device that he wants to attack. If the
destination network or networks do not filter the directed broadcast, all
the destinations on the segment of the directed broadcast respond with an
echo reply to the source address in the packet (the victim).
Figure 7-6 illustrates the process of a
Smurf attack. In this example, the hacker wants to attack the internal
server (200.1.2.1). The attacker then finds a network that allows directed
broadcasts into the network. This could be the same network (not likely) or
another network connected to the Internet (most likely). The hacker then
sends an ICMP echo with a destination-directed broadcast to the segment that
will initiate the attack and puts a source address in the packet header of
the actual victim (200.1.2.1). When the destinations on 200.1.1.0/24 receive
the echo-directed broadcast, each device responds to the source address with
an echo reply. These devices commonly are called reflectors because they are
being used to reflect the attack to the actual victim. In this example, only
three user devices (200.1.1.1, 200.1.1.2, and 200.1.1.3) send an echo reply to
200.1.2.1.
 
One of the most common DoS attacks is the Smurf attack, which I covered in
Chapter 7, "Basic Access Lists." (Chapter 7 also covered how to use ACLs to
deal with the Smurf attack.) In a Smurf attack, the attacker sends a flood
of ICMP messages to a reflector or sets of reflectors, with the source IP
address in the ICMP echo messages spoofed. The hacker changes these
addresses to the address of the actual victim device or devices. The
reflectors then innocently reply to the echo messages, inadvertently sending
the replies to the victim. In many cases, the source address is a directed
broadcast address, allowing the attack to target a network segment instead
of a specific host. Based on this information, if you see a large number of
ICMP echo replies coming into your network, you probably are experiencing a
Smurf attack, or at least a derivative of this kind of attack. Likewise, if
you are seeing a large number of packets coming into your network with a
directed broadcast address, this would indicate that you are under attack.
One method of preventing this is to use the no ip directed-broadcast command
on your router's interfaces. I discussed this command in Chapter 4,
"Disabling Unnecessary Services."
 
****************************************************************
 
This book has a lot more info and some examples of what you can do about
this and other types of attacks. I strongly recommend anyone preparing for
the lab get this book and read the sections covered in the lab thoroughly.
 
HTH, Tim
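As an added example (not from the thread or the Cisco Press book), this Python script checks packet records for the two symptoms described in the book excerpt above and in Jongsoo's message quoted below: echo requests aimed at a segment's directed broadcast (your hosts being used as an amplifier) and echo-reply floods converging on one host (the spoofed source target), and it carries through Jongsoo's 254x amplification arithmetic. The (src, dst, icmp_type) record format and the sample packets are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type codes

def directed_broadcasts(prefix):
    """Both candidate directed-broadcast addresses of a prefix. The book
    notes a device may treat either the first or (usually) the last
    address as the broadcast, so a filter should match both."""
    net = ipaddress.ip_network(prefix, strict=False)
    return {str(net.network_address), str(net.broadcast_address)}

def is_amplifier_probe(pkt, local_prefixes):
    """True when an echo request targets a directed broadcast of one of
    our own segments: our hosts are being recruited as reflectors."""
    src, dst, icmp_type = pkt
    return icmp_type == ECHO_REQUEST and any(
        dst in directed_broadcasts(p) for p in local_prefixes)

def reply_flood_victims(pkts, min_sources):
    """Destinations receiving echo replies from at least `min_sources`
    distinct hosts: the 'spoofed source target' side of the attack."""
    sources = defaultdict(set)
    for src, dst, icmp_type in pkts:
        if icmp_type == ECHO_REPLY:
            sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}

def amplified_kbps(request_kbps, responders_per_net=254, amplifiers=1):
    """Jongsoo's arithmetic: every responder on a /24 answers each request,
    so the reply stream is roughly 254x the request stream per amplifier."""
    return request_kbps * responders_per_net * amplifiers

# Constructed sample: the Figure 7-6 scenario, plus one benign unicast ping.
SAMPLE = [
    ("200.1.2.1", "200.1.1.255", ECHO_REQUEST),   # spoofed src, directed bcast
    ("200.1.1.1", "200.1.2.1", ECHO_REPLY),       # reflectors answer the victim
    ("200.1.1.2", "200.1.2.1", ECHO_REPLY),
    ("200.1.1.3", "200.1.2.1", ECHO_REPLY),
    ("10.9.9.9", "200.1.1.7", ECHO_REQUEST),      # ordinary unicast ping
]

if __name__ == "__main__":
    probes = [p for p in SAMPLE if is_amplifier_probe(p, ["200.1.1.0/24"])]
    print("amplifier probes:", probes)
    print("reply-flood victims:", reply_flood_victims(SAMPLE, min_sources=3))
    print("40 x /24 amplifiers on 100 kbps:", amplified_kbps(100, amplifiers=40), "kbps")
```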
 
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Steve Ohnmacht
Sent: Saturday, May 14, 2005 11:44 AM
To: Jongsoo kim
Cc: ccielab@groupstudy.com
Subject: Re: smurf attack
 
Just tacking this on to Jongsoo's thread, being that this is relevant IMO...
 
This particular doc was pointed out to me with regards to this very
topic: http://www.cisco.com/warp/public/707/22.html. Believe it or not
I have this acl memorized to track/characterize these types of
attacks. This is IMO a very good link which explains what Jongsoo is
talking about... Anyways y'all have a good weekend...
 
On 5/13/05, Jongsoo kim <bstrt2002@gmail.com> wrote:
> All
> This is an interesting topic and this is my understanding specifically about
> the smurf attack.
> There are two types of victims in a smurf attack:
> 1) smurf amplifier and 2) spoofed source target.
> For example, a ping packet (spoofed source = 10.1.1.1,
> and destination = 20.1.1.255) goes out.
> In this case, 20.1.1.0/24 is the smurf amplifier and
> 10.1.1.1 is the spoofed source target.
> Usually, there are multiple amplifiers for the same target.
> If the ping (echo) stream is 100kbps, then the ping reply (echo-reply) stream to
> the target will be amplified to 254 x 100Kbps = 25Mbps if there is enough BW.
> If there are 40 x class C (/24) amplifiers, then the echo-reply stream can be
> as much as 40 x 25 Mbps = 1Gbps.
> Usually, what will happen is this traffic stream will saturate any link on
> the way to the target. And if your network has only one T1 or E1 and is being a
> smurf amplifier with a 10kbps ping stream, then the T1 link will be totally
> saturated (10 x 254 = 2.5Mbps).
> A simple script that auto-searches for smurf amplifiers can make this a
> devastating attack on the target.
> In my company, which provides international IP connection over satellite to
> many countries, I've seen this type of attack among customers (countries),
> so called "cyber-war".
> Anyway, going back to the CCIE lab,
> I think if a CCIE lab question asks specifically about a smurf attack, it is
> important to determine if your network needs prevention from being a smurf
> amplifier or from being a spoofed target.
> 1) If it is about the smurf amplifier, then you will need to make sure the
> interface is configured with "no ip directed-broadcasts", and I will also block
> icmp echo if there is no other restriction.
> 2) If it is about the smurf target, then you will need to block ICMP echo-reply.
> If there is a condition saying icmp initiated from your network to outside
> needs to work, then perhaps you can use a reflexive ACL, which will allow the
> ICMP initiated by the reflected side.
> 3) If the question is not specifying, then both should be considered. So
> you need to block incoming icmp echo and echo-reply, and the interface needs to
> be configured with "no ip directed-broadcasts". If there is a condition
> saying icmp initiated in your network needs to work from outside, then
> perhaps you can use a reflexive ACL, which will allow the ICMP initiated by
> the reflected side.
> Just my thought but any other comment welcomed
> Jongsoo
>
> On 5/12/05, Oliver Grenham <ogrenham@optusnet.com.au> wrote:
> >
> > I believe if you get this question on the exam then the destination of the
> > attack may have its ethernet interface configured with #ip
> > directed-broadcast. Remember that this is not the default, so that may
> > indicate that #no ip directed-broadcast may be the solution.
> >
> > Just my thoughts!
> >
> > Ollie.
> > ----- Original Message -----
> > From: "Keane, James" <James.Keane@agriculture.gov.ie>
> > To: "mani poopal" <mani_ccie@yahoo.com>; "Tony Schaffran"
> > <groupstudy@cconlinelabs.com>; "Security Candidate" <doubleccie@yahoo.com>;
> > <ccielab@groupstudy.com>
> > Sent: Thursday, May 12, 2005 4:21 PM
> > Subject: RE: smurf attack
> >
> > > Did you get a positive resolution on this ?
> > >
> > > Which is better to use in the prevention of the smurf attack ?
> > >
> > > ip verify unicast reverse-path
> > >
> > > or
> > >
> > > no ip directed-broadcasts
> > >
> > > or both ?
> > >
> > > -----Original Message-----
> > > From: mani poopal [mailto:mani_ccie@yahoo.com]
> > > Sent: 10 May 2005 12:01
> > > To: Tony Schaffran; 'Security Candidate'; ccielab@groupstudy.com
> > > Subject: RE: smurf attack
> > >
> > >
> > > Hi Tony,
> > >
> > > I got it, thanks
> > >
> > > Mani
> > >
> > > Tony Schaffran <groupstudy@cconlinelabs.com> wrote:
> > > The other way to stop the smurf attack from passing through your router
> > > if the address is not in the routing table is to use no ip
> > > directed-broadcasts.
> > >
> > > Tony Schaffran
> > > Network Analyst
> > > CCIE #11071
> > > CCNP, CCNA, CCDA,
> > > NNCDS, NNCSS, CNE, MCSE
> > >
> > > www.cconlinelabs.com <http://www.cconlinelabs.com>
> > > Your #1 choice for online Cisco rack rentals.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Tony Schaffran
> > > Sent: Monday, May 09, 2005 8:59 PM
> > > To: 'Security Candidate'; 'mani poopal'; ccielab@groupstudy.com
> > > Subject: RE: smurf attack
> > >
> > >
> > > I guess we would need more information here.
> > >
> > > I assumed that the 150.15.0.0/16 address would be on the Ethernet (LAN)
> > > interface and therefore would be in the routing table. RPF would then stop
> > > any packet sourcing from the 150.15.0.0/16 address from entering the Serial
> > > interface, would it not?
> > >
> > >
> > > Tony Schaffran
> > > Network Analyst
> > > CCIE #11071
> > > CCNP, CCNA, CCDA,
> > > NNCDS, NNCSS, CNE, MCSE
> > >
> > > www.cconlinelabs.com <http://www.cconlinelabs.com>
> > > Your #1 choice for online Cisco rack rentals.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Security Candidate
> > > Sent: Monday, May 09, 2005 8:40 PM
> > > To: mani poopal; Tony Schaffran; ccielab@groupstudy.com
> > > Subject: RE: smurf attack
> > >
> > >
> > > small correction here, the RPF does not stop packets of source not in
> > > the routing table
> > >
> > > what it does is it verifies that the source is in the routing table from
> > > the same interface it should come from, so let's say you have a default route
> > > to serial 0, it means any packet with unknown source should be received
> > > from serial 0 ..not any other interface
> > >
> > > hope this helps
> > >
> > >
> > > mani poopal <mani_ccie@yahoo.com> wrote:
> > > Hi Tony,
> > >
> > > I think the "ip verify unicast reverse-path" command stops packets from
> > > sources of ip address not in the routing table, ie: without verifiable
> > > source address. But this major network is in the routing table of the
> > > router, so how does this command stop the smurf attack?
> > >
> > > thanks
> > >
> > > Mani
> > >
> > > Tony Schaffran wrote:
> > > Here is the best way to stop a smurf attack.
> > >
> > > ip verify unicast reverse-path
> > >
> > > The access list was used to filter spoofed IP packets before this command
> > > was introduced.
> > >
> > > Tony Schaffran
> > > Network Analyst
> > > CCIE #11071
> > > CCNP, CCNA, CCDA,
> > > NNCDS, NNCSS, CNE, MCSE
> > >
> > > www.cconlinelabs.com <http://www.cconlinelabs.com>
> > > Your #1 choice for online Cisco rack rentals.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Tony Schaffran
> > > Sent: Monday, May 09, 2005 6:52 PM
> > > To: 'Tony Schaffran'; 'mani poopal'; ccielab@groupstudy.com
> > > Subject: RE: smurf attack
> > >
> > >
> > > Disregard my last.
> > >
> > > I was thinking of another attack.
> > >
> > > Tony Schaffran
> > > Network Analyst
> > > CCIE #11071
> > > CCNP, CCNA, CCDA,
> > > NNCDS, NNCSS, CNE, MCSE
> > >
> > > www.cconlinelabs.com <http://www.cconlinelabs.com>
> > > Your #1 choice for online Cisco rack rentals.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Tony Schaffran
> > > Sent: Monday, May 09, 2005 6:48 PM
> > > To: 'mani poopal'; ccielab@groupstudy.com
> > > Subject: RE: smurf attack
> > >
> > >
> > > You need to understand what a SMURF attack is before you can know how to
> > > stop it.
> > >
> > > Google it.
> > >
> > >
> > > Tony Schaffran
> > > Network Analyst
> > > CCIE #11071
> > > CCNP, CCNA, CCDA,
> > > NNCDS, NNCSS, CNE, MCSE
> > >
> > > www.cconlinelabs.com <http://www.cconlinelabs.com>
> > > Your #1 choice for online Cisco rack rentals.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > mani poopal
> > > Sent: Monday, May 09, 2005 6:27 PM
> > > To: ccielab@groupstudy.com
> > > Subject: smurf attack
> > >
> > >
> > > Hi Group,
> > >
> > > If your network (150.15.0.0/16) is subjected to a smurf attack how do you
> > > prevent it. Is it an attack by an intruder stealing your own ip address. Is the
> > > following config enough to stop the smurf attack.
> > >
> > > access-list 101 deny ip 150.15.0.0 0.0.255.255 any
> > > access-list 101 permit ip any any
> > >
> > > int s 0
> > > ip access-group 101 in
> > >
> > > thanks
> > >
> > > Mani
> > >
> > >
> > > B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
> > > (416)431 9929
> > > MANI_CCIE@YAHOO.COM
> > >
> > >



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:58 GMT-3