Re: smurf attack

From: joshua lauer (jslauer@hotmail.com)
Date: Sat May 14 2005 - 17:21:43 GMT-3


every time I see a post on smurf attacks I think of those little blue guys :)

jl

JOSHUA LAUER
----- Original Message -----
From: "ccie2be" <ccie2be@nyc.rr.com>
To: "'Steve Ohnmacht'" <ohnmacht@gmail.com>; "'Jongsoo kim'" <bstrt2002@gmail.com>
Cc: <ccielab@groupstudy.com>
Sent: Saturday, May 14, 2005 3:55 PM
Subject: RE: smurf attack

> This is from the Cisco Press book, Cisco Router Security Firewall, which in
> my opinion is the best book of its kind out there.
>
> **************************************************************************
> Smurf is a DoS attack that uses ICMP echos. The name Smurf is used because
> this was what the original hacker application was called. A hacker using
> Smurf uses two things that can create a massive DoS attack against your
> resources.
>
> Smurf in Action
>
> First, the hacker puts a directed broadcast into the destination field of
> the IP packet header. Directed broadcasts, unlike local broadcasts, are
> routable. Depending on the user's device, a directed broadcast can be either
> the first or the last address in a network or subnet. Typically, it is the
> last address. For example, with network 192.168.1.0/24, the directed
> broadcast address could be 192.168.1.0 or 192.168.1.255. Second, instead of
> using his own address as the source address of the packet, the hacker
> replaces it with the address of the device that he wants to attack. If the
> destination network or networks do not filter the directed broadcast, all
> the destinations on the segment of the directed broadcast respond with an
> echo reply to the source address in the packet (the victim).
>
> Figure 7-6 illustrates the process of a Smurf attack. In this example, the
> hacker wants to attack the internal server (200.1.2.1). The attacker then
> finds a network that allows directed broadcasts into the network. This could
> be the same network (not likely) or another network connected to the
> Internet (most likely). The hacker then sends an ICMP echo with a
> destination-directed broadcast to the segment that will initiate the attack
> and puts a source address in the packet header of the actual victim
> (200.1.2.1). When the destinations on 200.1.1.0/24 receive the echo-directed
> broadcast, each device responds to the source address with an echo reply.
> These devices commonly are called reflectors because they are being used to
> reflect the attack to the actual victim. In this example, only three user
> devices (200.1.1.1, 200.1.1.2, and 200.1.1.3) send an echo reply to
> 200.1.2.1.
>
> One of the most common DoS attacks is the Smurf attack, which I covered in
> Chapter 7, "Basic Access Lists." (Chapter 7 also covered how to use ACLs to
> deal with the Smurf attack.) In a Smurf attack, the attacker sends a flood
> of ICMP messages to a reflector or sets of reflectors, with the source IP
> address in the ICMP echo messages spoofed. The hacker changes these
> addresses to the address of the actual victim device or devices. The
> reflectors then innocently reply to the echo messages, inadvertently sending
> the replies to the victim. In many cases, the source address is a directed
> broadcast address, allowing the attack to target a network segment instead
> of a specific host. Based on this information, if you see a large number of
> ICMP echo replies coming into your network, you probably are experiencing a
> Smurf attack, or at least a derivative of this kind of attack. Likewise, if
> you are seeing a large number of packets coming into your network with a
> directed broadcast address, this would indicate that you are under attack.
> One method of preventing this is to use the no ip directed-broadcast command
> on your router's interfaces. I discussed this command in Chapter 4,
> "Disabling Unnecessary Services."
>
> ****************************************************************
>
> This book has a lot more info and some examples of what you can do about
> this and other types of attacks. I strongly recommend anyone preparing for
> the lab get this book and read the sections covered in the lab thoroughly.
>
> HTH, Tim
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Steve Ohnmacht
> Sent: Saturday, May 14, 2005 11:44 AM
> To: Jongsoo kim
> Cc: ccielab@groupstudy.com
> Subject: Re: smurf attack
>
> Just tacking this on to Jongsoo's thread, being that this is relevant
> IMO...
>
> This particular doc was pointed out to me with regards to this very
> topic: http://www.cisco.com/warp/public/707/22.html. Believe it or not,
> I have this ACL memorized to track/characterize these types of
> attacks. This is IMO a very good link which explains what Jongsoo is
> talking about... Anyways, y'all have a good weekend...
>
> On 5/13/05, Jongsoo kim <bstrt2002@gmail.com> wrote:
>> All,
>> This is an interesting topic and this is my understanding, specifically
>> about the smurf attack.
>> There are two types of victims in a smurf attack:
>> 1) the smurf amplifier and 2) the spoofed source target.
>> For example, a ping packet (spoofed source = 10.1.1.1, and
>> destination = 20.1.1.255) goes out.
>> In this case, 20.1.1.0/24 is the smurf amplifier and 10.1.1.1 is the
>> spoofed source target.
>> Usually, there are multiple amplifiers for the same target.
>> If the ping (echo) stream is 100kbps, then the ping reply (echo-reply)
>> stream to the target will be amplified to 254 x 100Kbps = 25Mbps if there
>> is enough BW.
>> If there are 40 x class C (/24) amplifiers, then the echo-reply stream can
>> be as much as 40 x 25 Mbps = 1Gbps.
>> Usually, what will happen is that this traffic stream will saturate any
>> link on the way to the target. And if your network has only one T1 or E1
>> and is being used as a smurf amplifier with a 10kbps ping stream, then the
>> T1 link will be totally saturated (10 x 254 = 2.5Mbps).
>> A simple script that auto-searches for smurf amplifiers can make this a
>> devastating attack on the target.
>> In my company, which provides international IP connections over satellite
>> to many countries, I've seen this type of attack among customers
>> (countries), the so-called "cyber-war".
>> Anyway, going back to the CCIE lab,
>> I think if a CCIE lab question asks specifically about the smurf attack,
>> it is important to determine if your network needs prevention from being a
>> smurf amplifier or from being a spoofed target.
>> 1) If it is about the smurf amplifier, then you will need to make sure the
>> interface is configured with "no ip directed-broadcasts", and I will also
>> block icmp echo if there is no other restriction.
>> 2) If it is about the smurf target, then you will need to block ICMP
>> echo-reply. If there is a condition saying icmp initiated from your network
>> to the outside needs to work, then perhaps you can use a reflexive ACL,
>> which will allow the ICMP initiated by the reflected side.
>> 3) If the question does not specify, then both should be considered. So
>> you need to block incoming icmp echo and echo-reply, and the interface
>> needs to be configured with "no ip directed-broadcasts". If there is a
>> condition saying icmp initiated in your network needs to work from outside,
>> then perhaps you can use a reflexive ACL, which will allow the ICMP
>> initiated by the reflected side.
>> Just my thought, but any other comments welcomed.
>> Jongsoo
>>
>> On 5/12/05, Oliver Grenham <ogrenham@optusnet.com.au> wrote:
>> >
>> > I believe if you get this question on the exam then the destination of
>> > the attack may have its ethernet interface configured with #ip
>> > directed-broadcast. Remember that this is not the default, so that may
>> > indicate that #no ip directed-broadcast may be the solution.
>> >
>> > Just my thoughts!
>> >
>> > Ollie.
>> > ----- Original Message -----
>> > From: "Keane, James" <James.Keane@agriculture.gov.ie>
>> > To: "mani poopal" <mani_ccie@yahoo.com>; "Tony Schaffran"
>> > <groupstudy@cconlinelabs.com>; "Security Candidate" <doubleccie@yahoo.com>;
>> > <ccielab@groupstudy.com>
>> > Sent: Thursday, May 12, 2005 4:21 PM
>> > Subject: RE: smurf attack
>> >
>> > > Did you get a positive resolution on this?
>> > >
>> > > Which is better to use in the prevention of the smurf attack?
>> > >
>> > > ip verify unicast reverse-path
>> > >
>> > > or
>> > >
>> > > no ip directed-broadcasts
>> > >
>> > > or both ?
>> > >
>> > > -----Original Message-----
>> > > From: mani poopal [mailto:mani_ccie@yahoo.com]
>> > > Sent: 10 May 2005 12:01
>> > > To: Tony Schaffran; 'Security Candidate'; ccielab@groupstudy.com
>> > > Subject: RE: smurf attack
>> > >
>> > >
>> > > Hi Tony,
>> > >
>> > > I got it, thanks
>> > >
>> > > Mani
>> > >
>> > > Tony Schaffran <groupstudy@cconlinelabs.com> wrote:
>> > > The other way to stop the smurf attack from passing through your router
>> > > if the address is not in the routing table is to use no ip
>> > > directed-broadcasts.
>> > >
>> > > Tony Schaffran
>> > > Network Analyst
>> > > CCIE #11071
>> > > CCNP, CCNA, CCDA,
>> > > NNCDS, NNCSS, CNE, MCSE
>> > >
>> > > www.cconlinelabs.com
>> > > Your #1 choice for online Cisco rack rentals.
>> > >
>> > >
>> > >
>> > > -----Original Message-----
>> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> > > Tony Schaffran
>> > > Sent: Monday, May 09, 2005 8:59 PM
>> > > To: 'Security Candidate'; 'mani poopal'; ccielab@groupstudy.com
>> > > Subject: RE: smurf attack
>> > >
>> > >
>> > > I guess we would need more information here.
>> > >
>> > > I assumed that the 150.15.0.0/16 address would be on the Ethernet (LAN)
>> > > interface and therefore would be in the routing table. RPF would then
>> > > stop any packet sourcing from the 150.15.0.0/16 address from entering
>> > > the Serial interface, would it not?
>> > >
>> > >
>> > > -----Original Message-----
>> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> > > Security Candidate
>> > > Sent: Monday, May 09, 2005 8:40 PM
>> > > To: mani poopal; Tony Schaffran; ccielab@groupstudy.com
>> > > Subject: RE: smurf attack
>> > >
>> > >
>> > > Small correction here: RPF does not stop packets whose source is not
>> > > in the routing table.
>> > >
>> > > What it does is verify that the source is in the routing table from the
>> > > same interface it should come from. So let's say you have a default
>> > > route to serial 0; it means any packet with an unknown source should be
>> > > received from serial 0, not any other interface.
>> > >
>> > > Hope this helps
>> > >
>> > >
>> > > yahoo.com <http://yahoo.com>> wrote:
>> > > Hi Tony,
>> > >
>> > > I think the "ip verify unicast reverse-path" command stops packets from
>> > > sources of IP addresses not in the routing table, i.e. without a
>> > > verifiable source address. But this major network is in the routing
>> > > table of the router, so how does this command stop the smurf attack?
>> > >
>> > > thanks
>> > >
>> > > Mani
>> > >
>> > > Tony Schaffran wrote:
>> > > Here is the best way to stop a smurf attack.
>> > >
>> > > ip verify unicast reverse-path
>> > >
>> > > The access list was used to filter spoofed IP packets before this
>> > > command was introduced.
>> > >
>> > > -----Original Message-----
>> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> > > Tony Schaffran
>> > > Sent: Monday, May 09, 2005 6:52 PM
>> > > To: 'Tony Schaffran'; 'mani poopal'; ccielab@groupstudy.com
>> > > Subject: RE: smurf attack
>> > >
>> > >
>> > > Disregard my last.
>> > >
>> > > I was thinking of another attack.
>> > >
>> > > -----Original Message-----
>> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> > > Tony Schaffran
>> > > Sent: Monday, May 09, 2005 6:48 PM
>> > > To: 'mani poopal'; ccielab@groupstudy.com
>> > > Subject: RE: smurf attack
>> > >
>> > >
>> > > You need to understand what a SMURF attack is before you can know how to
>> > > stop it.
>> > >
>> > > Google it.
>> > >
>> > > -----Original Message-----
>> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> > > mani poopal
>> > > Sent: Monday, May 09, 2005 6:27 PM
>> > > To: ccielab@groupstudy.com
>> > > Subject: smurf attack
>> > >
>> > >
>> > > Hi Group,
>> > >
>> > > If your network (150.15.0.0/16) is subjected to a smurf attack, how do
>> > > you prevent it? Is it an attack by an intruder stealing your own IP
>> > > address? Is the following config enough to stop the smurf attack?
>> > >
>> > > access-list 101 deny ip 150.15.0.0 0.0.255.255 any
>> > > access-list 101 permit ip any any
>> > >
>> > > int s 0
>> > > ip access-group 101 in
>> > >
>> > > thanks
>> > >
>> > > Mani
>> > >
>> > >
>> > > B.ENG,A+,CCNA,CCNP,CCNP-VOICE, CSS1,CNA,MCSE
>> > > (416)431 9929
>> > > MANI_CCIE@YAHOO.COM
>> > >
>> > >
>> > > _______________________________________________________________________
>> > > Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html
>> > >
>>
>
>
> --
> -so
>

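Added example, my code rather than anything from the thread or the quoted book: the two Smurf indicators the book excerpt names (inbound echo requests aimed at a directed-broadcast address, and a flood of echo replies toward one host) checked over constructed flow records, with Jongsoo's amplification arithmetic as a function. The subnets, the flow records and the threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed: the subnets behind this router (the book's 200.1.1.0/24
# reflector LAN and the 200.1.2.0/24 LAN that holds the victim server).
LOCAL_SUBNETS = [ipaddress.ip_network("200.1.1.0/24"),
                 ipaddress.ip_network("200.1.2.0/24")]

# Constructed flow records: (ingress_if, src, dst, icmp_type, packets).
# ICMP type 8 is echo request, type 0 is echo reply.
SAMPLE_FLOWS = [
    ("Serial0", "200.1.2.1", "200.1.1.255", 8, 5000),  # echo to our directed broadcast
    ("Serial0", "10.9.9.9", "200.1.1.10", 8, 3),       # an ordinary ping
    ("Serial0", "20.1.1.7", "200.1.2.1", 0, 4100),     # reflector replies hitting the server
    ("Serial0", "20.1.1.8", "200.1.2.1", 0, 3900),
    ("Serial0", "20.1.1.9", "200.1.2.1", 0, 4000),
    ("Serial0", "10.9.9.9", "200.1.2.50", 0, 3),       # reply to a ping we sent out
]

def directed_broadcast_addrs(subnets):
    """Directed-broadcast addresses of our subnets.  The book notes that some
    devices treat the first address as the broadcast, so both are included."""
    addrs = set()
    for net in subnets:
        addrs.add(net.network_address)
        addrs.add(net.broadcast_address)
    return addrs

def inbound_directed_broadcasts(flows, subnets):
    """Amplifier-side indicator: echo requests arriving for one of our
    directed-broadcast addresses.  Returns the offending (src, dst) pairs."""
    targets = directed_broadcast_addrs(subnets)
    return [(src, dst) for _, src, dst, itype, _ in flows
            if itype == 8 and ipaddress.ip_address(dst) in targets]

def echo_reply_floods(flows, threshold):
    """Victim-side indicator: destinations that received at least `threshold`
    echo-reply packets in this sample, with the packet count per destination."""
    per_dst = Counter()
    for _, _, dst, itype, pkts in flows:
        if itype == 0:
            per_dst[dst] += pkts
    return {dst: n for dst, n in per_dst.items() if n >= threshold}

def reply_rate_bps(ping_bps, amplifier_prefixes):
    """Jongsoo's arithmetic without rounding: every usable host on each
    amplifier subnet answers, so the reply rate toward the target is the
    ping rate times the usable host count, summed over all amplifiers."""
    usable = sum(max(ipaddress.ip_network(p).num_addresses - 2, 1)
                 for p in amplifier_prefixes)
    return ping_bps * usable
```

The first check belongs on the router that could become an amplifier, the second on the router in front of a possible victim; a single echo-reply flood from many distinct sources toward one host is the signature the book describes.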

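Added example, my code and not from the thread or from Cisco: a model of strict-mode unicast RPF as Security Candidate explains it, alongside Mani's access-list 101, both evaluated against the spoofed packet the thread discusses. The routing table, the interface names and the allow_default parameter are assumptions; IOS exposes the latter as the allow-default keyword of ip verify unicast source reachable-via.

```python
import ipaddress

# Constructed routing table for Mani's router: (prefix, outgoing interface).
# 150.15.0.0/16 is the protected network on the LAN; everything else goes
# out Serial0 via the default route.
ROUTES = [
    ("150.15.0.0/16", "Ethernet0"),
    ("0.0.0.0/0", "Serial0"),
]

def lookup(table, addr):
    """Longest-prefix match for addr; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, intf in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best

def urpf_strict_permits(table, src, ingress_if, allow_default=False):
    """Strict-mode uRPF as Security Candidate describes it: the packet passes
    only if the route back to its source points out the interface it arrived
    on.  A default route is used for that check only when allow_default is
    set, which is what IOS's allow-default keyword controls."""
    route = lookup(table, src)
    if route is None:
        return False
    net, intf = route
    if net.prefixlen == 0 and not allow_default:
        return False
    return intf == ingress_if

def mani_acl_permits(src):
    """Mani's access-list 101 applied inbound on Serial0:
    deny ip 150.15.0.0 0.0.255.255 any, then permit ip any any."""
    return ipaddress.ip_address(src) not in ipaddress.ip_network("150.15.0.0/16")

def evaluate(src, ingress_if, allow_default=False):
    """Verdict for one packet: the ACL (on Serial0 only) and strict uRPF on
    the ingress interface must both permit it."""
    acl_ok = mani_acl_permits(src) if ingress_if == "Serial0" else True
    return acl_ok and urpf_strict_permits(ROUTES, src, ingress_if, allow_default)
```

Both mechanisms only catch the spoofed echo requests at the spoofer's edge or at the amplifier; the echo replies that reach the victim carry the reflectors' real source addresses and pass a reverse-path check, which is why Jongsoo treats the amplifier and target roles separately.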

This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:58 GMT-3