Re: smurf attack

From: Arun Arumuganainar (aarumuga@hotmail.com)
Date: Tue Sep 20 2005 - 13:32:19 GMT-3


A smurf attack can be caused by directed broadcast.

Basically it is a DoS attack and works like this. The hacker spoofs the
server which has to be brought down. Once the address is known, he sends out
a ping to the ip-directed-broadcast address of a random subnet with the
source address set to the server address. In response to the ping, every
host in the subnet will respond to the server. If the amount of ping
responses is big enough, it could overwhelm the server.

Well, this is the smurf attack. From a CCIE lab perspective there could be
two things that we would be interested in.

A) How to prevent a smurf attack totally?

Solution: "no ip directed-broadcast" on the router's interface will block
directed broadcasts from being forwarded to its subnet, thus stopping the
attack.

B) Some person is attacking a server and we want to find out the affected
addresses so that we can inform the service provider or victim about the
imminent DoS attack?

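ip access-list extended smurf-attack
 ! Log ICMP echo replies (the IOS keyword is echo-reply; ICMP takes no "eq")
 permit icmp any any echo-reply log
 ! Permit everything else so the list only logs and never drops
 permit ip any any
!
!
interface ethernet 0/0
 ip access-group smurf-attack in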

FYI: I have assumed the hacker is using the subnet attached to e0/0 for
creating the smurf attack.

Please note: The log option will be used to identify the victim who is being
targeted. It's a passive access list that would do only the logging. It is
not intended to prevent the attack altogether.

Another design note: While enabling the log option, make sure you rate limit
ping responses on your router. Failing to do so ... your router could also
die along with the victim. Router performance could be affected due to
access-list processing. The worst-case scenario ... the router could hang and
packet forwarding might stop !!! So it is very imperative to rate limit the
ping responses.

Thanks and Regards
Arun
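
Added example, not part of the original post: one way to turn the log entries produced by the logging ACL above into a victim report, by tallying echo replies (ICMP type 0, code 0) per destination. The sample lines are constructed in the IOS %SEC-6-IPACCESSLOGDP format with documentation addresses, and the function names and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not captured from a real router).
SAMPLE_LOG = """\
Sep 20 13:30:01: %SEC-6-IPACCESSLOGDP: list smurf-attack permitted icmp 10.1.1.5 -> 192.0.2.10 (0/0), 1 packet
Sep 20 13:30:01: %SEC-6-IPACCESSLOGDP: list smurf-attack permitted icmp 10.1.1.6 -> 192.0.2.10 (0/0), 1 packet
Sep 20 13:35:01: %SEC-6-IPACCESSLOGDP: list smurf-attack permitted icmp 10.1.1.5 -> 192.0.2.10 (0/0), 412 packets
Sep 20 13:35:01: %SEC-6-IPACCESSLOGDP: list smurf-attack permitted icmp 10.1.1.6 -> 192.0.2.10 (0/0), 398 packets
Sep 20 13:35:02: %SEC-6-IPACCESSLOGDP: list smurf-attack permitted icmp 10.1.1.7 -> 192.0.2.10 (0/0), 405 packets
Sep 20 13:35:09: %SEC-6-IPACCESSLOGDP: list smurf-attack permitted icmp 10.1.1.9 -> 198.51.100.3 (0/0), 1 packet
Sep 20 13:35:10: %SEC-6-IPACCESSLOGDP: list other-acl permitted icmp 10.1.1.9 -> 198.51.100.3 (8/0), 3 packets
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) permitted icmp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

def summarize_echo_replies(log_text, acl="smurf-attack"):
    """Return {dst: (total echo-reply packets, set of replying sources)}."""
    totals = defaultdict(lambda: [0, set()])
    for m in LINE_RE.finditer(log_text):
        # Keep only hits from the logging ACL that are echo replies (0/0).
        if m["acl"] != acl or (m["type"], m["code"]) != ("0", "0"):
            continue
        entry = totals[m["dst"]]
        entry[0] += int(m["count"])   # later lines carry aggregated counts
        entry[1].add(m["src"])
    return {dst: (n, srcs) for dst, (n, srcs) in totals.items()}

def likely_victims(log_text, min_sources=3, min_packets=100):
    """Destinations flooded with replies from many distinct local hosts.

    Thresholds are illustrative assumptions; tune them to the subnet size.
    """
    summary = summarize_echo_replies(log_text)
    hits = [(dst, n, len(srcs)) for dst, (n, srcs) in summary.items()
            if len(srcs) >= min_sources and n >= min_packets]
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    for dst, packets, sources in likely_victims(SAMPLE_LOG):
        print(f"{dst}: {packets} echo replies from {sources} local hosts")
```

A single host answering an ordinary ping stays below both thresholds, so only a destination receiving replies from several hosts on the subnet is reported.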

----- Original Message -----
From: "Rajib Khan" <rajib56666@yahoo.com>
To: <ccielab@groupstudy.com>
Sent: Tuesday, September 20, 2005 8:46 PM
Subject: smurf attack

> Hi group,
>
> I am looking for an ACL to match smurf traffic
>
> Thanks in advance
>
> Raj


