SV: smurf attack

From: Jens Petter Eikeland (jenseike@start.no)
Date: Tue Sep 20 2005 - 14:58:40 GMT-3


"no ip directed-broadcast" will prevent a router from being a reflector for the
attack.
To stop the attack you want to prevent ICMP echo and ICMP echo-reply in
an ACL to the networks... You can do this other ways also, by using the MQC or
rate-limiting the ICMP packets. This depends on whether you want to stop ICMP
altogether in your network. Many administrators do not want to stop ICMP
altogether, so they limit the ICMP packets that are allowed to and from the
network.

So to sum up, these are your options:

ACL denying ICMP
Rate-limit interface command
QoS (MQC)

Jens P

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of Arun
Arumuganainar
Sent: 20 September 2005 18:32
To: Rajib Khan; ccielab@groupstudy.com
Subject: Re: smurf attack

A smurf attack can be caused by directed broadcast.

Basically it is a DOS attack and works like this. The hacker spoofs the server
which has to be brought down. Once the address is known he sends out a ping
to the ip-directed-broadcast address of a random subnet with the source address
set to the server address. In response to the ping every host in the subnet will
respond to the server. If the amount of ping responses is big enough it
could overwhelm the server.

Well, this is a smurf attack. From the CCIE LAB perspective there could be two
things that we would be interested in.

A) How to prevent a SMURF attack totally?

Solution: "no ip directed-broadcast" on the router's interface will block
directed broadcasts from being forwarded to its subnet and thus stop the
attack.

B) Some person is attacking a server and we want to find out the affected
addresses so that we can inform the service provider or victim about the
imminent DOS attack?

ip access-list extended smurf-attack
  remark log every ICMP echo-reply so the flooded destination can be identified
  permit icmp any any echo-reply log
  permit ip any any
!
!
interface ethernet 0/0
 ip access-group smurf-attack in

FYI: I have assumed the hacker is using the subnet attached to e0/0 for
creating the smurf attack.

Pls. note: The log option will be used to identify the victim who is being
targeted. It's a passive access-list that would do only the logging. It is
not intended to prevent the attack altogether.

Another design note: While enabling the log option make sure you rate-limit
ping responses on your router. Failing to do so... your router could also
die along with the victim. Router performance could be affected due to
access-list processing. The worst-case scenario... the router could hang and
packet forwarding might stop!!! So it is very imperative to rate-limit the
ping responses.

Thanks and Regards
Arun

----- Original Message -----
From: "Rajib Khan" <rajib56666@yahoo.com>
To: <ccielab@groupstudy.com>
Sent: Tuesday, September 20, 2005 8:46 PM
Subject: smurf attack

> Hi group,
>
> I am looking for an ACL to match smurf traffic
>
> Thanks in advance
>
> Raj
>

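The syslog lines that the "log" keyword in Arun's ACL produces can be aggregated per destination to pick out the flooded victim (point B above). The Python script below is an added example, not code from the thread; the log lines are constructed, the IOS message layout is assumed from the IPACCESSLOGDP format, and the thresholds are arbitrary.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of IOS syslog lines of the kind the "log" keyword on the
# smurf-attack ACL produces; addresses and counts are made up for this example.
# IOS logs ICMP hits as "(type/code)": echo-reply is type 0, code 0.
SAMPLE_LOG = """\
Sep 20 18:40:01: %SEC-6-IPACCESSLOGDP: list smurf-attack permitted icmp 10.1.1.11 -> 192.0.2.10 (0/0), 1 packet
Sep 20 18:40:01: %SEC-6-IPACCESSLOGDP: list smurf-attack permitted icmp 10.1.1.12 -> 192.0.2.10 (0/0), 1 packet
Sep 20 18:40:01: %SEC-6-IPACCESSLOGDP: list smurf-attack permitted icmp 10.1.1.13 -> 192.0.2.10 (0/0), 1 packet
Sep 20 18:40:02: %SEC-6-IPACCESSLOGDP: list smurf-attack permitted icmp 10.1.1.14 -> 192.0.2.10 (0/0), 1 packet
Sep 20 18:40:07: %SEC-6-IPACCESSLOGDP: list smurf-attack permitted icmp 10.1.1.40 -> 198.51.100.7 (0/0), 1 packet
Sep 20 18:45:03: %SEC-6-IPACCESSLOGDP: list smurf-attack permitted icmp 10.1.1.11 -> 192.0.2.10 (0/0), 240 packets
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) permitted icmp "
    r"(?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)


def parse_echo_replies(log_text):
    """Yield (reflector, destination, packets) for each logged echo-reply hit."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("type") == "0":   # ICMP type 0 = echo-reply
            yield m.group("src"), m.group("dst"), int(m.group("count"))


def find_smurf_victims(log_text, min_reflectors=3, min_packets=50):
    """Aggregate echo-replies per destination. A smurf victim shows many
    distinct reflectors (the amplifying subnet) or a high reply volume;
    a host legitimately receiving a few replies from one peer is not flagged."""
    packets = Counter()
    reflectors = defaultdict(set)
    for src, dst, count in parse_echo_replies(log_text):
        packets[dst] += count
        reflectors[dst].add(src)
    return {
        dst: {"packets": packets[dst], "reflectors": len(reflectors[dst])}
        for dst in packets
        if len(reflectors[dst]) >= min_reflectors or packets[dst] >= min_packets
    }


if __name__ == "__main__":
    for victim, stats in find_smurf_victims(SAMPLE_LOG).items():
        print(f"probable smurf victim {victim}: {stats}")
```

With the sample above, 192.0.2.10 is reported (four reflectors, 244 replies) while 198.51.100.7, which got a single reply from one host, is not.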


This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3