From: Edwards, Andrew M (andrew.m.edwards@boeing.com)
Date: Thu Oct 06 2005 - 13:24:47 GMT-3
Stefan,
I would not make an assumption about what the task is referring to. I
would ask the proctor for clarification if this is a smurf or fraggle
attack, reflector or target, do you have enough information to nail it
down to the subnet broadcast or is it general bcast, etc.
If it's smurf/fraggle:
Smurf uses ICMP ECHO and ECHO-REPLY to the broadcast address on an
interface, Fraggle uses UDP ECHO.
SMURF:
Reflector: icmp any host <subnet bcast> echo
Target: icmp any host <subnet bcast> echo-reply
FRAGGLE:
Udp any any echo
HTH,
Andy
Myself I find a lot of ambiguity in the QoS and Security sections of the
lab. Last time I camped out at the proctor desk to get my questions
answered .... And guess what? I nailed those sections. Just didn't
nail the others.... 8)
-----Original Message-----
From: Stefan Grey [mailto:examplebrain@hotmail.com]
Sent: Thursday, October 06, 2005 8:58 AM
To: ccielab@groupstudy.com
Subject: ICMP and UDP flooding
Hi group,
I have the task to log ICMP and UDP flooding attacks (come to interface
s0/0). What would be the correct solution for this??
1.
config#ip access-list extended ICMPTRACK
config-ext-acl#permit icmp any any echo log input
config-ext-acl#permit icmp any any echo-reply log input
2.
config-ext-acl#permit icmp any 0.0.0.255 255.255.255.0 echo log input
config-ext-acl#permit icmp any 0.0.0.255 255.255.255.0 echo-reply log input
Which of the above solutions would be the correct one for ICMP flooding
attack?? Or neither one?? Which would be correct one.
And great question about UDP. How to track the UDP flooding then?? UDP
doesn't have pings.
at the end of this access-list might be:
interface s0
ip access-group ICMPTRACK out
Thanks.
This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:49 GMT-3
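
Added example, not part of the original thread: a small Python model of IOS wildcard-mask matching that compares which destinations the three destination forms seen above (`any`, `0.0.0.255 255.255.255.0`, and `host <subnet bcast>`) would match and therefore log. The function names, sample addresses and prefix lengths are constructed for illustration.

```python
import ipaddress

def wildcard_match(acl_addr, wildcard, addr):
    """IOS extended-ACL match: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    x = int(ipaddress.IPv4Address(addr))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (x & care)

def dest_matches(spec, addr):
    """spec is ('any',), ('host', ip) or (address, wildcard)."""
    if spec == ("any",):
        return True
    if spec[0] == "host":
        return wildcard_match(spec[1], "0.0.0.0", addr)
    return wildcard_match(spec[0], spec[1], addr)

def subnet_broadcast(cidr):
    """Directed-broadcast address of the subnet the destination sits in."""
    return str(ipaddress.ip_network(cidr).broadcast_address)

# Constructed samples: (destination, subnet configured on the segment)
SAMPLES = [
    ("192.0.2.255",  "192.0.2.0/24"),   # broadcast of a /24
    ("192.0.2.127",  "192.0.2.0/25"),   # broadcast of a /25, last octet is not 255
    ("198.18.0.255", "198.18.0.0/23"),  # ordinary host address inside a /23
    ("198.18.1.255", "198.18.0.0/23"),  # broadcast of that /23
    ("192.0.2.10",   "192.0.2.0/24"),   # ordinary host
]

def compare(samples):
    """For each destination, report which destination form would match it."""
    rows = []
    for dst, cidr in samples:
        bcast = subnet_broadcast(cidr)
        rows.append({
            "dst": dst,
            "bcast": bcast,
            "any": dest_matches(("any",), dst),
            "wildcard": dest_matches(("0.0.0.255", "255.255.255.0"), dst),
            "host_bcast": dest_matches(("host", bcast), dst),
        })
    return rows

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

The wildcard form matches every address whose last octet is 255, so it agrees with the subnet broadcast only when the subnet boundary falls on a /24.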