Re: HELP:SMURF ATTACK

From: Venkataramanaiah.R (vramanaiah@gmail.com)
Date: Fri Dec 02 2005 - 19:39:27 GMT-3

• Next message: steven richards: "RE: Using the IP Multicast Helper Map command"
• Previous message: Brian Dennis: "RE: Set precedence.. error"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

It makes sense to match the broadcast address and network address of
the reflector site while tracing smurf attacks at the reflector site..
(as shown below)
However if we are asked to filter the smurf attack at the victim site,
do you guys think matching just the destination network/broadcast
address is sufficient. I would say we must all echo-replies to all
addresses in the Victim network.. Do you agree.

access-list 169 permit icmp any 0.0.0.255 255.255.255.0 echo log-input
access-list 169 permit icmp any 0.0.0.0 255.255.255.0 echo log-input
access-list 169 permit ip any any

Regards
-Venkat

On 11/8/05, Chris Lewis <chrlewiscsco@yahoo.com> wrote:
> Strictly speaking smurf is the ICMP form of the attack and fraggle is the UDP version. If you are the person being attacked, smurf will be sending you tons of ICMP echo replies, so that is what you need to either deny or rate limit on the inbound interface of your network. In practice this does you little good as the link will be swamped before you get a chance to deny it. In real life you need the ISP to rate limit this traffic to your site to keep room free on your access link for legitimate traffic.
>
> Chris
>
> cscoitit cscoitit <cscoitit@yahoo.ca> wrote:
> Hi Friends,
>
> I have a doubt in smurf attack. How do I log the smurf attack on the interface. In the web smarf attack is defined as icmp echo requests to specific directed broadcast address specifying false source address(victim). ****Do we have to define udp in the access list or is icmp is enough***
> I will be writing my exam next week.
>
> my configs as follows:
> acl 101 permit icmp any any eq echo log
> acl 101 permit icmp any any eq echo-reply log
> acl 101 permit ip any any
>
> ip access-group 101 in
>
>
>
>
>
> ---------------------------------
> Find your next car at Yahoo! Canada Autos
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> ---------------------------------
> Yahoo! FareChase - Search multiple travel sites in one click.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: steven richards: "RE: Using the IP Multicast Helper Map command"
• Previous message: Brian Dennis: "RE: Set precedence.. error"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:50 GMT-3