From: Chris Lewis (chrlewiscsco@gmail.com)
Date: Sun Jan 15 2006 - 23:58:25 GMT-3
If you are the victim of a smurf attack, you will be receiving a large
number of ICMP echo-replies from valid source addresses.
If you are the victim of a fraggle attack you will be receiving a large
number of UDP echo replies from valid source addresses.
Unicast RPF does not help here; the best solution is to rate limit incoming
echo replies.
Chris
On 1/15/06, midatlanticnet@gmail.com <midatlanticnet@gmail.com> wrote:
>
> I saw somewhere on this message board a solution to Smurf attacks. That
> solution used 8 lines in an extended ACL permitting ICMP and UDP echo and
> echo-reply, then rate limited the ACL using CAR. Here is my main question:
>
> If I want to limit a smurf attack to a max of 128K, and normal 8kbps using
> CAR...why not use the "verify unicast" command on the interface and have
> that point to a permit any any ACL...then rate limit that ACL to the above
> parameters.
>
> -Chris
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
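
Added example (not part of the original thread): the rate limit on incoming echo replies recommended in the reply above, written as a Cisco IOS CAR configuration. The ACL number, interface name and burst sizes are assumptions; 128000 bps is the ceiling named in the question.

```cisco
! Added example; ACL number 102 and interface Serial0/0 are hypothetical.
!
! Match only the reflected traffic a smurf or fraggle victim receives:
! ICMP echo-replies and UDP datagrams sourced from the echo port (7).
! The senders are real amplifier hosts with valid source addresses,
! so a unicast RPF check passes them and cannot be used as the filter.
access-list 102 permit icmp any any echo-reply
access-list 102 permit udp any eq echo any
!
! CAR: police ACL 102 matches to 128000 bps (the cap from the question).
! The two burst values are in bytes; 8000/8000 are assumed values.
interface Serial0/0
 rate-limit input access-group 102 128000 8000 8000 conform-action transmit exceed-action drop
!
! Check the conformed and exceeded counters with:
!   show interfaces Serial0/0 rate-limit
```

Traffic that does not match ACL 102 is not policed by this statement, so only echo replies are held to the cap.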