From: istong@stong.org
Date: Mon Jan 16 2006 - 11:36:49 GMT-3
One simple way to address those types of DOS attacks is to use "no ip directed broadcast" on your interfaces. You should also consider some of the other best practices at the interface level such as "no ip redirects, no ip unreachable, no ip proxy-arp..."

As mentioned, it's certainly a good idea to rate limit your ICMP traffic. Unicast RPF is another to consider, assuming you don't have asymmetric routing. If you have multiple connections as well as asymmetric routing then you have to look at loose mode versus strict mode. Often I've seen people just create anti-spoof filters using ACLs, i.e. don't allow packets from outside my network to come in with a source IP of my address space, and similarly don't allow packets out of my network unless the source IP is that of my address space. Workable if you have a known aggregated address space - not so workable if you don't know all your internal IP spaces or they are not aggregatable into a manageable range of addresses.
Thanks,
Ian
http://ccie4u.com
Rack Rentals starting at only $12 before discount
> If you are the victim of a smurf attack, you will be receiving a large number of ICMP echo-replies from valid source addresses. If you are the victim of a fraggle attack you will be receiving a large number of UDP echo replies from valid source addresses.
>
> Unicast RPF does not help here, the best solution is to rate limit incoming echo replies.
>
> Chris
>
>
> On 1/15/06, midatlanticnet@gmail.com <midatlanticnet@gmail.com> wrote:
> > I saw somewhere on this message board a solution to Smurf attacks. That solution used 8 lines in an extended ACL permitting ICMP and UDP echo and echo-reply, then rate limited the ACL using CAR. Here is my main question: if I want to limit a smurf attack to a max of 128K and normal 8kbps using CAR... why not use the "verify unicast" command on the interface and have that point to a permit any any ACL... then rate limit that ACL to the above parameters.
> >
> > -Chris
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
Ian Stong
http://www.ccie4u.com
"Rack Rentals and Lab Scenarios starting at only $12"
support@ccie4u.com
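An added configuration example, not from this thread or any of its posters, that puts the measures discussed above on one IOS edge interface: the interface hardening and anti-spoof ACLs from Ian's reply, strict uRPF with the loose-mode alternative, and a CAR policer on the echo replies a smurf/fraggle victim receives, as in Chris's and the original poster's messages. The address space 192.0.2.0/24, the interface name and addresses, and the ACL numbers are placeholders; note that the CAR burst figures are bytes, not kbps.

```cisco
! Ingress anti-spoof (placeholder space 192.0.2.0/24): drop packets arriving
! from outside that claim a source inside our own address space.
access-list 110 deny   ip 192.0.2.0 0.0.0.255 any
access-list 110 permit ip any any
!
! Egress anti-spoof: only let packets leave if sourced from our own space,
! so our hosts cannot be used to reflect traffic at someone else.
access-list 111 permit ip 192.0.2.0 0.0.0.255 any
access-list 111 deny   ip any any
!
! Classifier for the reply traffic a victim sees: ICMP echo-replies (smurf)
! and UDP replies from the echo port (fraggle). Used by CAR, not as a filter.
access-list 150 permit icmp any any echo-reply
access-list 150 permit udp any eq echo any
!
interface Serial0/0
 description Upstream link (placeholder)
 ip address 198.51.100.2 255.255.255.252
 ! Interface-level hardening from the reply above
 no ip directed-broadcast
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ! Strict uRPF: source must be reachable back out this interface. Only valid
 ! with a single upstream and symmetric routing; with multiple upstreams or
 ! asymmetric paths use loose mode instead:
 !   ip verify unicast source reachable-via any
 ip verify unicast source reachable-via rx
 ! Static anti-spoof filters (overlap with uRPF; kept for address spaces
 ! that are known and aggregated)
 ip access-group 110 in
 ip access-group 111 out
 ! CAR: echo replies are capped at 128 kbps with an 8000-byte normal burst
 ! and 8000-byte excess burst; conforming packets pass, excess is dropped
 rate-limit input access-group 150 128000 8000 8000 conform-action transmit exceed-action drop
```

Verify the policer is matching with `show interfaces Serial0/0 rate-limit` and check uRPF drops with `show ip interface Serial0/0` before trusting the numbers on a live link.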
This archive was generated by hypermail 2.1.4 : Wed Feb 01 2006 - 07:45:49 GMT-3