From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Sat Apr 15 2006 - 02:22:59 GMT-3
Chris, many thanks for explaining this. I was able to configure this
using the IEWB Lab 6 topology.
Rack1R4(config-router)#
Apr 15 01:17:50.958: ICMP: echo reply rcvd, src 191.1.13.3, dst 191.1.4.4
Apr 15 01:17:50.974: ICMP: echo reply rcvd, src 204.12.1.6, dst 191.1.4.4
Apr 15 01:17:50.998: ICMP: echo reply rcvd, src 204.12.1.254, dst 191.1.4.4
Rack1R4(config-router)#
Apr 15 01:17:52.958: ICMP: echo reply rcvd, src 191.1.34.3, dst 191.1.4.4
Apr 15 01:17:52.970: ICMP: echo reply rcvd, src 204.12.1.6, dst 191.1.4.4
Apr 15 01:17:52.986: ICMP: echo reply rcvd, src 204.12.1.254, dst 191.1.4.4
Rack1R4(config-router)#
Apr 15 01:17:54.958: ICMP: echo reply rcvd, src 191.1.13.3, dst 191.1.4.4
Apr 15 01:17:54.974: ICMP: echo reply rcvd, src 204.12.1.6, dst 191.1.4.4
Apr 15 01:17:54.986: ICMP: echo reply rcvd, src 204.12.1.254, dst 191.1.4.4
Rack1R4(config-router)#
Apr 15 01:17:56.962: ICMP: echo reply rcvd, src 191.1.13.3, dst 191.1.4.4
Apr 15 01:17:56.974: ICMP: echo reply rcvd, src 204.12.1.6, dst 191.1.4.4
Apr 15 01:17:56.990: ICMP: echo reply rcvd, src 204.12.1.254, dst 191.1.4.4
Rack1R5#ping ip 204.12.1.255 source 191.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.12.1.255, timeout is 2 seconds:
Packet sent with a source address of 191.1.5.5
Apr 15 01:17:51.312: NAT: i: icmp (191.1.5.5, 1780) -> (204.12.1.255, 1780) [50]
Apr 15 01:17:51.312: NAT: s=191.1.5.5->191.1.4.4, d=204.12.1.255 [50].
Apr 15 01:17:53.312: NAT: i: icmp (191.1.5.5, 1781) -> (204.12.1.255, 1781) [51]
Apr 15 01:17:53.312: NAT: s=191.1.5.5->191.1.4.4, d=204.12.1.255 [51].
Apr 15 01:17:55.315: NAT: i: icmp (191.1.5.5, 1782) -> (204.12.1.255, 1782) [52]
Apr 15 01:17:55.315: NAT: s=191.1.5.5->191.1.4.4, d=204.12.1.255 [52].
Apr 15 01:17:57.318: NAT: i: icmp (191.1.5.5, 1783) -> (204.12.1.255, 1783) [53]
Apr 15 01:17:57.318: NAT: s=191.1.5.5->191.1.4.4, d=204.12.1.255 [53].
Apr 15 01:17:59.318: NAT: i: icmp (191.1.5.5, 1784) -> (204.12.1.255, 1784) [54]
Apr 15 01:17:59.318: NAT: s=191.1.5.5->191.1.4.4, d=204.12.1.255 [54].
Hehehe, thanks, you and the Brians COD opened my eyes to NAT.
And now the question: is this a Smurf attack??
Victor.
Chris Lewis wrote:
Hmmm,
If I may, I'd like to re-phrase this question a little.
The SMURF attack involves three parties, the attacker, the reflector network
and the victim. The attacker sends spoofed packets with the source address
of the attackee to a subnet broadcast address in a reflector network. When
the reflector network receives this spoofed packet, all hosts on the subnet
send an echo-reply to the victim network. So if you are a victim, you will
see lots of echo-reply packets coming in to you destined to your network
address space.
A similar attack is called Fraggle which uses UDP echo instead of ICMP echo.
So from what you state, I interpret the question to be;
1. How do you protect your internal network from a SMURF attack
2. How do you stop your network from being a reflector for either a SMURF or
Fraggle attack.
The first is to configure an ACL denying icmp echo-replies, or at least
rate-limiting them.
The second is to configure no ip directed broadcasts.
Chris
On 4/8/06, emmanuel daniel <emmanueldan@gmail.com> wrote:
Hi,
I have two questions on access lists: if we want to deny a Smurf attack in
DoS, what are the packets I should deny,
and what are the packets I should deny for protocol flooding in ICMP and UDP?
_______________________________________________________________________
Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:57 GMT-3
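
The R4 debug output in this thread shows what a Smurf victim sees: several distinct sources answering one destination within milliseconds. The following Python detector for that pattern is an added example, not part of the original thread; the function names, the 1-second window, the 3-source threshold and the assumed year 2006 (the debug timestamps carry no year) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Echo-reply debug line in the format shown in the R4 output of this thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): ICMP: echo reply rcvd, "
    r"src (?P<src>[\d.]+), dst (?P<dst>[\d.]+)"
)

def parse(lines, year=2006):
    """Yield (timestamp, src, dst) per echo-reply line; prompts are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f"),
                   m["src"], m["dst"])

def amplified_destinations(lines, window=timedelta(seconds=1), min_sources=3):
    """Return {dst: sorted sources} for each destination that received echo
    replies from at least min_sources distinct senders within one window."""
    recent, flagged = defaultdict(list), defaultdict(set)
    for ts, src, dst in parse(lines):  # assumes lines are in time order
        # Drop replies that fell out of the sliding window, then add this one.
        recent[dst] = [(t, s) for t, s in recent[dst] if ts - t <= window]
        recent[dst].append((ts, src))
        sources = {s for _, s in recent[dst]}
        if len(sources) >= min_sources:
            flagged[dst] |= sources
    return {dst: sorted(srcs) for dst, srcs in flagged.items()}

# First five lines: from the thread's R4 output. Last two: constructed unicast replies.
SAMPLE = """\
Rack1R4(config-router)#
Apr 15 01:17:50.958: ICMP: echo reply rcvd, src 191.1.13.3, dst 191.1.4.4
Apr 15 01:17:50.974: ICMP: echo reply rcvd, src 204.12.1.6, dst 191.1.4.4
Apr 15 01:17:50.998: ICMP: echo reply rcvd, src 204.12.1.254, dst 191.1.4.4
Apr 15 01:17:52.958: ICMP: echo reply rcvd, src 191.1.34.3, dst 191.1.4.4
Apr 15 01:18:10.100: ICMP: echo reply rcvd, src 10.0.0.9, dst 10.0.0.1
Apr 15 01:18:12.100: ICMP: echo reply rcvd, src 10.0.0.9, dst 10.0.0.1
""".splitlines()

if __name__ == "__main__":
    for dst, srcs in amplified_destinations(SAMPLE).items():
        print(f"{dst}: echo replies from {len(srcs)} sources in one window: {srcs}")
```

A repeated reply from a single source, as in the two constructed lines, never reaches the threshold, so an ordinary unicast ping is not flagged.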