From: Chris Lewis (chrlewiscsco@gmail.com)
Date: Sat Apr 15 2006 - 10:23:59 GMT-3
I don't know that topology, so I cannot comment with full information,
however, the first trace from Rack1R4 is indicative of a SMURF attack,
assuming 191.1.4.4 is an address within the networks served by Rack1R4. My
assumption is that the attacker has sent a directed broadcast to networks
191.1.13.0 and 204.12.1.0 (which exist on some other router with IP
reachability to Rack1R4), with the spoofed source address of 191.1.4.4. Once
those hosts receive that spoofed packet, all hosts on those networks send
echo-replies to 191.1.4.4.
Chris
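The detection side of what the thread describes, as an added example that is not code from the thread or from the IEWB lab: a Python script that parses `ICMP: echo reply rcvd` lines of the kind quoted below (the `debug ip icmp` format) and flags a destination that receives replies from several distinct hosts in the same /24 within a short window, which is the signature of a reflected SMURF burst. The sample log is constructed from the thread's output, the line format and the "/24 = reflector subnet" heuristic are assumptions, and the window and host thresholds are parameters. It complements the mitigations already named in the thread (filtering or rate-limiting inbound echo replies at the victim, `no ip directed-broadcast` on the reflector).

```python
"""Flag SMURF-style reflected echo replies in Cisco IOS 'debug ip icmp' output.

Added example, not code from the thread. It assumes the debug line format
quoted in the thread ('ICMP: echo reply rcvd, src A.B.C.D, dst A.B.C.D') and
treats the /24 containing each source as the candidate reflector subnet.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# IOS debug timestamps carry no year; strptime defaults to 1900, which is fine
# for ordering events within one capture.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\.\d+):\s+"
    r"ICMP: echo reply rcvd, src (?P<src>[\d.]+), dst (?P<dst>[\d.]+)\s*$"
)

# Constructed sample: the replies quoted in the thread (re-joined onto single
# lines) plus a router prompt and one ordinary reply that should not be flagged.
SAMPLE_LOG = """\
Rack1R4(config-router)#
Apr 15 01:17:50.958: ICMP: echo reply rcvd, src 191.1.13.3, dst 191.1.4.4
Apr 15 01:17:50.974: ICMP: echo reply rcvd, src 204.12.1.6, dst 191.1.4.4
Apr 15 01:17:50.998: ICMP: echo reply rcvd, src 204.12.1.254, dst 191.1.4.4
Apr 15 01:17:52.958: ICMP: echo reply rcvd, src 191.1.34.3, dst 191.1.4.4
Apr 15 01:17:52.970: ICMP: echo reply rcvd, src 204.12.1.6, dst 191.1.4.4
Apr 15 01:17:52.986: ICMP: echo reply rcvd, src 204.12.1.254, dst 191.1.4.4
Apr 15 01:17:54.958: ICMP: echo reply rcvd, src 191.1.13.3, dst 191.1.4.4
Apr 15 01:17:54.974: ICMP: echo reply rcvd, src 204.12.1.6, dst 191.1.4.4
Apr 15 01:17:54.986: ICMP: echo reply rcvd, src 204.12.1.254, dst 191.1.4.4
Apr 15 01:17:56.962: ICMP: echo reply rcvd, src 191.1.13.3, dst 191.1.4.4
Apr 15 01:17:56.974: ICMP: echo reply rcvd, src 204.12.1.6, dst 191.1.4.4
Apr 15 01:17:56.990: ICMP: echo reply rcvd, src 204.12.1.254, dst 191.1.4.4
Apr 15 01:18:10.100: ICMP: echo reply rcvd, src 191.1.5.5, dst 191.1.4.4
"""


class Finding(NamedTuple):
    victim: str                  # destination receiving the reflected replies
    reflector: str               # /24 whose hosts answered the spoofed broadcast
    distinct_sources: List[str]  # hosts seen replying within one window
    replies: int                 # total replies from that /24 to the victim


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, src, dst) for an echo-reply debug line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = datetime.strptime(m.group("stamp"), "%b %d %H:%M:%S.%f")
    return stamp, m.group("src"), m.group("dst")


def _peak_distinct_sources(events, window: timedelta):
    """Largest number of distinct sources replying within any sliding window.

    events is a time-sorted list of (timestamp, src)."""
    counts: Counter = Counter()
    best, best_srcs = 0, set()
    left = 0
    for t, src in events:
        counts[src] += 1
        # Drop events that fell out of the window ending at t.
        while events[left][0] < t - window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        if len(counts) > best:
            best, best_srcs = len(counts), set(counts)
    return best, best_srcs


def find_reflectors(log_text: str, window_seconds: float = 2.0,
                    min_reflectors: int = 2) -> List[Finding]:
    """Group echo replies by (victim, source /24) and flag subnets where several
    distinct hosts answer the same destination inside one window: a normal ping
    draws one reply per target, a directed broadcast draws one per host."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        t, src, dst = rec
        subnet = ipaddress.ip_network(f"{src}/24", strict=False)
        by_key[(dst, str(subnet))].append((t, src))
    window = timedelta(seconds=window_seconds)
    findings = []
    for (dst, subnet), events in by_key.items():
        events.sort()
        peak, srcs = _peak_distinct_sources(events, window)
        if peak >= min_reflectors:
            findings.append(Finding(
                victim=dst, reflector=subnet,
                distinct_sources=sorted(srcs, key=ipaddress.ip_address),
                replies=len(events)))
    return sorted(findings, key=lambda f: (f.victim, f.reflector))


if __name__ == "__main__":
    for f in find_reflectors(SAMPLE_LOG):
        print(f"{f.victim} received {f.replies} echo replies from "
              f"{len(f.distinct_sources)} hosts in {f.reflector}: "
              f"{', '.join(f.distinct_sources)}")
```

On the sample the only flagged pair is victim 191.1.4.4 and reflector 204.12.1.0/24 (two hosts answering every burst); the single replies from 191.1.13.3, 191.1.34.3 and the ordinary 191.1.5.5 reply stay below the threshold. In production the thresholds would be raised well above 2, and the real discriminator is whether the flagged destination ever sent echo requests to those subnets at all.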
On 4/15/06, Victor Cappuccio <cvictor@protokolgroup.com> wrote:
>
> Chris many thanks for explaining this, I was able to configure this using
> the IEWB Lab 6 topology
>
> Rack1R4(config-router)#
> Apr 15 01:17:50.958: ICMP: echo reply rcvd, src 191.1.13.3, dst 191.1.4.4
> Apr 15 01:17:50.974: ICMP: echo reply rcvd, src 204.12.1.6, dst 191.1.4.4
> Apr 15 01:17:50.998: ICMP: echo reply rcvd, src 204.12.1.254, dst 191.1.4.4
> Rack1R4(config-router)#
> Apr 15 01:17:52.958: ICMP: echo reply rcvd, src 191.1.34.3, dst 191.1.4.4
> Apr 15 01:17:52.970: ICMP: echo reply rcvd, src 204.12.1.6, dst 191.1.4.4
> Apr 15 01:17:52.986: ICMP: echo reply rcvd, src 204.12.1.254, dst 191.1.4.4
> Rack1R4(config-router)#
> Apr 15 01:17:54.958: ICMP: echo reply rcvd, src 191.1.13.3, dst 191.1.4.4
> Apr 15 01:17:54.974: ICMP: echo reply rcvd, src 204.12.1.6, dst 191.1.4.4
> Apr 15 01:17:54.986: ICMP: echo reply rcvd, src 204.12.1.254, dst 191.1.4.4
> Rack1R4(config-router)#
> Apr 15 01:17:56.962: ICMP: echo reply rcvd, src 191.1.13.3, dst 191.1.4.4
> Apr 15 01:17:56.974: ICMP: echo reply rcvd, src 204.12.1.6, dst 191.1.4.4
> Apr 15 01:17:56.990: ICMP: echo reply rcvd, src 204.12.1.254, dst 191.1.4.4
>
> Rack1R5#ping ip 204.12.1.255 source 191.1.5.5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 204.12.1.255, timeout is 2 seconds:
> Packet sent with a source address of 191.1.5.5
>
> Apr 15 01:17:51.312: NAT: i: icmp (191.1.5.5, 1780) -> (204.12.1.255, 1780) [50]
> Apr 15 01:17:51.312: NAT: s=191.1.5.5->191.1.4.4, d=204.12.1.255 [50].
> Apr 15 01:17:53.312: NAT: i: icmp (191.1.5.5, 1781) -> (204.12.1.255, 1781) [51]
> Apr 15 01:17:53.312: NAT: s=191.1.5.5->191.1.4.4, d=204.12.1.255 [51].
> Apr 15 01:17:55.315: NAT: i: icmp (191.1.5.5, 1782) -> (204.12.1.255, 1782) [52]
> Apr 15 01:17:55.315: NAT: s=191.1.5.5->191.1.4.4, d=204.12.1.255 [52].
> Apr 15 01:17:57.318: NAT: i: icmp (191.1.5.5, 1783) -> (204.12.1.255, 1783) [53]
> Apr 15 01:17:57.318: NAT: s=191.1.5.5->191.1.4.4, d=204.12.1.255 [53].
> Apr 15 01:17:59.318: NAT: i: icmp (191.1.5.5, 1784) -> (204.12.1.255, 1784) [54]
> Apr 15 01:17:59.318: NAT: s=191.1.5.5->191.1.4.4, d=204.12.1.255 [54].
>
>
> jejeje Thanks, you and the Brians COD opened my eyes for NAT.
> And now the question is: is this a Smurf attack??
>
> Victor.
>
>
>
> Chris Lewis wrote:
>
> Hmmm,
>
> If I may, I'd like to re-phrase this question a little.
>
> The SMURF attack involves three parties, the attacker, the reflector network
> and the victim. The attacker sends spoofed packets with the source address
> of the attackee to a subnet broadcast address in a reflector network. When
> the reflector network receives this spoofed packet, all hosts on the subnet
> send an echo-reply to the victim network. So if you are a victim, you will
> see lots of echo-reply packets coming in to you destined to your network
> address space.
>
> A similar attack is called Fraggle which uses UDP echo instead of ICMP echo.
>
> So from what you state, I interpret the question to be:
> 1. How do you protect your internal network from a SMURF attack?
> 2. How do you stop your network from being a reflector for either a SMURF or
> Fraggle attack?
>
> The first is to configure an ACL denying icmp echo-replies, or at least
> rate-limiting them.
> The second is to configure no ip directed-broadcast.
>
> Chris
>
>
> On 4/8/06, emmanuel daniel <emmanueldan@gmail.com> wrote:
>
>
> Hi
>
> I have two questions on access lists: if we want to deny a smurf attack in
> DoS, what are the packets I should deny?
> And what are the packets I should deny for protocol flooding in ICMP and UDP?
>
> _______________________________________________________________________
> Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:57 GMT-3