From: Tony Paterra (apaterra@gmail.com)
Date: Tue Jul 18 2006 - 16:19:42 ART
Doing some more research based upon the answers I've received
(thanks!!), I am seeing that a Cisco recommendation is to build ACLs
that will help you trace/categorize your traffic like so...
Extended IP access list TEMP_LOG_INPUT
10 permit icmp any any echo-reply log-input
50 permit udp any any eq echo log-input
60 permit tcp any any established log-input (2 matches)
70 permit tcp any any log-input
80 permit ip any any (21 matches)
This will help categorize whether you are the ultimate target in a
SMURF attack (i.e. receiving large numbers of ICMP echo-replies, TCP
SYN floods, etc...).
The recommendation is to apply this access-list:
"attach the log-input keyword to it, and apply the access list
outbound on the interface through which the attack stream is sent
toward its ultimate target. The log entries produced by the access
list identify the router interface through which the traffic arrives,
and, if the interface is a multipoint connection, give the Layer 2
address of the device from which it is received."
from: http://www.cisco.com/warp/public/707/22.html#topic5
New question... Why apply this ACL outbound close to the ultimate
target? I was originally thinking that this should be applied inbound
on your WAN link... Does applying it closer to the ultimate target
take care of the case where you have multiple WAN links? (i.e.
log-input will log the interface where the packet entered the
router?).
Thanks in advance,
Tony
On 7/18/06, Curt Girardin <curt.girardin@chicos.com> wrote:
>
> Hi Tony,
>
> What you're describing is how to prevent yourself from being a
> SMURF-attack amplifier. The actual victim is the person that actually
> owns the spoofed source address in the icmp echo-request, thus being
> bombarded with echo-replies.
>
> However your question will be invaluable to me one day, as I now know
> how to find the source of spoofed packets within my network; an
> irritation in the past.
>
> My guess is that the ip source-track is less processor intensive, since
> an ACL 'log-input' will likely be logging every packet in a smurf attack
> or a DDoS SYN attack into the logging buffer.
>
> Thanks,
>
> Curt
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Tony Paterra
> Sent: Tuesday, July 18, 2006 2:28 PM
> To: Cisco certification
> Subject: SMURF attack mitigation features...
>
> All,
> I'm curious as to what SMURF attack mitigation features there are...
> If I am correct in my understanding of a SMURF attack it is set up as
> follows:
>
> The attacker is on a remote segment using a directed broadcast at a
> target on your LAN segment
>
> How can we mitigate these attacks?
>
> What I'm aware of (please tell me if I'm off-base or should be doing
> more/less)...
>
> -Enable unicast RPF on your WAN interface (stops receiving fake source
> addresses)
> -No ip directed-broadcast under your LAN interface (stops sending
> off-network broadcasts)
> -Put an ACL on the WAN interface that does a 'log-input' on the end or
> also ip source-track (lets you figure out where your attacker is)
>
> What is the difference between ip source-track and doing a permit ip any
> any log-input in an ACL?
>
> Thanks in advance!!!
> --
> Tony Paterra
> apaterra@gmail.com
>
>
--
Tony Paterra
apaterra@gmail.com
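An added example (mine, not from the thread or from Cisco): a small Python parser for the syslog lines an ACL like TEMP_LOG_INPUT emits with log-input, totalling packets per traffic category (echo-replies, UDP echo, other TCP/UDP) and per ingress interface plus Layer 2 address, which is exactly what the quoted Cisco text says the log entries give you. It assumes the common %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP message layout; the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the layout IOS uses for ACL entries
# carrying the log-input keyword (IPACCESSLOGDP for ICMP, IPACCESSLOGP for
# TCP/UDP). Interfaces, MACs and addresses are invented for illustration.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list TEMP_LOG_INPUT permitted icmp 198.51.100.7 (Serial0/0 *HDLC*) -> 192.0.2.10 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list TEMP_LOG_INPUT permitted icmp 198.51.100.8 (Serial0/0 *HDLC*) -> 192.0.2.10 (0/0), 1 packet
%SEC-6-IPACCESSLOGP: list TEMP_LOG_INPUT permitted tcp 203.0.113.5(40001) (FastEthernet0/1 0011.2233.4455) -> 192.0.2.10(80), 1 packet
%SEC-6-IPACCESSLOGP: list TEMP_LOG_INPUT permitted tcp 203.0.113.5(40002) (FastEthernet0/1 0011.2233.4455) -> 192.0.2.10(80), 1 packet
%SEC-6-IPACCESSLOGP: list TEMP_LOG_INPUT permitted udp 203.0.113.9(5555) (FastEthernet0/1 00aa.bbcc.ddee) -> 192.0.2.10(7), 1 packet
"""

# Fields: ACL name, action, protocol, source (port), ingress interface and
# Layer 2 address, destination (port) or ICMP type/code, packet count.
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? "
    r"\((?P<iface>\S+) (?P<l2>[^)]+)\) -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)

def parse(lines):
    """Yield one dict per parseable log-input line (other lines are skipped)."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            yield d

def categorize(rec):
    """Map a record onto the buckets the TEMP_LOG_INPUT ACL separates."""
    if rec["proto"] == "icmp" and rec["icmp"] == "0/0":
        return "icmp echo-reply"   # type 0 / code 0: the SMURF victim's view
    if rec["proto"] == "udp" and rec["dport"] == "7":
        return "udp echo"
    return rec["proto"]

def summarize(text):
    """Return (packets per category, packets per ingress interface + L2 address)."""
    by_cat, by_ingress = Counter(), Counter()
    for rec in parse(text.splitlines()):
        by_cat[categorize(rec)] += rec["count"]
        by_ingress[(rec["iface"], rec["l2"])] += rec["count"]
    return by_cat, by_ingress
```

The ingress counter answers the question in the thread: log-input records the interface (and, on multipoint links, the Layer 2 address) the packet arrived on, so the ACL can sit outbound near the target and still tell you which WAN link the stream came in through.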
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:47 ART