From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Fri Jul 28 2006 - 10:16:17 ART
Hi David.
Please look at this link
http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html
They use only 2 lines, for the SMURF Attack
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
The UDP Part that you have is for Fraggle attacks
Please see this post also
http://www.groupstudy.com/archives/ccielab/200604/msg00843.html
It has a great simulation of a Smurf attack, and Cris also explains the
differences very well.
Hope that helps.
Victor.-
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of David
Redfern (AU)
Sent: Thursday, July 27, 2006 06:47 p.m.
To: ccielab@groupstudy.com
Subject: SMURF ATTACK
Hi Guys,
I've seen a few different ACLs for preventing smurf attacks to your
internal network from the backbone.
Although I'm not sure of the best to use.
Just wondering what everyone thinks of one I have come up with below.
The first 4 lines block smurf attacks using my internal network as the
reflector.
(traffic to the network and broadcast address of any of my subnets)
The next 2 lines block me from being the final target of the smurf
attack.
(as this reply could be coming from anywhere and destined to any of my
internal hosts 'any any' is used)
The problem I see is that lines 5 and 6 will block my internal
pings to the backbone.
Although the backbone can still ping my internal routers so I'm not sure
if this is a problem at all.
What do you guys think?
Can you see any problems with this or is there a better one?
Applied Inbound
deny icmp any 0.0.0.255 255.255.255.0 echo
deny icmp any 0.0.0.0 255.255.255.0 echo
deny udp any 0.0.0.255 255.255.255.0 eq echo
deny udp any 0.0.0.0 255.255.255.0 eq echo
deny icmp any any echo-reply
deny udp any eq echo any
permit any any
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:48 ART
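
The following is an added example, not part of the original thread: a small first-match model of the inbound ACL posted above (typos read as intended), showing what the wildcard pairs `0.0.0.255 255.255.255.0` and `0.0.0.0 255.255.255.0` actually match and which line catches each packet. The addresses and sample packets are constructed, and the model assumes standard IOS behaviour (first match wins, implicit deny at the end).

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wild_match(addr, base, wildcard):
    # Cisco wildcard mask: 1 bits are "don't care", 0 bits must equal the base.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")
DOT255 = ("0.0.0.255", "255.255.255.0")  # any address whose last octet is 255
DOT0 = ("0.0.0.0", "255.255.255.0")      # any address whose last octet is 0

# (action, proto, src, dst, qualifier), transcribed from the ACL in the post with
# its typos read as intended. UDP "echo" is port 7; None matches anything.
ACL = [
    ("deny", "icmp", ANY, DOT255, ("icmp", "echo")),
    ("deny", "icmp", ANY, DOT0, ("icmp", "echo")),
    ("deny", "udp", ANY, DOT255, ("dport", 7)),
    ("deny", "udp", ANY, DOT0, ("dport", 7)),
    ("deny", "icmp", ANY, ANY, ("icmp", "echo-reply")),
    ("deny", "udp", ANY, ANY, ("sport", 7)),
    ("permit", None, ANY, ANY, None),
]

def evaluate(pkt):
    """Return (acl_line, action) for the first entry that matches pkt."""
    for n, (action, proto, src, dst, qual) in enumerate(ACL, 1):
        if proto is not None and proto != pkt["proto"]:
            continue
        if not (wild_match(pkt["src"], *src) and wild_match(pkt["dst"], *dst)):
            continue
        if qual is not None and pkt.get(qual[0]) != qual[1]:
            continue
        return n, action
    return len(ACL) + 1, "deny"  # implicit deny at the end of every ACL

# Constructed sample packets arriving inbound from the backbone.
BB, LAN = "198.51.100.9", "10.1.1."
SAMPLES = {
    "echo to subnet broadcast": dict(proto="icmp", src=BB, dst=LAN + "255", icmp="echo"),
    "backbone pings inside host": dict(proto="icmp", src=BB, dst=LAN + "5", icmp="echo"),
    "reply to an inside ping": dict(proto="icmp", src=BB, dst=LAN + "5", icmp="echo-reply"),
    "UDP echo to broadcast": dict(proto="udp", src=BB, dst=LAN + "255", sport=40000, dport=7),
    "echo to a /25 broadcast": dict(proto="icmp", src=BB, dst=LAN + "127", icmp="echo"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:28} -> line {evaluate(pkt)[0]} {evaluate(pkt)[1]}")
```

The last sample shows that the first four lines only cover subnets whose network and broadcast addresses end in .0 and .255; a directed broadcast to a smaller subnet falls through to the final permit.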