From: Peter Plak (plukkie@gmail.com)
Date: Sun Aug 20 2006 - 14:27:36 ART
Hi Aziz,
I have also spent a lot of time on this task. I found a link which explains
smurf / fraggle and protection against them best so far.
http://www.windowsecurity.com/whitepaper/Characterizing_and_Tracing_Packet_Floods_Using_Cisco_Routers.html
If I look at your list, I would say, almost there. What in my opinion is
missing is the udp source eq echo.
I would replace the udp lines with any any. Because udp echo is rarely used
nowadays, it's likely that you will have many hits compared to icmp.
So, I think the full list will then be:
deny icmp any 0.0.0.255 255.255.255.0 echo
deny icmp any 0.0.0.0 255.255.255.0 echo
deny icmp any 0.0.0.255 255.255.255.0 echo-reply
deny icmp any 0.0.0.0 255.255.255.0 echo-reply
deny udp any any eq echo
deny udp any eq echo any
permit ip any any
What do you think?
On 8/20/06, Aamir Aziz <aamiraz77@gmail.com> wrote:
>
> Hi there ppl
>
> I just wanted to clear something, if the task says that a certain router is
> experiencing an attack via ICMP and UDP flooding, does it mean SMURF ATTACK?
> And would the following ACL work to mitigate this flooding issue?
>
> deny icmp any 0.0.0.255 255.255.255.0 echo
> deny icmp any 0.0.0.0 255.255.255.0 echo
> deny icmp any 0.0.0.255 255.255.255.0 echo-reply
> deny icmp any 0.0.0.0 255.255.255.0 echo-reply
> deny udp any 0.0.0.255 255.255.255.0 echo
> deny udp any 0.0.0.0 255.255.255.0 echo
> permit ip any any
>
> Thanks
> Aamir
>
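As an added illustration (not part of either message above), here is a small Python model of how IOS would evaluate the list Peter proposes: it implements Cisco wildcard-mask matching and first-match semantics, then runs constructed sample packets through the list to show that directed-broadcast pings and UDP echo are dropped while ordinary pings and other UDP traffic still pass. It assumes a simplified ACE grammar covering only the keywords used in this list; the addresses and packets are constructed.

```python
import ipaddress
# Constructed ACL, transcribed from the list proposed in the message above ("udp" spelled out).
ACL = ["deny icmp any 0.0.0.255 255.255.255.0 echo",
       "deny icmp any 0.0.0.0 255.255.255.0 echo",
       "deny icmp any 0.0.0.255 255.255.255.0 echo-reply",
       "deny icmp any 0.0.0.0 255.255.255.0 echo-reply",
       "deny udp any any eq echo",
       "deny udp any eq echo any",
       "permit ip any any"]
ICMP_TYPES = {"echo": 8, "echo-reply": 0}  # IOS keyword -> ICMP type number
PORT_NAMES = {"echo": 7}                    # IOS keyword -> UDP port number

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard: a 1 bit means "don't care", so 0.0.0.255 255.255.255.0 matches any x.x.x.255
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr(t, i):  # consume "any" or "address wildcard"; return (predicate, next index)
    if t[i] == "any":
        return (lambda a: True), i + 1
    base, wc = t[i], t[i + 1]
    return (lambda a: wildcard_match(a, base, wc)), i + 2

def _port(t, i):  # consume an optional "eq <port>"; return (port or None, next index)
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):  # grammar handled here: action proto src [eq p] dst [eq p] [icmp-type]
    t = line.split()
    ace = {"action": t[0], "proto": t[1]}
    ace["src"], i = _addr(t, 2)
    ace["sport"], i = _port(t, i)
    ace["dst"], i = _addr(t, i)
    ace["dport"], i = _port(t, i)
    ace["icmp_type"] = ICMP_TYPES[t[i]] if i < len(t) else None
    return ace

def matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]) or not (ace["src"](pkt["src"]) and ace["dst"](pkt["dst"])):
        return False
    return all(ace[k] is None or pkt.get(k) == ace[k] for k in ("sport", "dport", "icmp_type"))

def evaluate(acl, pkt):  # first matching ACE wins; IOS ends every ACL with an implicit deny
    return next((ace["action"] for ace in map(parse_ace, acl) if matches(ace, pkt)), "deny")

# Constructed sample traffic arriving inbound on the router interface
SAMPLES = {
    "directed-broadcast ping": {"proto": "icmp", "src": "198.51.100.9", "dst": "10.1.1.255", "icmp_type": 8},
    "ordinary ping":           {"proto": "icmp", "src": "198.51.100.9", "dst": "10.1.1.7", "icmp_type": 8},
    "udp echo to one host":    {"proto": "udp", "src": "198.51.100.9", "dst": "10.1.1.7", "sport": 40000, "dport": 7},
    "dns query":               {"proto": "udp", "src": "198.51.100.9", "dst": "10.1.1.53", "sport": 40000, "dport": 53},
}
def run_samples(acl=ACL):
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}
```

Note that "udp echo to one host" is denied only because of the `any any eq echo` form; with Aamir's broadcast-only UDP lines that packet would have fallen through to `permit ip any any`.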
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:57 ART