Re: ICMP Flooding vs SMURF Attack

From: Aamir Aziz (aamiraz77@gmail.com)
Date: Sun Aug 20 2006 - 17:39:11 ART


Yes, I agree with you that the UDP source is missing here, but the question
is what is most suitable, or let's say what is required in the lab. How about
if we go for something like this:

deny icmp any 0.0.0.255 255.255.255.0 echo
deny icmp any 0.0.0.0 255.255.255.0 echo
deny icmp any 0.0.0.255 255.255.255.0 echo-reply
deny icmp any 0.0.0.0 255.255.255.0 echo-reply
deny udp any 0.0.0.255 255.255.255.0 eq echo
deny udp 0.0.0.255 255.255.255.0 eq echo any
deny udp any 0.0.0.0 255.255.255.0 eq echo
deny udp 0.0.0.0 255.255.255.0 eq echo any
permit ip any any

Does this one make any sense?

Thanks
Aamir


On 8/20/06, Peter Plak <plukkie@gmail.com> wrote:
>
> Hi Aziz,
>
> I have also spent a lot of time on this task. I found a link which gives
> the best explanation of smurf / fraggle and protection so far.
> http://www.windowsecurity.com/whitepaper/Characterizing_and_Tracing_Packet_Floods_Using_Cisco_Routers.html
>
>
> If I look at your list, I would say, almost there. What in my opinion
> is missing is the udp source eq echo.
> I would replace the udp lines with any any. Because udp echo is rarely used
> nowadays, it's likely that you will have many hits compared to icmp.
>
> So, I think the list totally will be then:
> deny icmp any 0.0.0.255 255.255.255.0 echo
> deny icmp any 0.0.0.0 255.255.255.0 echo
> deny icmp any 0.0.0.255 255.255.255.0 echo-reply
> deny icmp any 0.0.0.0 255.255.255.0 echo-reply
> deny udp any any eq echo
> deny udp any eq echo any
> permit ip any any
>
> What do you think?
>
>
> On 8/20/06, Aamir Aziz <aamiraz77@gmail.com> wrote:
>
> Hi there ppl
>
> I just wanted to clear something up: if the task says that a certain router is
> experiencing an attack via ICMP and UDP flooding, does it mean a SMURF ATTACK?
> And would the following ACL work to mitigate this flooding issue?
>
> deny icmp any 0.0.0.255 255.255.255.0 echo
> deny icmp any 0.0.0.0 255.255.255.0 echo
> deny icmp any 0.0.0.255 255.255.255.0 echo-reply
> deny icmp any 0.0.0.0 255.255.255.0 echo-reply
> deny udp any 0.0.0.255 255.255.255.0 echo
> deny udp any 0.0.0.0 255.255.255.0 echo
> permit ip any any
>
> Thanks
> Aamir
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
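Added example, not part of the thread and not IOS code: a small Python matcher that implements the Cisco wildcard-mask and `eq` port semantics used in the lists above, then runs Aamir's second list and Peter's list against constructed sample packets (a smurf trigger to a directed broadcast, a fraggle trigger, the UDP echo server's reply back to the victim, and two ordinary flows). The addresses, ports and packet descriptions are invented for illustration; the ACL lines are the ones from the thread. The point it makes visible is Peter's: without a "source eq echo" entry the reflected UDP echo traffic is permitted, whereas with `deny udp any eq echo any` it is dropped.

```python
"""Simulate how the two candidate ACLs from the thread classify sample packets.

Constructed example: a minimal Cisco-style ACL matcher covering only the
syntax used in the thread (any / host / base+wildcard, 'eq <port>',
ICMP type keywords). It is not IOS and ignores every other ACL feature.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PORT_NAMES = {"echo": 7}                   # UDP port keyword used in the thread
ICMP_TYPES = {"echo": 8, "echo-reply": 0}  # ICMP type keywords used in the thread


@dataclass
class Packet:
    """Constructed packet summary: sport/dport for UDP, icmp_type for ICMP."""
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((base, wildcard), next)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' qualifier; return (port or None, next)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line: str) -> dict:
    """Parse one access-list entry written the way the thread writes them."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    icmp_type = None
    if proto == "icmp" and i < len(t):
        icmp_type = ICMP_TYPES[t[i]]
        i += 1
    if i != len(t):  # e.g. 'udp ... echo' without 'eq' is a syntax error in IOS too
        raise ValueError(f"unparsed tokens in ACE: {line!r}")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "icmp_type": icmp_type}


def ace_matches(ace: dict, pkt: Packet) -> bool:
    """True if every qualifier present in the entry matches the packet."""
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace["src"]) or not wildcard_match(pkt.dst, *ace["dst"]):
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    if ace["icmp_type"] is not None and pkt.icmp_type != ace["icmp_type"]:
        return False
    return True


def evaluate(acl, pkt: Packet):
    """First-match evaluation; the implicit deny at the end returns index None."""
    for idx, line in enumerate(acl):
        if ace_matches(parse_ace(line), pkt):
            return line.split()[0], idx
    return "deny", None


# The two lists from the thread (Peter's with 'upd' corrected to 'udp').
AAMIR_ACL = [
    "deny icmp any 0.0.0.255 255.255.255.0 echo",
    "deny icmp any 0.0.0.0 255.255.255.0 echo",
    "deny icmp any 0.0.0.255 255.255.255.0 echo-reply",
    "deny icmp any 0.0.0.0 255.255.255.0 echo-reply",
    "deny udp any 0.0.0.255 255.255.255.0 eq echo",
    "deny udp 0.0.0.255 255.255.255.0 eq echo any",
    "deny udp any 0.0.0.0 255.255.255.0 eq echo",
    "deny udp 0.0.0.0 255.255.255.0 eq echo any",
    "permit ip any any",
]
PETER_ACL = [
    "deny icmp any 0.0.0.255 255.255.255.0 echo",
    "deny icmp any 0.0.0.0 255.255.255.0 echo",
    "deny icmp any 0.0.0.255 255.255.255.0 echo-reply",
    "deny icmp any 0.0.0.0 255.255.255.0 echo-reply",
    "deny udp any any eq echo",
    "deny udp any eq echo any",
    "permit ip any any",
]

# Constructed sample traffic; 10.1.1.5 plays the spoofed victim, 192.168.10.0/24 the amplifier LAN.
SAMPLE_PACKETS = {
    "smurf trigger: ICMP echo to directed broadcast": Packet("icmp", "10.1.1.5", "192.168.10.255", icmp_type=8),
    "fraggle trigger: UDP to port 7 on directed broadcast": Packet("udp", "10.1.1.5", "192.168.10.255", sport=40000, dport=7),
    "fraggle reflection: echo server replying to victim": Packet("udp", "192.168.10.7", "10.1.1.5", sport=7, dport=40000),
    "ordinary ping to one host": Packet("icmp", "10.1.1.5", "192.168.10.7", icmp_type=8),
    "ordinary DNS query": Packet("udp", "10.1.1.5", "192.168.10.53", sport=50000, dport=53),
}


def compare(acls: dict, packets: dict) -> dict:
    """Verdict of each ACL for each packet, keyed by packet description."""
    return {name: {acl_name: evaluate(acl, pkt)[0] for acl_name, acl in acls.items()}
            for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdicts in compare({"Aamir": AAMIR_ACL, "Peter": PETER_ACL}, SAMPLE_PACKETS).items():
        print(f"{name:55} " + "  ".join(f"{k}: {v}" for k, v in verdicts.items()))
```

Running it shows both lists dropping the two triggers and permitting the ordinary flows, while only Peter's list drops the reflected UDP echo replies. A caveat worth keeping in mind: the wildcard entries only catch destinations whose last octet is .255 or .0, i.e. /24 broadcast addresses; disabling `ip directed-broadcast` on the LAN interfaces stops the amplification regardless of the subnet mask.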



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:57 ART