Re: ICMP Flooding vs SMURF Attack

From: Peter Plak (plukkie@gmail.com)
Date: Sun Aug 20 2006 - 18:46:41 ART


Is it possible to have UDP with source echo, sourced from the network (x.x.x.0) or broadcast (x.x.x.255)?
The source UDP echo is probably from the reflector, so it's replied to the destination network or broadcast, I would presume.

Then I would say for the udp streams it's:

deny udp any 0.0.0.255 255.255.255.0 eq echo
deny udp any 0.0.0.0 255.255.255.0 eq echo
deny udp any eq echo 0.0.0.255 255.255.255.0
deny udp any eq echo 0.0.0.0 255.255.255.0

gr
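To check what the ACL lines discussed in this thread actually match, here is a small evaluator written for this page (it is not from any poster or from Cisco IOS). It implements Cisco wildcard-mask semantics and first-match evaluation; the rule set mirrors Peter's proposed list, with UDP echo assumed to be port 7 and the test addresses constructed from documentation ranges.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    # Cisco wildcard mask: 1 bits are "don't care", 0 bits must match exactly
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def match_addr(addr, spec):
    # spec is "any" or a (base, wildcard) tuple as written in the ACL
    return spec == "any" or wc_match(addr, *spec)

def match_port(port, spec):
    # spec is None (no port clause) or an exact port number ("eq <port>")
    return spec is None or port == spec

def rule(action, proto, src="any", dst="any", sport=None, dport=None, icmp=None):
    return dict(action=action, proto=proto, src=src, dst=dst,
                sport=sport, dport=dport, icmp=icmp)

def packet(proto, src, dst, sport=None, dport=None, icmp=None):
    # Minimal packet model: only the fields the ACL can inspect
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, icmp=icmp)

def evaluate(rules, pkt):
    """Return the action of the first matching rule; implicit deny if none match."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (match_addr(pkt["src"], r["src"]) and match_addr(pkt["dst"], r["dst"])):
            continue
        if r["proto"] == "udp" and not (match_port(pkt["sport"], r["sport"])
                                        and match_port(pkt["dport"], r["dport"])):
            continue
        if r["proto"] == "icmp" and r["icmp"] is not None and r["icmp"] != pkt["icmp"]:
            continue
        return r["action"]
    return "deny"

ECHO = 7                                  # assumed: "eq echo" is UDP port 7
BCAST = ("0.0.0.255", "255.255.255.0")    # any address ending in .255
NET = ("0.0.0.0", "255.255.255.0")        # any address ending in .0

# Peter's proposed list from the thread, encoded rule by rule
ACL = [
    rule("deny", "icmp", dst=BCAST, icmp="echo"),
    rule("deny", "icmp", dst=NET, icmp="echo"),
    rule("deny", "icmp", dst=BCAST, icmp="echo-reply"),
    rule("deny", "icmp", dst=NET, icmp="echo-reply"),
    rule("deny", "udp", dport=ECHO),
    rule("deny", "udp", sport=ECHO),
    rule("permit", "ip"),
]
```

Running `evaluate(ACL, packet("icmp", "192.0.2.10", "198.51.100.255", icmp="echo"))` returns "deny", while the same echo to a host address such as 198.51.100.7 is permitted.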

On 8/20/06, Aamir Aziz <aamiraz77@gmail.com> wrote:
>
> Yes, I agree with you that the UDP source is missing here, but the
> question is what is most suitable, or let's say what is required in the lab.
> How about if we go for something like this:
>
> deny icmp any 0.0.0.255 255.255.255.0 echo
> deny icmp any 0.0.0.0 255.255.255.0 echo
> deny icmp any 0.0.0.255 255.255.255.0 echo-reply
> deny icmp any 0.0.0.0 255.255.255.0 echo-reply
> deny udp any 0.0.0.255 255.255.255.0 eq echo
> deny udp 0.0.0.255 255.255.255.0 eq echo any
> deny udp any 0.0.0.0 255.255.255.0 eq echo
> deny udp 0.0.0.0 255.255.255.0 eq echo any
> permit ip any any
>
> Does this one make any sense?
>
> Thanks
> Aamir
>
>
>
> On 8/20/06, Peter Plak <plukkie@gmail.com> wrote:
> >
> > Hi Aziz,
> >
> > I have also spent a lot of time on this task. I found a link which gives
> > the best explanation of smurf / fraggle and protection so far.
> > http://www.windowsecurity.com/whitepaper/Characterizing_and_Tracing_Packet_Floods_Using_Cisco_Routers.html
> >
> > If I look at your list, I would say, almost there. What in my opinion
> > is missing is the udp source eq echo.
> > I would replace the udp lines with any any. Because udp echo is rarely
> > used nowadays, it's likely that you will have many hits compared to icmp.
> >
> > So, I think the full list will then be:
> > deny icmp any 0.0.0.255 255.255.255.0 echo
> > deny icmp any 0.0.0.0 255.255.255.0 echo
> > deny icmp any 0.0.0.255 255.255.255.0 echo-reply
> > deny icmp any 0.0.0.0 255.255.255.0 echo-reply
> > deny udp any any eq echo
> > deny udp any eq echo any
> > permit ip any any
> >
> > What do you think?
> >
> >
> > On 8/20/06, Aamir Aziz <aamiraz77@gmail.com> wrote:
> >
> > Hi there ppl
> >
> > I just wanted to clear something up: if the task says that a certain router
> > is experiencing an attack via ICMP and UDP flooding, does it mean a SMURF ATTACK?
> >
> > and would the following ACL work to mitigate this flooding issue?
> >
> > deny icmp any 0.0.0.255 255.255.255.0 echo
> > deny icmp any 0.0.0.0 255.255.255.0 echo
> > deny icmp any 0.0.0.255 255.255.255.0 echo-reply
> > deny icmp any 0.0.0.0 255.255.255.0 echo-reply
> > deny udp any 0.0.0.255 255.255.255.0 echo
> > deny udp any 0.0.0.0 255.255.255.0 echo
> > permit ip any any
> >
> > Thanks
> > Aamir
> >



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:57 ART