RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Tue Aug 22 2006 - 15:32:26 ART


        A smurf attack is when a host sends ICMP echoes to a directed
broadcast address with a spoofed source. All devices accepting ICMP on
the target network reply with ICMP echo-reply back to the spoofed
source. The spoofed source is the victim of the attack. To avoid this
attack you can either filter ICMP echo, echo-reply, or disable directed
broadcast. In newer IOS versions directed broadcast is disabled by
default.

        A fraggle attack is the same as a smurf attack except it uses
UDP echo instead of ICMP echo. Disabling directed broadcast will
prevent this attack as well.

        The original question is very nondescript with the notion that a
"router is experiencing attack via ICMP and UDP flooding". Depending on
what specific type of traffic it is there are a variety of options. You
could filter ICMP and UDP altogether, disable UDP small services like
echo (which by default should be off), you could rate limit or police
the traffic, you could disable ip unreachable, ip mask-reply... etc. So
if this were an exam question you would ultimately have to get more
clarification on what an "ICMP and UDP flooding" attack actually means.

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Chris Broadway
> Sent: Tuesday, August 22, 2006 10:21 AM
> To: Peter Plak
> Cc: Victor Cappuccio; Dusty; David Redfern (AU); Aamir Aziz;
> ccielab@groupstudy.com
> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
> Group,
>
> Can we get the "Brians" and/or Scott to give us their opinion on the
> definitive ACL to log smurf, fraggle, and TCP syn attacks? I think everyone
> has an opinion but have not heard from the ones I consider to be the most
> trusted sources.
>
> -Broadway
>
>
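
Added example, not part of the original thread: a small Python classifier that applies the smurf and fraggle definitions given in the reply above to packet records, flagging ICMP echo or UDP echo (port 7) sent to a subnet's directed broadcast address. The subnets, addresses, record layout and function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample: subnets attached to the router (assumed values).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.64/26")]

ICMP_ECHO = 8       # ICMP type for echo request
UDP_ECHO_PORT = 7   # UDP echo small service

def directed_broadcast(dst, nets=LOCAL_NETS):
    """Return the subnet whose directed broadcast address equals dst, else None."""
    addr = ipaddress.ip_address(dst)
    for net in nets:
        # /31 and /32 prefixes have no usable broadcast address, so skip them.
        if net.prefixlen < 31 and addr == net.broadcast_address:
            return net
    return None

def classify(pkt, nets=LOCAL_NETS):
    """Label one packet record as 'smurf', 'fraggle' or None."""
    if directed_broadcast(pkt["dst"], nets) is None:
        return None
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO:
        return "smurf"
    if pkt["proto"] == "udp" and pkt.get("dport") == UDP_ECHO_PORT:
        return "fraggle"
    return None

def summarize(packets, nets=LOCAL_NETS):
    """Count hits per (label, claimed source); the claimed source is the
    spoofed address, i.e. the host that would receive the replies."""
    hits = {}
    for pkt in packets:
        label = classify(pkt, nets)
        if label:
            key = (label, pkt["src"])
            hits[key] = hits.get(key, 0) + 1
    return hits

# Constructed packet records (documentation address ranges).
SAMPLE = [
    {"src": "203.0.113.9", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8},
    {"src": "203.0.113.9", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8},
    {"src": "203.0.113.9", "dst": "198.51.100.127", "proto": "udp", "dport": 7},
    {"src": "203.0.113.50", "dst": "192.0.2.10", "proto": "icmp", "icmp_type": 8},
    {"src": "203.0.113.50", "dst": "192.0.2.255", "proto": "udp", "dport": 53},
]

if __name__ == "__main__":
    for (label, victim), n in sorted(summarize(SAMPLE).items()):
        print(f"{label}: {n} packet(s), replies would go to {victim}")
```

The /26 case shows why matching on a trailing .255 is not enough: the directed broadcast address depends on the prefix length of each attached subnet.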



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:58 ART