Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT

From: Aamir Aziz (aamiraz77@gmail.com)
Date: Wed Aug 23 2006 - 11:08:45 ART


Dear Mr. Brian & Mr. Scott,

Thank you for the valuable input, I think it was really helpful, but let's
say in the exam if they clearly mention that it is a SMURF/Fraggle attack
and we need to stop it using ACL, then in your expert opinion what ACL should
we use on the router?

Thanks
Aamir

On 8/22/06, Scott Morris <swm@emanon.com> wrote:
>
> Well, look at the two attacks and what they are first.
>
> Smurf is an ICMP-based attack. Typically the echo-request packets are sent
> TO the subnet-broadcast address. This is simply stopped (and by default)
> with "no ip directed-broadcast" on a LAN. Or you can filter on an edge
> router closer to the Internet link using an extended ACL.
>
> Being that most Smurf attacks are also from spoofed addresses, "ip verify
> unicast reverse-path" or "ip verify unicast source reachable-via any" could
> help. (<--RFC 2267) You could also rate-limit the information, but this
> isn't the best solution!
>
> Fraggle is the same type of attack, except that it involves UDP packets
> instead of ICMP ones. Typically it's directed at common unix-based echo
> ports (7, 13, 17, 19). So the same methods will protect you.
>
> For TCP SYN attacks, that usually involves a bunch of embryonic (half-open)
> connections going on. Short of your router(s) monitoring the number of
> initial TCP open requests that come in, there's not many good ways to do
> this! Firewalls (including CBAC) are certainly the best ways, but not on
> the R&S exam!!!
>
> You may have TCP Intercept on your exam covered by some of the more generic
> security features listed on the Blueprint! Look in the same security
> command reference where the RPF information is at, and you'll see "ip tcp
> intercept" for some information on that.
>
> While you could rate-limit with an ACL matching "tcp any any syn", like
> many things, which one you choose as your solution may depend on the
> requirements of the lab!
>
> Just my thoughts...
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> #153, CISSP, et al.
> CCSI/JNCI-M/JNCI-J
> IPExpert VP - Curriculum Development
> IPExpert Sr. Technical Instructor
> smorris@ipexpert.com
> http://www.ipexpert.com
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Chris Broadway
> Sent: Tuesday, August 22, 2006 11:21 AM
> To: Peter Plak
> Cc: Victor Cappuccio; Dusty; David Redfern (AU); Aamir Aziz;
> ccielab@groupstudy.com
> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
> Group,
>
> Can we get the "Brians" and/or Scott to give us their opinion on the
> definitive ACL to log smurf, fraggle, and TCP syn attacks? I think everyone
> has an opinion but have not heard from the ones I consider to be the most
> trusted sources.
>
> -Broadway
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:58 ART
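The pieces Scott lists (directed-broadcast off, uRPF, an edge ACL with logging, TCP Intercept and a SYN policer) assembled into one IOS configuration, as an added example that is not part of the thread above. The interface names, the inside prefix 192.0.2.0/24 (a documentation range) and the CAR rate values are assumptions.

```cisco
! Assumed topology: Serial0/0 faces the Internet, FastEthernet0/0 is the
! inside LAN 192.0.2.0/24 (documentation prefix, substitute your own).
ip cef
!
! Extended ACL for the Internet-facing interface. Each deny logs hits so the
! broadcast-directed probes show up in "show logging" / "show access-lists".
ip access-list extended EDGE-IN
 remark Smurf: ICMP echo aimed at our subnet-broadcast address
 deny   icmp any host 192.0.2.255 echo log
 remark Fraggle: UDP to echo/daytime/qotd/chargen on the broadcast address
 deny   udp any host 192.0.2.255 eq 7 log
 deny   udp any host 192.0.2.255 eq 13 log
 deny   udp any host 192.0.2.255 eq 17 log
 deny   udp any host 192.0.2.255 eq 19 log
 remark Anti-spoofing (RFC 2267): our own prefix never arrives from outside
 deny   ip 192.0.2.0 0.0.0.255 any log
 permit ip any any
!
! TCP Intercept: the router completes the three-way handshake on behalf of
! hosts in our prefix, so half-open (embryonic) connections from a SYN flood
! never reach the servers themselves.
access-list 120 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 120
ip tcp intercept mode intercept
!
! Optional CAR policer for SYNs, the "tcp any any syn" rate-limit mentioned
! in the thread; 64 kbps with 8000-byte bursts is a constructed value.
access-list 150 permit tcp any any syn
!
interface Serial0/0
 description Internet uplink
 ip access-group EDGE-IN in
 ! Strict uRPF (reachable-via rx) is safe on a single-homed link; use
 ! "reachable-via any" where return paths may be asymmetric.
 ip verify unicast source reachable-via rx
 rate-limit input access-group 150 64000 8000 8000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 description Inside LAN 192.0.2.0/24
 ! Default since IOS 12.0, but stated explicitly: do not forward directed
 ! broadcasts onto the wire, so this subnet cannot act as an amplifier.
 no ip directed-broadcast
```

This keeps the subnet from acting as a Smurf/Fraggle amplifier and logs the broadcast-directed probes; the flood of echo-replies that the spoofed victim of a Smurf attack receives is a separate case the thread does not cover.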