From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Wed Aug 23 2006 - 12:09:52 ART
Like I said there are a number of ways. Assuming the sources
are spoofed you can either use a mechanism like uRPF to drop the traffic
based on the routing lookup, or you can filter out traffic originated
from your own address space at your network edge. You could also filter
out ICMP echo, echo-reply, and UDP echo, or disable ip
directed-broadcast (which should be off by default anyways). You could
also shape or police the traffic to a rate at which DoS is not possible.
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Aamir Aziz
> Sent: Wednesday, August 23, 2006 9:09 AM
> To: swm@emanon.com
> Cc: Chris Broadway; Peter Plak; Victor Cappuccio; Dusty; David Redfern
> (AU); ccielab@groupstudy.com
> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
> Dear Mr. Brian & Mr. Scott,
>
> Thank you for the valuable input, I think it was really helpful but let's
> say in the exam if they clearly mention that it is a SMURF/Fraggle attack
> and we need to stop it using ACL then in your expert opinion what ACL should
> we use on the router?
>
> Thanks
> Aamir
>
>
> On 8/22/06, Scott Morris <swm@emanon.com> wrote:
> >
> > Well, look at the two attacks and what they are first.
> >
> > Smurf is an ICMP-based attack. Typically the echo-request packets are sent
> > TO the subnet-broadcast address. This is simply stopped (and by default)
> > with "no ip directed-broadcast" on a LAN. Or you can filter on an edge
> > router closer to the Internet link using an extended ACL.
> >
> > Being that most Smurf attacks are also from spoofed addresses, "ip verify
> > unicast reverse-path" or "ip verify unicast source reachable via any" could
> > help. (<--RFC 2267) You could also rate-limit the information, but this
> > isn't the best solution!
> >
> > Fraggle is the same type of attack, except that it involves UDP packets
> > instead of ICMP ones. Typically it's directed at common unix-based echo
> > ports (7, 13, 17, 19). So the same methods will protect you.
> >
> > For TCP SYN attacks, that usually involves a bunch of embryonic (half-open)
> > connections going on. Short of your router(s) monitoring the number of
> > initial TCP open requests that come in, there's not many good ways to do
> > this! Firewalls (including CBAC) are certainly the best ways, but not on
> > the R&S exam!!!
> >
> > You may have TCP Intercept on your exam covered by some of the more generic
> > security features listed on the Blueprint! Look in the same security
> > command reference where the RPF information is at, and you'll see "ip tcp
> > intercept" for some information on that.
> >
> > While you could rate-limit with an acl matching "tcp any any syn". Like
> > many things which thing you choose as your solution may depend on
> > requirements of the lab!
> >
> > Just my thoughts...
> >
> >
> > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> > #153, CISSP, et al.
> > CCSI/JNCI-M/JNCI-J
> > IPExpert VP - Curriculum Development
> > IPExpert Sr. Technical Instructor
> > smorris@ipexpert.com
> > http://www.ipexpert.com
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Chris Broadway
> > Sent: Tuesday, August 22, 2006 11:21 AM
> > To: Peter Plak
> > Cc: Victor Cappuccio; Dusty; David Redfern (AU); Aamir Aziz;
> > ccielab@groupstudy.com
> > Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
> >
> > Group,
> >
> > Can we get the "Brians" and/or Scott to give us their opinion on the
> > definitive ACL to log smurf, fraggle, and TCP syn attacks? I think everyone
> > has an opinion but have not heard from the ones I consider to be the most
> > trusted sources.
> >
> > -Broadway
> >
> >
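The mitigations Brian and Scott describe above (uRPF, no directed broadcasts, an edge ACL that logs, TCP Intercept, and CAR on SYNs) collected into one Cisco IOS configuration as an added example; it is not from either of them or from the original thread. The interface names, the internal prefix 192.0.2.0/24 and the ACL numbers are assumed placeholders, and the rate-limit figures are illustrative only.

```cisco
! Added example: edge-router mitigations for smurf / fraggle / SYN floods.
! Assumptions: Serial0/0 faces the ISP, FastEthernet0/0 is the LAN, and
! 192.0.2.0/24 (a documentation prefix) stands in for the internal space.
!
! 1. Drop spoofed sources by routing lookup (uRPF, the RFC 2267 idea).
!    Strict mode (rx) fits a single-homed edge; use "reachable-via any"
!    (loose mode) where asymmetric routing would otherwise drop good traffic.
interface Serial0/0
 ip verify unicast source reachable-via rx
 ip access-group 120 in
 no ip directed-broadcast
!
! 2. Never act as an amplifier: no directed broadcasts onto the LAN
!    (the default on current IOS, stated explicitly here).
interface FastEthernet0/0
 no ip directed-broadcast
!
! 3. Edge ACL applied inbound from the Internet. "log" on the deny lines
!    gives the visibility asked for in the thread; on a busy box expect
!    the logging itself to cost CPU, so keep it on the few lines that matter.
access-list 120 remark Our own space arriving from outside is spoofed
access-list 120 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 120 remark Smurf: echo-request aimed at the broadcast/network address
access-list 120 deny   icmp any host 192.0.2.255 echo log
access-list 120 deny   icmp any host 192.0.2.0 echo log
access-list 120 remark Fraggle: UDP echo, daytime, qotd, chargen (7, 13, 17, 19)
access-list 120 deny   udp any 192.0.2.0 0.0.0.255 eq echo log
access-list 120 deny   udp any 192.0.2.0 0.0.0.255 eq daytime log
access-list 120 deny   udp any 192.0.2.0 0.0.0.255 eq 17 log
access-list 120 deny   udp any 192.0.2.0 0.0.0.255 eq chargen log
access-list 120 permit ip any any
!
! 4. TCP SYN floods: let TCP Intercept watch half-open connections toward
!    the internal hosts rather than filtering SYNs outright.
access-list 130 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 130
ip tcp intercept mode watch
!
! 5. Alternative from the thread: police inbound SYNs with CAR so a flood
!    cannot exhaust the hosts (64 kbps with 8000-byte bursts, illustrative).
access-list 121 permit tcp any any syn
interface Serial0/0
 rate-limit input access-group 121 64000 8000 8000 conform-action transmit exceed-action drop
```

The ACL alone does not stop a spoofed flood whose sources lie outside the internal prefix; that is what the uRPF check on the uplink is for, and the two belong together.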
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:58 ART