Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT

From: Dusty (dustygoody@gmail.com)
Date: Wed Aug 23 2006 - 19:14:10 ART


You should carefully think of the best solution for the question. Here is
the CCO link for Document ID: 13609 for further reading. It is a very good
source for understanding DoS attacks.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml

Dusty

On 8/23/06, Scott Morris <swm@emanon.com> wrote:
>
> I'll stick with the answer of "it depends" :)
>
> In your first one, you are assuming that all links are /24. Which may be
> true, but you'll have to look at your topology to assess that!
> In the second one, it certainly blocks it all, which again may or may not
> be what you want to accomplish.
>
> There is NO SINGLE answer!
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> #153, CISSP, et al.
> CCSI/JNCI-M/JNCI-J
> IPExpert VP - Curriculum Development
> IPExpert Sr. Technical Instructor
> smorris@ipexpert.com
> http://www.ipexpert.com
>
>
> ------------------------------
> From: Aamir Aziz [mailto:aamiraz77@gmail.com]
> Sent: Wednesday, August 23, 2006 3:11 PM
> To: David Mitchell
> Cc: Scott Morris; Chris Broadway; Peter Plak; Victor Cappuccio; Dusty;
> David Redfern (AU); ccielab@groupstudy.com
>
> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
>
> Hi all
>
> Many thanks for all the replies. OK, so if I build the following ACL
> (let's say on the edge router) to protect myself from being the REFLECTOR and
> the VICTIM for a SMURF/Fraggle attack, would this work:
>
> deny icmp any 0.0.0.255 255.255.255.0 echo
> deny icmp any 0.0.0.0 255.255.255.0 echo
> deny icmp any 0.0.0.255 255.255.255.0 echo-reply
> deny icmp any 0.0.0.0 255.255.255.0 echo-reply
> deny udp any any eq echo
> deny udp any eq echo any
> permit ip any any
>
> or this one (from
> http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml#topic3
> )
>
> deny icmp any any echo
> deny icmp any any echo-reply
> deny udp any any eq echo
> deny udp any eq echo any
> permit ip any any
>
> Which of them would work? If both, then which is appropriate for the CCIE
> lab; if neither, then what is missing here?
>
> Many thanks
> Aamir
>
>
>
> On 8/23/06, David Mitchell <david.mitchell@centientnetworks.com> wrote:
> >
> > If my understanding of Smurf attacks is correct, your strategy would
> > succeed in stopping you from being the REFLECTOR, but not the VICTIM.
> >
> > If you are the VICTIM of a Smurf attack, the packets you will be seeing
> > will be unicast icmp echo-reply packets sourced from the REFLECTOR to
> > your address. This would be because the attacker spoofed your address
> > range and sent the icmp echo-requests to the reflector's broadcast
> > address, resulting in the reflector responding with the echo-replies to
> > your addresses.
> >
> > If my understanding is correct, you would need to filter out icmp
> > echo-reply packets on the edge to stop this.
> >
> > Hopefully I understand this properly. So far I'm a two-time Security
> > lab failure!!
> >
> > - Dave
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Scott Morris
> > Sent: Wednesday, August 23, 2006 12:17 PM
> > To: 'Aamir Aziz'
> > Cc: 'Chris Broadway'; 'Peter Plak'; 'Victor Cappuccio'; 'Dusty'; 'David
> > Redfern (AU)'; ccielab@groupstudy.com
> > Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
> >
> > If you are looking to stop an attack TO a router, I'd use:
> >
> > no ip directed-broadcast (on each interface)
> > no service udp-small-servers (which will shut down those udp ports)
> >
> > I believe both may be defaults now (Cisco is occasionally nice).
> >
> > If you have to filter on an edge, which makes more sense, I believe both
> > Brian and I have offered multiple methods of accomplishing this. One is
> > not necessarily better than another. Below, I lay out the port numbers
> > for you, so build an ACL matching each of those in udp as well as ICMP
> > echo coming in.
> >
> > Building the ACL shouldn't be a difficult exercise as you know the
> > information below. In the middle of your exam (IMHO) you won't be
> > required to memorize the multiple ports that a Fraggle attack may go
> > after unless it is mentioned someplace on the DocCD. So build away!
> > Come up with one and let's see what you got!
> >
> >
> > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> > JNCIE #153, CISSP, et al.
> > CCSI/JNCI-M/JNCI-J
> > IPExpert VP - Curriculum Development
> > IPExpert Sr. Technical Instructor
> > smorris@ipexpert.com
> > http://www.ipexpert.com
> >
> >
> > _____
> >
> > From: Aamir Aziz [mailto:aamiraz77@gmail.com]
> > Sent: Wednesday, August 23, 2006 10:09 AM
> > To: swm@emanon.com
> > Cc: Chris Broadway; Peter Plak; Victor Cappuccio; Dusty; David Redfern
> > (AU); ccielab@groupstudy.com
> > Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
> >
> >
> > Dear Mr. Brian & Mr. Scott,
> >
> > Thank you for the valuable input, I think it was really helpful, but
> > let's say in the exam they clearly mention that it is a SMURF/Fraggle
> > attack and we need to stop it using an ACL; then, in your expert opinion,
> > what ACL should we use on the router?
> >
> > Thanks
> > Aamir
> >
> >
> > On 8/22/06, Scott Morris <swm@emanon.com> wrote:
> >
> > Well, look at the two attacks and what they are first.
> >
> > Smurf is an ICMP-based attack. Typically the echo-request packets are
> > sent TO the subnet-broadcast address. This is simply stopped (and by
> > default) with "no ip directed-broadcast" on a LAN. Or you can filter on
> > an edge router closer to the Internet link using an extended ACL.
> >
> > Being that most Smurf attacks are also from spoofed addresses, "ip
> > verify unicast reverse-path" or "ip verify unicast source reachable via
> > any" could help. (<--RFC 2267) You could also rate-limit the
> > information, but this isn't the best solution!
> >
> > Fraggle is the same type of attack, except that it involves UDP packets
> > instead of ICMP ones. Typically it's directed at common unix-based echo
> > ports (7, 13, 17, 19). So the same methods will protect you.
> >
> > For TCP SYN attacks, that usually involves a bunch of embryonic
> > (half-open) connections going on. Short of your router(s) monitoring the
> > number of initial TCP open requests that come in, there's not many good
> > ways to do this! Firewalls (including CBAC) are certainly the best ways,
> > but not on the R&S exam!!!
> >
> > You may have TCP Intercept on your exam covered by some of the more
> > generic security features listed on the Blueprint! Look in the same
> > security command reference where the RPF information is at, and you'll
> > see "ip tcp intercept" for some information on that.
> >
> > While you could rate-limit with an ACL matching "tcp any any syn", like
> > many things, which one you choose as your solution may depend on the
> > requirements of the lab!
> >
> > Just my thoughts...
> >
> >
> > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> > JNCIE #153, CISSP, et al.
> > CCSI/JNCI-M/JNCI-J
> > IPExpert VP - Curriculum Development
> > IPExpert Sr. Technical Instructor
> > smorris@ipexpert.com
> > http://www.ipexpert.com
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Chris Broadway
> > Sent: Tuesday, August 22, 2006 11:21 AM
> > To: Peter Plak
> > Cc: Victor Cappuccio; Dusty; David Redfern (AU); Aamir Aziz;
> > ccielab@groupstudy.com
> > Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
> >
> > Group,
> >
> > Can we get the "Brians" and/or Scott to give us their opinion on the
> > definitive ACL to log smurf, fraggle, and TCP syn attacks? I think
> > everyone has an opinion but I have not heard from the ones I consider to
> > be the most trusted sources.
> >
> > -Broadway
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
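As an added example that is not part of the thread, the following Python model applies Cisco wildcard-mask matching to the two ACLs Aamir posted above and evaluates them against constructed packets (RFC 5737 and RFC 1918 addresses, not captured traffic). It assumes the ACL is applied inbound on the edge router and models only the fields those ACL lines actually test.

```python
import ipaddress
PORT_NAMES = {"echo": 7}  # the only service keyword these ACLs use
ACL_SUBNET_BCAST = [  # Aamir's first candidate: only .255 / .0 destinations
    "deny icmp any 0.0.0.255 255.255.255.0 echo", "deny icmp any 0.0.0.0 255.255.255.0 echo",
    "deny icmp any 0.0.0.255 255.255.255.0 echo-reply",
    "deny icmp any 0.0.0.0 255.255.255.0 echo-reply",
    "deny udp any any eq echo", "deny udp any eq echo any", "permit ip any any"]
ACL_ALL_ECHO = [  # Aamir's second candidate, from the Cisco tech note
    "deny icmp any any echo", "deny icmp any any echo-reply",
    "deny udp any any eq echo", "deny udp any eq echo any", "permit ip any any"]
# Constructed sample packets (RFC 5737 / RFC 1918 addresses, not captured traffic).
SAMPLES = {
    "smurf echo to /24 broadcast": dict(proto="icmp", src="203.0.113.10", dst="10.1.1.255", icmp_type="echo"),
    "smurf echo to /25 broadcast": dict(proto="icmp", src="203.0.113.10", dst="10.1.1.127", icmp_type="echo"),
    "reflected echo-reply to victim": dict(proto="icmp", src="10.1.1.5", dst="203.0.113.10", icmp_type="echo-reply"),
    "fraggle to udp/7": dict(proto="udp", src="203.0.113.10", dst="10.1.1.255", dport=7),
}
def wild_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr(t, i):  # 'any' or 'ADDR WILDCARD' -> (base, wildcard, next index)
    return ("0.0.0.0", "255.255.255.255", i + 1) if t[i] == "any" else (t[i], t[i + 1], i + 2)
def _port(t, i):  # optional 'eq PORT' -> (port number or None, next index)
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse 'action proto src [eq p] dst [eq p] [icmp-type]' into a tuple."""
    t = line.split()
    src, sw, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, dw, i = _addr(t, i)
    dport, i = _port(t, i)
    itype = t[i] if t[1] == "icmp" and i < len(t) else None
    return t[0], t[1], (src, sw), sport, (dst, dw), dport, itype

def ace_matches(ace, p):
    _, proto, src, sport, dst, dport, itype = ace
    return (proto in ("ip", p["proto"]) and wild_match(p["src"], *src)
            and wild_match(p["dst"], *dst) and (sport is None or p.get("sport") == sport)
            and (dport is None or p.get("dport") == dport)
            and (itype is None or p.get("icmp_type") == itype))

def verdict(acl, p):
    """First match wins; every Cisco ACL ends with an implicit deny."""
    return next((a[0] for a in map(parse_ace, acl) if ace_matches(a, p)), "deny")
```

Run over the samples, the first ACL permits an echo aimed at a /25 subnet broadcast (the /24 assumption Scott points out) and a unicast echo-reply reflected back to the victim (the case Dave describes), while the second ACL denies both; both deny the UDP port 7 Fraggle packet.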



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:58 ART