From: David Redfern \(AU\) (David.Redfern@didata.com.au)
Date: Thu Aug 24 2006 - 23:08:54 ART
Glad to share my thoughts! As crazy and wrong as they may be.
Making sure logging is turned on, my acl for this SPECIFIC question
applied inbound would be something like this.
Rack1R1#sh access-lists
Extended IP access list ICMPFLOOD_AND_SMURF
10 permit icmp any 0.0.0.0 255.255.255.0 echo log-input
20 permit icmp any 0.0.0.255 255.255.255.0 echo log-input
30 permit icmp any any echo-reply log-input
40 permit udp any 0.0.0.0 255.255.255.0 eq echo log-input
50 permit udp any 0.0.0.255 255.255.255.0 eq echo log-input
60 permit udp any eq echo any log-input
70 permit icmp any any log-input
80 permit ip any any
My thoughts are the following or each sequence number.
- 10 and 20 log smurf attacks to my network and subnet broadast
addresses using me as the reflector. Whilst I could have been more
specific with my acl subnet being 1.1.X.0 I don't thinks its necessary.
- 30 logs smurf attacks with my network as the end target (echo-replies)
that have come from a reflector network (anywhere) which have ANY
address in my network as the spoofed source. I don't know where they are
coming from and I don't know which host they are destined for so I must
use any. I see a lot of people include an echo-reply line destined for
the subnet and broadcast addresses which I don't understand as I don't
believe a smurf spoofed source will be this address, rather any address
inside my network. My any any echo-reply will catch all of these anyway.
I could include it but would it really assist!
-40 and 50. As this is for a nagle attack using me as the reflector and
not really a smurf I'm not sure its necessary, however will include it
just incase CISCO or the proctor classify a nagle as a smurf also. I see
almost everyone else includes this so didn't want to leave it out. I'd
ask the proctor whether he wants nagle attacks on this one also though.
-60 This is a nagle attack with me as the end target. Udp echo as the
source to any destination in my network.
-70 This will catch icmp floods to my network.
-80 Permit all else
I encourage criticism of this and alternate answers
-----Original Message-----
From: Scott Morris [mailto:swm@emanon.com]
Sent: Friday, 25 August 2006 2:09 AM
To: David Redfern (AU); ccielab@groupstudy.com
Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
And so.... In the great spirit of learning, should you not come up with
a proposed solution as well? That way we can all benefit from the
thinking through of things!!!
While I do appreciate being singled out for opinions, and I'm sure Brian
Dennis and Brian McGahan do as well, bear in mind that the answers to
any given question don't necessarily count as the only ones, not should
they be looked at as something to memorize and treat as THE right
answer.
When learning any topic, the discussion and the thinking through things
is often where the best learning comes from.
So what things do you have there... You aren't trying to kill the
traffic according to your scenario, you're simply trying to log it. So
what are the pieces (there will only be permits I'm guessing) involved?
And is logging already setup? :)
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
JNCIE #153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
David Redfern (AU)
Sent: Thursday, August 24, 2006 5:40 AM
To: ccielab@groupstudy.com
Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
Guys,
As i think we can all agree that the answer may vary depending on the
question and requirements, i suggest we pose a few different
hyptothetical sample questions to each other, so that we can see how
certain KEYWORDS and requirementes affect the answer.
Here's one.
Internal network address range is 1.1.X.0/24 Router 1 has an E0/0 link
to the backbone (BB1)
Question
Your network has become extremely slow and you suspect a DOS attack
coming from BB1.
Create an acl which will log icmp flood/smurf attacks to your logging
buffer.
Create this acl on R1 in a manner which will assist you to distinguish
between these attacks wherever possible.
________________________________
From: Scott Morris [mailto:swm@emanon.com]
Sent: Thursday, 24 August 2006 6:09 AM
To: 'Aamir Aziz'; 'David Mitchell'
Cc: 'Chris Broadway'; 'Peter Plak'; 'Victor Cappuccio'; 'Dusty'; David
Redfern (AU); ccielab@groupstudy.com
Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
I'll stick with the answer of "it depends" :)
in your first one, you are assuming that all links are /24. Which may
be true, but you'll have to look at your topology to assess that!
in the second one, it certainly blocks it all, which again may or may
not be what you want to accomplish.
There is NO SINGLE answer!
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
JNCIE #153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
________________________________
From: Aamir Aziz [mailto:aamiraz77@gmail.com]
Sent: Wednesday, August 23, 2006 3:11 PM
To: David Mitchell
Cc: Scott Morris; Chris Broadway; Peter Plak; Victor Cappuccio; Dusty;
David Redfern (AU); ccielab@groupstudy.com
Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
Hi all
Many thanks for the all the replies. Ok so if i build the following ACL
(lets say on edge router) to protect myself from being the REFLECTOR and
the VICTIM for SMURF/Fraggle attack would this work:
deny icmp any 0.0.0.255 <http://0.0.0.255/> 255.255.255.0
<http://255.255.255.0/> echo deny icmp any 0.0.0.0 <http://0.0.0.0/>
255.255.255.0 <http://255.255.255.0/> echo deny icmp any 0.0.0.255
<http://0.0.0.255/> 255.255.255.0 <http://255.255.255.0/> echo-reply
deny icmp any 0.0.0.0 <http://0.0.0.0/> 255.255.255.0
<http://255.255.255.0/> echo-reply deny udp any any eq echo deny udp any
eq echo any permit ip any any
or this one (from
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149
ad6.shtml#topic3)
deny icmp any any echo
deny icmp any any echo-reply
deny udp any any eq echo
deny udp any eq echo any
permit ip any any
Which of them would work? If both then which is appropriate for CCIE
lab, if neither then what is missing here.
Many thanks
Aamir
On 8/23/06, David Mitchell <david.mitchell@centientnetworks.com> wrote:
If my understanding of Smurf attacks is correct, your strategy
would
succeed in stopping you from being the REFLECTOR, but not the
VICTIM.
If you are the VICTIM of a Smurf attack, the packets you will be
seeing
will be unicast icmp echo-reply packets sourced from the
REFLECTOR to
your address. This would be because the attacker spoofed your
address
range and sent the icmp echo-requests to the reflector's
broadcast
address, resulting in the reflector responding with the
echo-reply's to
your addresses.
If my understanding is correct, you would need to filter out
icmp
echo-reply packets on the edge to stop this.
Hopefully I understand this properly. So far I'm a two-time
Security
lab failure!!
- Dave
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
Behalf Of
Scott Morris
Sent: Wednesday, August 23, 2006 12:17 PM
To: 'Aamir Aziz'
Cc: 'Chris Broadway'; 'Peter Plak'; 'Victor Cappuccio'; 'Dusty';
'David
Redfern (AU)'; ccielab@groupstudy.com
Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND
SCOTT
If you are looking to stop an attack TO a router, I'd use:
no ip directed-broadcast (on each interface)
no service udp-small-servers (which will shut down those udp
ports)
I believe both may be defaults now (Cisco is occasionally nice).
If you have to filter on an edge, which makes more sense, I
believe both
Brian and I have offered multiple methods of accomplishing this.
One is
not
necessarily better than another. Below, I lay out the port
numbers for
you,
so build an ACL matching each of those in udp as well as ICMP
echo
coming
in.
Building the ACL shouldn't be a difficult exercise as you know
the
information below. In the middle of your exam (IMHO) you won't
be
required
to memorize the multiple ports that a Fraggle attack may go
after unless
it
is mentioned someplace on the DocCD. So build away! Come up
with one
and
let's see what you got!
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider)
#4713,
JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
_____
From: Aamir Aziz [mailto:aamiraz77@gmail.com]
Sent: Wednesday, August 23, 2006 10:09 AM
To: swm@emanon.com
Cc: Chris Broadway; Peter Plak; Victor Cappuccio; Dusty; David
Redfern
(AU);
ccielab@groupstudy.com
Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND
SCOTT
Dear Mr.Brian & Mr.Scott,
Thank you for the valuable input, i think it was really helpfull
but
lets
say in the exam if they clearly mention that it is a
SMURF/Fraggle
attack
and we need to stop it using ACL then in your expert opinion
what ACL
should
we use on the router?
Thanks
Aamir
On 8/22/06, Scott Morris <swm@emanon.com> wrote:
Well, look at the two attacks and what they are first.
Smurf is an ICMP-based attack. Typically the echo-request
packets are
sent
TO the subnet-broadcast address. This is simply stopped (and by
default)
with "no ip directed-broadcast" on a LAN. Or you can filter on
an edge
router closer to the Internet link using an extended ACL.
Being that most Smurf attacks are also from spoofed addresses,
"ip
verify
unicast reverse-path" or "ip verify unicast source reachable via
any"
could
help. (<--RFC 2267) You could also rate-limit the information,
but this
isn't the best solution!
Fraggle is the same type of attack, except that it involves UDP
packets
instead of ICMP ones. Typically it's directed at common
unix-based echo
ports (7, 13, 17, 19). So the same methods will protect you.
For TCP SYN attacks, that usually involves a bunch of embryonic
(half-open)
connections going on. Short of your router(s) monitoring the
number of
initial TCP open requests that come in, there's not many good
ways to do
this! Firewalls (including CBAC) are certainly the best ways,
but not
on
the R&S exam!!!
You may have TCP Intercept on your exam covered by some of the
more
generic
security features listed on the Blueprint! Look in the same
security
command reference where the RPF information is at, and you'll
see "ip
tcp
intercept" for some information on that.
While you could rate-limit with an acl matching "tcp any any
syn".
Like
many things which thing you choose as your solution may depend
on
requirements of the lab!
Just my thoughts...
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider)
#4713,
JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com <http://www.ipexpert.com>
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
Behalf Of
Chris Broadway
Sent: Tuesday, August 22, 2006 11:21 AM
To: Peter Plak
Cc: Victor Cappuccio; Dusty; David Redfern (AU); Aamir Aziz;
ccielab@groupstudy.com
Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND
SCOTT
Group,
Can we get the "Brians" and/or Scott to give us their opinion on
the
definitive ACL to log smurf, fraggle, and TCP syn attacks? I
think
everyone
has an opinion but have not heard from the ones I consider to be
the
most
trusted sources.
-Broadway
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:58 ART