From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Fri Aug 25 2006 - 11:07:07 ART
Hehee, you are going to kill me, but this access-list was more complicated
than I thought. Here is the complete list (I think ;)
access-list 169 permit icmp any host 6.6.6.255 echo log-input
access-list 169 permit icmp any host 6.6.6.0 echo log-input
access-list 169 permit udp any host 6.6.6.0 eq echo log-input
access-list 169 permit udp any host 6.6.6.255 eq echo log-input
access-list 169 permit udp any host 6.6.6.0 eq 13 log-input
access-list 169 permit udp any host 6.6.6.255 eq 13 log-input
access-list 169 permit udp any host 6.6.6.0 eq 17 log-input
access-list 169 permit udp any host 6.6.6.255 eq 17 log-input
access-list 169 permit udp any host 6.6.6.0 eq 19 log-input
access-list 169 permit udp any host 6.6.6.255 eq 19 log-input
access-list 169 permit ip any any
-----Original Message-----
From: Victor Cappuccio [mailto:cvictor@protokolgroup.com]
Sent: Friday, August 25, 2006 10:04 AM
To: 'Victor Cappuccio'; 'Scott Morris'; 'Aamir Aziz'
Cc: 'Chris Broadway'; 'Peter Plak'; 'Dusty'; 'David Redfern (AU)';
ccielab@groupstudy.com
Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
Hmmm, sorry, I think I'm missing some lines in the ACL
access-list 169 permit icmp any host 6.6.6.255 echo log-input
access-list 169 permit icmp any host 6.6.6.0 echo log-input
access-list 169 permit udp any host 6.6.6.0 eq echo log-input
access-list 169 permit udp any host 6.6.6.255 eq echo log-input
access-list 169 permit udp any host 6.6.6.0 eq 19
access-list 169 permit udp any host 6.6.6.255 eq 19
access-list 169 permit udp any host 6.6.6.0 eq 17
access-list 169 permit udp any host 6.6.6.255 eq 17
access-list 169 permit ip any any
-----Original Message-----
From: Victor Cappuccio [mailto:cvictor@protokolgroup.com]
Sent: Friday, August 25, 2006 09:48 AM
To: 'Scott Morris'; 'Aamir Aziz'
Cc: 'Chris Broadway'; 'Peter Plak'; 'Dusty'; 'David Redfern (AU)';
'ccielab@groupstudy.com'
Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
If I suspect that my network (a /24, BTW) is an amplifier for a stimulus ICMP
Smurf attack or a Fraggle, I would do this on the edge router:
no service udp-small-servers
access-list 169 permit icmp any host 6.6.6.255 echo log-input
access-list 169 permit icmp any host 6.6.6.0 echo log-input
access-list 169 permit udp any host 6.6.6.0 eq echo log-input
access-list 169 permit udp any host 6.6.6.255 eq echo log-input
access-list 169 permit ip any any
int s0/0 !To the World
no ip directed-broadcast
ip access-gr 169 in !This makes use of 169 as a packet counter to see if
we are receiving ICMP to the network address or to a broadcast address
int f0/0 !To my Internal Network
ip add 6.6.6.6 255.255.255.0
no ip directed-broadcast !!! This would cause the broadcast not to be routed over
http://www.networkdictionary.com/security/SmurfAttack.php
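Because every entry in ACL 169 above (and in the complete list at the top of the thread) ends in log-input, the router emits a syslog line for each hit. The following is an added example, not part of any message in this thread: a small Python parser that reads those syslog lines, flags echo requests to the network or broadcast address as Smurf stimulus and UDP to ports 7/13/17/19 as Fraggle stimulus, and totals packets per source. The sample log lines are constructed to match the shape of IOS %SEC-6-IPACCESSLOGDP / %SEC-6-IPACCESSLOGP messages; the source addresses and interface name are made up.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape IOS emits for ACL entries
# carrying "log-input" (IPACCESSLOGDP for ICMP, IPACCESSLOGP for UDP).
# Sources and interface are invented; 6.6.6.0/24 is the thread's network.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list 169 permitted icmp 192.0.2.10 (Serial0/0 ) -> 6.6.6.255 (8/0), 37 packets
%SEC-6-IPACCESSLOGDP: list 169 permitted icmp 192.0.2.10 (Serial0/0 ) -> 6.6.6.0 (8/0), 12 packets
%SEC-6-IPACCESSLOGP: list 169 permitted udp 198.51.100.7(53000) (Serial0/0 ) -> 6.6.6.255(19), 40 packets
%SEC-6-IPACCESSLOGP: list 169 permitted udp 198.51.100.7(53001) (Serial0/0 ) -> 6.6.6.255(7), 8 packets
%SEC-6-IPACCESSLOGP: list 169 permitted udp 203.0.113.5(4000) (Serial0/0 ) -> 6.6.6.20(53), 1 packet
"""

FRAGGLE_PORTS = {7, 13, 17, 19}            # echo, daytime, qotd, chargen
BCAST_TARGETS = {"6.6.6.0", "6.6.6.255"}   # network and directed-broadcast address

# The "(...)" after the source is the ingress interface (and MAC on Ethernet).
ICMP_RE = re.compile(r"list (\d+) permitted icmp ([\d.]+) \([^)]*\) -> ([\d.]+) \((\d+)/\d+\), (\d+) packets?")
UDP_RE = re.compile(r"list (\d+) permitted udp ([\d.]+)\(\d+\) \([^)]*\) -> ([\d.]+)\((\d+)\), (\d+) packets?")


def classify(line):
    """Return ('smurf'|'fraggle', source, target, packets) or None."""
    m = ICMP_RE.search(line)
    if m and m.group(3) in BCAST_TARGETS and m.group(4) == "8":  # ICMP type 8 = echo request
        return ("smurf", m.group(2), m.group(3), int(m.group(5)))
    m = UDP_RE.search(line)
    if m and m.group(3) in BCAST_TARGETS and int(m.group(4)) in FRAGGLE_PORTS:
        return ("fraggle", m.group(2), m.group(3), int(m.group(5)))
    return None


def summarize(log_text):
    """Total matched packets by attack kind and by (kind, source, target)."""
    by_kind, by_pair = Counter(), Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            kind, src, dst, n = hit
            by_kind[kind] += n
            by_pair[(kind, src, dst)] += n
    return by_kind, by_pair


if __name__ == "__main__":
    kinds, pairs = summarize(SAMPLE_LOG)
    for (kind, src, dst), n in pairs.most_common():
        print(f"{kind:8} {src:>15} -> {dst:<12} {n} packets")
```

A source that keeps showing up with large counts against 6.6.6.0 or 6.6.6.255 is the stimulus traffic the ACL counters were meant to reveal; the last sample line (unicast UDP to a host) is correctly ignored.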
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Scott
Morris
Sent: Wednesday, August 23, 2006 12:17 PM
To: 'Aamir Aziz'
Cc: 'Chris Broadway'; 'Peter Plak'; 'Victor Cappuccio'; 'Dusty'; 'David
Redfern (AU)'; ccielab@groupstudy.com
Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
If you are looking to stop an attack TO a router, I'd use:
no ip directed-broadcast (on each interface)
no service udp-small-servers (which will shut down those udp ports)
I believe both may be defaults now (Cisco is occasionally nice).
If you have to filter on an edge, which makes more sense, I believe both
Brian and I have offered multiple methods of accomplishing this. One is not
necessarily better than another. Below, I lay out the port numbers for you,
so build an ACL matching each of those in udp as well as ICMP echo coming
in.
Building the ACL shouldn't be a difficult exercise as you know the
information below. In the middle of your exam (IMHO) you won't be required
to memorize the multiple ports that a Fraggle attack may go after unless it
is mentioned someplace on the DocCD. So build away! Come up with one and
let's see what you got!
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
_____
From: Aamir Aziz [mailto:aamiraz77@gmail.com]
Sent: Wednesday, August 23, 2006 10:09 AM
To: swm@emanon.com
Cc: Chris Broadway; Peter Plak; Victor Cappuccio; Dusty; David Redfern (AU);
ccielab@groupstudy.com
Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
Dear Mr.Brian & Mr.Scott,
Thank you for the valuable input. I think it was really helpful, but let's
say in the exam they clearly mention that it is a SMURF/Fraggle attack
and we need to stop it using an ACL. Then, in your expert opinion, what ACL should
we use on the router?
Thanks
Aamir
On 8/22/06, Scott Morris <swm@emanon.com> wrote:
Well, look at the two attacks and what they are first.
Smurf is an ICMP-based attack. Typically the echo-request packets are sent
TO the subnet-broadcast address. This is simply stopped (and by default)
with "no ip directed-broadcast" on a LAN. Or you can filter on an edge
router closer to the Internet link using an extended ACL.
Being that most Smurf attacks are also from spoofed addresses, "ip verify
unicast reverse-path" or "ip verify unicast source reachable via any" could
help. (<--RFC 2267) You could also rate-limit the information, but this
isn't the best solution!
Fraggle is the same type of attack, except that it involves UDP packets
instead of ICMP ones. Typically it's directed at common unix-based echo
ports (7, 13, 17, 19). So the same methods will protect you.
For TCP SYN attacks, that usually involves a bunch of embryonic (half-open)
connections going on. Short of your router(s) monitoring the number of
initial TCP open requests that come in, there aren't many good ways to do
this! Firewalls (including CBAC) are certainly the best ways, but not on
the R&S exam!!!
You may have TCP Intercept on your exam covered by some of the more generic
security features listed on the Blueprint! Look in the same security
command reference where the RPF information is at, and you'll see "ip tcp
intercept" for some information on that.
You could also rate-limit with an ACL matching "tcp any any syn". Like
many things, which one you choose as your solution may depend on the
requirements of the lab!
Just my thoughts...
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Chris Broadway
Sent: Tuesday, August 22, 2006 11:21 AM
To: Peter Plak
Cc: Victor Cappuccio; Dusty; David Redfern (AU); Aamir Aziz;
ccielab@groupstudy.com
Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
Group,
Can we get the "Brians" and/or Scott to give us their opinion on the
definitive ACL to log smurf, fraggle, and TCP syn attacks? I think everyone
has an opinion but have not heard from the ones I consider to be the most
trusted sources.
-Broadway
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:58 ART