Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT

From: Aamir Aziz (aamiraz77@gmail.com)
Date: Sat Aug 26 2006 - 07:00:36 ART


Hi there,

I think this is exactly what I was looking for; this ACL makes much more
sense. Although, like Mr. Morris said, line 70 may not be required, I am
thinking: what if ICMP flooding (echo) from a spoofed source is being done
to a specific host instead of the network/broadcast address? Then only
line 70 would log that attack, right?

Thanks
Aamir

On 8/25/06, David Redfern (AU) <David.Redfern@didata.com.au> wrote:
>
> Glad to share my thoughts! As crazy and wrong as they may be.
>
>
> Making sure logging is turned on, my ACL for this SPECIFIC question,
> applied inbound, would be something like this.
>
>
> Rack1R1#sh access-lists
> Extended IP access list ICMPFLOOD_AND_SMURF
> 10 permit icmp any 0.0.0.0 255.255.255.0 echo log-input
> 20 permit icmp any 0.0.0.255 255.255.255.0 echo log-input
> 30 permit icmp any any echo-reply log-input
> 40 permit udp any 0.0.0.0 255.255.255.0 eq echo log-input
> 50 permit udp any 0.0.0.255 255.255.255.0 eq echo log-input
> 60 permit udp any eq echo any log-input
> 70 permit icmp any any log-input
> 80 permit ip any any
>
>
>
> My thoughts are the following for each sequence number.
>
> - 10 and 20 log smurf attacks to my network and subnet broadcast
> addresses using me as the reflector. Whilst I could have been more
> specific with my ACL subnet being 1.1.X.0, I don't think it's necessary.
>
> - 30 logs smurf attacks with my network as the end target (echo-replies)
> that have come from a reflector network (anywhere) which have ANY
> address in my network as the spoofed source. I don't know where they are
> coming from and I don't know which host they are destined for so I must
> use any. I see a lot of people include an echo-reply line destined for
> the subnet and broadcast addresses which I don't understand as I don't
> believe a smurf spoofed source will be this address, rather any address
> inside my network. My any any echo-reply will catch all of these anyway.
> I could include it but would it really assist!
>
> - 40 and 50. As this is for a nagle attack using me as the reflector and
> not really a smurf, I'm not sure it's necessary; however, I will include it
> just in case Cisco or the proctor classify a nagle as a smurf also. I see
> almost everyone else includes this, so I didn't want to leave it out. I'd
> ask the proctor whether he wants nagle attacks on this one also, though.
>
> - 60 This is a nagle attack with me as the end target: UDP echo as the
> source to any destination in my network.
>
> - 70 This will catch ICMP floods to my network.
>
> - 80 Permit all else.
>
>
>
> I encourage criticism of this and alternate answers
>
> -----Original Message-----
> From: Scott Morris [mailto:swm@emanon.com]
> Sent: Friday, 25 August 2006 2:09 AM
> To: David Redfern (AU); ccielab@groupstudy.com
> Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
> And so.... In the great spirit of learning, should you not come up with
> a proposed solution as well? That way we can all benefit from the
> thinking through of things!!!
>
> While I do appreciate being singled out for opinions, and I'm sure Brian
> Dennis and Brian McGahan do as well, bear in mind that the answers to
> any given question don't necessarily count as the only ones, nor should
> they be looked at as something to memorize and treat as THE right
> answer.
>
> When learning any topic, the discussion and the thinking through things
> is often where the best learning comes from.
>
> So what things do you have there... You aren't trying to kill the
> traffic according to your scenario, you're simply trying to log it. So
> what are the pieces (there will only be permits, I'm guessing) involved?
> And is logging already set up? :)
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> JNCIE #153, CISSP, et al.
> CCSI/JNCI-M/JNCI-J
> IPExpert VP - Curriculum Development
> IPExpert Sr. Technical Instructor
> smorris@ipexpert.com
> http://www.ipexpert.com
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> David Redfern (AU)
> Sent: Thursday, August 24, 2006 5:40 AM
> To: ccielab@groupstudy.com
> Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
> Guys,
>
> As I think we can all agree that the answer may vary depending on the
> question and requirements, I suggest we pose a few different
> hypothetical sample questions to each other, so that we can see how
> certain KEYWORDS and requirements affect the answer.
>
> Here's one.
>
> Internal network address range is 1.1.X.0/24. Router 1 has an E0/0 link
> to the backbone (BB1).
>
> Question:
> Your network has become extremely slow and you suspect a DoS attack
> coming from BB1.
> Create an ACL which will log ICMP flood/smurf attacks to your logging
> buffer.
> Create this ACL on R1 in a manner which will assist you to distinguish
> between these attacks wherever possible.
>
> ________________________________
>
> From: Scott Morris [mailto:swm@emanon.com]
> Sent: Thursday, 24 August 2006 6:09 AM
> To: 'Aamir Aziz'; 'David Mitchell'
> Cc: 'Chris Broadway'; 'Peter Plak'; 'Victor Cappuccio'; 'Dusty'; David
> Redfern (AU); ccielab@groupstudy.com
> Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
>
> I'll stick with the answer of "it depends" :)
>
> In your first one, you are assuming that all links are /24, which may
> be true, but you'll have to look at your topology to assess that!
> In the second one, it certainly blocks it all, which again may or may
> not be what you want to accomplish.
>
> There is NO SINGLE answer!
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> JNCIE #153, CISSP, et al.
> CCSI/JNCI-M/JNCI-J
> IPExpert VP - Curriculum Development
> IPExpert Sr. Technical Instructor
> smorris@ipexpert.com
> http://www.ipexpert.com
>
>
> ________________________________
>
> From: Aamir Aziz [mailto:aamiraz77@gmail.com]
> Sent: Wednesday, August 23, 2006 3:11 PM
> To: David Mitchell
> Cc: Scott Morris; Chris Broadway; Peter Plak; Victor Cappuccio; Dusty;
> David Redfern (AU); ccielab@groupstudy.com
> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
>
> Hi all
>
> Many thanks for all the replies. OK, so if I build the following ACL
> (let's say on the edge router) to protect myself from being the REFLECTOR
> and the VICTIM of a SMURF/Fraggle attack, would this work:
>
> deny icmp any 0.0.0.255 255.255.255.0 echo
> deny icmp any 0.0.0.0 255.255.255.0 echo
> deny icmp any 0.0.0.255 255.255.255.0 echo-reply
> deny icmp any 0.0.0.0 255.255.255.0 echo-reply
> deny udp any any eq echo
> deny udp any eq echo any
> permit ip any any
>
> or this one (from
> http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml#topic3)
>
> deny icmp any any echo
> deny icmp any any echo-reply
> deny udp any any eq echo
> deny udp any eq echo any
> permit ip any any
>
> Which of them would work? If both, then which is appropriate for the CCIE
> lab; if neither, then what is missing here?
>
> Many thanks
> Aamir
>
>
>
> On 8/23/06, David Mitchell <david.mitchell@centientnetworks.com> wrote:
>
> If my understanding of Smurf attacks is correct, your strategy would
> succeed in stopping you from being the REFLECTOR, but not the VICTIM.
>
> If you are the VICTIM of a Smurf attack, the packets you will be seeing
> will be unicast ICMP echo-reply packets sourced from the REFLECTOR to
> your address. This would be because the attacker spoofed your address
> range and sent the ICMP echo-requests to the reflector's broadcast
> address, resulting in the reflector responding with the echo-replies to
> your addresses.
>
> If my understanding is correct, you would need to filter out ICMP
> echo-reply packets on the edge to stop this.
>
> Hopefully I understand this properly. So far I'm a two-time Security
> lab failure!!
>
> - Dave
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Scott Morris
> Sent: Wednesday, August 23, 2006 12:17 PM
> To: 'Aamir Aziz'
> Cc: 'Chris Broadway'; 'Peter Plak'; 'Victor Cappuccio'; 'Dusty';
> 'David Redfern (AU)'; ccielab@groupstudy.com
> Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
> If you are looking to stop an attack TO a router, I'd use:
>
> no ip directed-broadcast (on each interface)
> no service udp-small-servers (which will shut down those UDP ports)
>
> I believe both may be defaults now (Cisco is occasionally nice).
>
> If you have to filter on an edge, which makes more sense, I believe both
> Brian and I have offered multiple methods of accomplishing this. One is
> not necessarily better than another. Below, I lay out the port numbers
> for you, so build an ACL matching each of those in UDP as well as ICMP
> echo coming in.
>
> Building the ACL shouldn't be a difficult exercise as you know the
> information below. In the middle of your exam (IMHO) you won't be
> required to memorize the multiple ports that a Fraggle attack may go
> after unless it is mentioned someplace on the DocCD. So build away! Come
> up with one and let's see what you've got!
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> JNCIE #153, CISSP, et al.
> CCSI/JNCI-M/JNCI-J
> IPExpert VP - Curriculum Development
> IPExpert Sr. Technical Instructor
> smorris@ipexpert.com
> http://www.ipexpert.com
>
>
> _____
>
> From: Aamir Aziz [mailto:aamiraz77@gmail.com]
> Sent: Wednesday, August 23, 2006 10:09 AM
> To: swm@emanon.com
> Cc: Chris Broadway; Peter Plak; Victor Cappuccio; Dusty; David Redfern
> (AU); ccielab@groupstudy.com
> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
>
> Dear Mr. Brian & Mr. Scott,
>
> Thank you for the valuable input. I think it was really helpful, but
> let's say in the exam they clearly mention that it is a SMURF/Fraggle
> attack and we need to stop it using an ACL; then, in your expert opinion,
> what ACL should we use on the router?
>
> Thanks
> Aamir
>
>
> On 8/22/06, Scott Morris <swm@emanon.com> wrote:
>
> Well, look at the two attacks and what they are first.
>
> Smurf is an ICMP-based attack. Typically the echo-request packets are
> sent TO the subnet-broadcast address. This is simply stopped (and by
> default) with "no ip directed-broadcast" on a LAN. Or you can filter on
> an edge router closer to the Internet link using an extended ACL.
>
> Being that most Smurf attacks are also from spoofed addresses, "ip
> verify unicast reverse-path" or "ip verify unicast source reachable-via
> any" could help. (<--RFC 2267) You could also rate-limit the
> information, but this isn't the best solution!
>
> Fraggle is the same type of attack, except that it involves UDP packets
> instead of ICMP ones. Typically it's directed at common Unix-based echo
> ports (7, 13, 17, 19). So the same methods will protect you.
>
> For TCP SYN attacks, that usually involves a bunch of embryonic
> (half-open) connections going on. Short of your router(s) monitoring the
> number of initial TCP open requests that come in, there's not many good
> ways to do this! Firewalls (including CBAC) are certainly the best ways,
> but not on the R&S exam!!!
>
> You may have TCP Intercept on your exam covered by some of the more
> generic security features listed on the Blueprint! Look in the same
> security command reference where the RPF information is at, and you'll
> see "ip tcp intercept" for some information on that.
>
> While you could rate-limit with an ACL matching "tcp any any syn", like
> many things, which thing you choose as your solution may depend on the
> requirements of the lab!
>
> Just my thoughts...
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> JNCIE #153, CISSP, et al.
> CCSI/JNCI-M/JNCI-J
> IPExpert VP - Curriculum Development
> IPExpert Sr. Technical Instructor
> smorris@ipexpert.com
> http://www.ipexpert.com
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Chris Broadway
> Sent: Tuesday, August 22, 2006 11:21 AM
> To: Peter Plak
> Cc: Victor Cappuccio; Dusty; David Redfern (AU); Aamir Aziz;
> ccielab@groupstudy.com
> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
> Group,
>
> Can we get the "Brians" and/or Scott to give us their opinion on the
> definitive ACL to log smurf, fraggle, and TCP SYN attacks? I think
> everyone has an opinion, but I have not heard from the ones I consider to
> be the most trusted sources.
>
> -Broadway
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
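An added example, not part of the thread: a small Python model of David Redfern's ICMPFLOOD_AND_SMURF ACL quoted above. It runs constructed packets for each scenario in the discussion through Cisco wildcard matching and reports the sequence number that would log them, which answers the question in the top post (a unicast echo flood to one host falls through to line 70). It assumes the 1.1.X.0/24 range from David's sample question and UDP port 7 for `eq echo`; the packets are constructed, not captured.

```python
import ipaddress

def wc_match(addr, spec):
    """Cisco wildcard match: spec is 'any' or (address, wildcard-mask)."""
    if spec == "any":
        return True
    net, wild = spec
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))  # wildcard 1-bits are "don't care"
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(net))
    return a & keep == n & keep

NET_ADDR = ("0.0.0.0", "255.255.255.0")      # any x.x.x.0   (network address)
BCAST_ADDR = ("0.0.0.255", "255.255.255.0")  # any x.x.x.255 (subnet broadcast)
# (seq, proto, src, dst, extra fields to match, what the line logs per the thread)
ACL = [
    (10, "icmp", "any", NET_ADDR, {"icmp_type": 8}, "smurf, we are the reflector"),
    (20, "icmp", "any", BCAST_ADDR, {"icmp_type": 8}, "smurf, we are the reflector"),
    (30, "icmp", "any", "any", {"icmp_type": 0}, "smurf, we are the victim"),
    (40, "udp", "any", NET_ADDR, {"dport": 7}, "fraggle, we are the reflector"),
    (50, "udp", "any", BCAST_ADDR, {"dport": 7}, "fraggle, we are the reflector"),
    (60, "udp", "any", "any", {"sport": 7}, "fraggle, we are the victim"),
    (70, "icmp", "any", "any", {}, "other ICMP, e.g. unicast echo flood"),
    (80, "ip", "any", "any", {}, "everything else (not logged)"),
]

def first_match(pkt):
    """Return (seq, description) of the first ACE the packet matches, as IOS would."""
    for seq, proto, src, dst, extra, what in ACL:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wc_match(pkt["src"], src) and wc_match(pkt["dst"], dst)):
            continue
        if all(pkt.get(k) == v for k, v in extra.items()):
            return seq, what
    return None, "implicit deny"

# Constructed packets for the scenarios discussed in the thread (1.1.1.0/24 is "us").
SCENARIOS = {
    "echo to subnet broadcast":  {"proto": "icmp", "src": "5.5.5.5", "dst": "1.1.1.255", "icmp_type": 8},
    "echo-reply to inside host": {"proto": "icmp", "src": "9.9.9.9", "dst": "1.1.1.7", "icmp_type": 0},
    "echo flood to inside host": {"proto": "icmp", "src": "5.5.5.5", "dst": "1.1.1.7", "icmp_type": 8},
    "udp echo to subnet bcast":  {"proto": "udp", "src": "5.5.5.5", "dst": "1.1.1.255", "sport": 1024, "dport": 7},
    "udp from port 7 to host":   {"proto": "udp", "src": "9.9.9.9", "dst": "1.1.1.7", "sport": 7, "dport": 1024},
    "ordinary web request":      {"proto": "tcp", "src": "8.8.8.8", "dst": "1.1.1.7", "sport": 40000, "dport": 80},
}

if __name__ == "__main__":
    for name, pkt in SCENARIOS.items():
        seq, what = first_match(pkt)
        print(f"{name:27s} -> line {seq}: {what}")
```

Because line 70 also catches unrelated ICMP (unreachables, TTL exceeded), the (type/code) field in the log-input entry is what separates a unicast echo flood from ordinary ICMP in the logging buffer.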



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:58 ART