From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Mon Sep 04 2006 - 22:56:06 ART
Hi Chris, what if your network is not a /24?
Per http://www.cisco.com/warp/public/707/22.html
The fraggle attack is analogous to the smurf attack, except that UDP echo
requests are used for the stimulus stream instead of ICMP echo requests. The
third and fourth lines of the access list identify fraggle attacks. The
appropriate response for the victims is the same, except that UDP echo is a
less important service in most networks than is ICMP echo. Therefore, you
can disable them completely with fewer negative consequences.
access-list 169 permit icmp any any echo
access-list 169 permit icmp any any echo-reply
access-list 169 permit udp any any eq echo
access-list 169 permit udp any eq echo any
access-list 169 permit tcp any any established
access-list 169 permit tcp any any
access-list 169 permit ip any any
interface serial 0
ip access-group 169 in
if you can find a better resource, please share!
Thanks
Victor.-
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of Chris
Broadway
Sent: Monday, September 04, 2006 09:37 PM
To: Cisco certification
Subject: Fraggle/Smurf
I know this has been discussed a million times, but I still haven't got it.
I understand this line:
permit icmp any 0.0.0.255 255.255.255.0 eq echo log-input
permit icmp any 0.0.0.0 255.255.255.0 eq echo log-input
this will log all ICMP traffic going to network and broadcast addresses
this part I don't understand
permit icmp any 0.0.0.255 255.255.255.0 eq echo-reply log-input
permit icmp any 0.0.0.0 255.255.255.0 eq echo-reply log-input
why would this router log echo-reply traffic going to network and broadcast
addresses when the echo-reply should be the spoofed IP that the perpetrator
sent.
The same explanation will apply to UDP. Anyone?
-Broadway
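As an added illustration (not code from this thread or from the Cisco page Victor cites), the Python model below shows how these wildcard-mask entries actually match, and generalises the .255/.0 entries to any prefix length, which is exactly the /24 question Victor raises. The network 192.0.2.64/26, the ACE names and the sample packets are constructed for the example; the matcher reproduces IOS first-match semantics with per-entry hit counters, the way you would read the output of show access-lists when characterising a flood.

```python
"""Model of Cisco wildcard-mask ACL matching for smurf/fraggle characterisation.

Added example; not code from the GroupStudy thread or from Cisco.
Network 192.0.2.64/26 and the packets below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

ECHO_PORT = 7  # UDP echo service used by the fraggle stimulus stream


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard compare: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def broadcast_matcher(prefix_len: int) -> tuple:
    """(base, wildcard) matching the directed-broadcast address of any subnet
    with this prefix length; /24 gives the thread's 0.0.0.255 255.255.255.0."""
    host_mask = (1 << (32 - prefix_len)) - 1
    return (str(ipaddress.IPv4Address(host_mask)),
            str(ipaddress.IPv4Address(~host_mask & 0xFFFFFFFF)))


def network_matcher(prefix_len: int) -> tuple:
    """(base, wildcard) matching the all-zeros network address of any subnet
    with this prefix length; /24 gives the thread's 0.0.0.0 255.255.255.0."""
    host_mask = (1 << (32 - prefix_len)) - 1
    return ("0.0.0.0", str(ipaddress.IPv4Address(~host_mask & 0xFFFFFFFF)))


@dataclass(frozen=True)
class Packet:
    proto: str             # "icmp" or "udp"
    src: str
    dst: str
    icmp_type: str = ""    # "echo" or "echo-reply" when proto == "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One 'permit <proto> any <base> <wildcard> ...' entry (source is 'any')."""
    name: str
    proto: str
    dst_base: str
    dst_wildcard: str
    icmp_type: str = ""
    sport: int = 0         # 0 means any port
    dport: int = 0

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if not wildcard_match(p.dst, self.dst_base, self.dst_wildcard):
            return False
        if self.proto == "icmp":
            return p.icmp_type == self.icmp_type
        return self.sport in (0, p.sport) and self.dport in (0, p.dport)


def build_acl(prefix_len: int) -> list:
    """The thread's four ICMP entries plus a UDP echo equivalent, for any prefix length."""
    acl = []
    for label, (base, wc) in (("broadcast", broadcast_matcher(prefix_len)),
                              ("network", network_matcher(prefix_len))):
        acl.append(Ace(f"icmp echo to {label}", "icmp", base, wc, icmp_type="echo"))
        acl.append(Ace(f"icmp echo-reply to {label}", "icmp", base, wc, icmp_type="echo-reply"))
        acl.append(Ace(f"udp echo to {label}", "udp", base, wc, dport=ECHO_PORT))
    return acl


def classify(acl: list, packets: list) -> dict:
    """Per-entry hit counts, like 'show access-lists'; first match wins as in IOS."""
    counts = {a.name: 0 for a in acl}
    for p in packets:
        for a in acl:
            if a.matches(p):
                counts[a.name] += 1
                break
    return counts


# Constructed sample: our LAN is 192.0.2.64/26, so its broadcast address is 192.0.2.127.
SAMPLE_PACKETS = [
    Packet("icmp", "198.51.100.9", "192.0.2.127", icmp_type="echo"),        # stimulus: we would be the amplifier
    Packet("icmp", "203.0.113.5", "192.0.2.127", icmp_type="echo-reply"),   # echo-reply to broadcast (Chris's question)
    Packet("udp", "198.51.100.9", "192.0.2.127", sport=4000, dport=7),      # UDP echo stimulus (fraggle)
    Packet("icmp", "198.51.100.9", "192.0.2.70", icmp_type="echo"),         # ordinary ping to one host
]

if __name__ == "__main__":
    for plen in (24, 26):
        print(f"/{plen} ACL:", classify(build_acl(plen), SAMPLE_PACKETS))
```

Running it shows the point of Victor's question directly: with the /24 entries from the thread every counter stays at zero, because 192.0.2.127 ends in neither .255 nor .0, while the /26 entries (0.0.0.63 255.255.255.192 and 0.0.0.0 255.255.255.192) count the three packets aimed at the broadcast address and ignore the ping to the individual host.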
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:39 ART