Smurf attacks - monitor but do not deny

From: Alex De Gruiter (AU) (Alex.deGruiter@didata.com.au)
Date: Thu Oct 05 2006 - 22:36:50 ART


Hi Guys,

I have a question about monitoring attacks (in particular, Smurf). There
has been some very good coverage of Smurf attacks in this forum in the
past, however I have a question about monitoring rather than preventing
smurf attacks altogether.

Let's say you have a question asking to monitor the volume and source of
suspected smurf attacks (or, for that matter, another type of attack
identifiable through an ACL - such as fraggle), however you do not want
to block any traffic.

Would the following ACL provide the necessary logging data:

<config>

ip access-list extended DoSMONITOR
 ! Log ICMP echo requests aimed at the .255 broadcast address of any
 ! 192.168.x.0/24 subnet (wildcard 0.0.255.0 leaves the third octet open).
 ! The original had this ACE twice; IOS treats the repeat as a duplicate entry.
 permit icmp any 192.168.0.255 0.0.255.0 echo log
 ! Let everything else through unlogged - monitor only, never deny
 permit ip any any

int serial 0/1
  ip access-group DoSMONITOR in

logging buffered informational

</config>

I'm wondering how to respond if a question asks you to log but not deny
a DoS attack. Anyone feel free to comment on anything in the above mail
- always keen to learn.

Alex
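Once the ACL above is logging, the "volume and source" part of the question is answered from the syslog it produces. As an added example (not from the original post), this script aggregates constructed IOS `%SEC-6-IPACCESSLOGDP` lines per source; the message layout, the router name, the addresses and the 1000-packet cutoff are all assumed.

```python
"""Aggregate echo-request-to-broadcast hits from IOS ACL 'log' messages.

Assumed (constructed) message format, modelled on the %SEC-6-IPACCESSLOGDP
line a 'permit icmp ... log' ACE emits; '(8/0)' is ICMP type 8 (echo), code 0.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) icmp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog lines, not real captured traffic.
SAMPLE_LOG = """\
Oct  5 22:30:01 rtr1 1234: %SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 203.0.113.7 -> 192.168.4.255 (8/0), 1 packet
Oct  5 22:35:01 rtr1 1235: %SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 203.0.113.7 -> 192.168.4.255 (8/0), 1480 packets
Oct  5 22:35:02 rtr1 1236: %SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 198.51.100.9 -> 192.168.4.255 (8/0), 12 packets
Oct  5 22:35:03 rtr1 1237: %SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 198.51.100.9 -> 192.168.7.255 (8/0), 3 packets
Oct  5 22:35:04 rtr1 1238: %SEC-6-IPACCESSLOGDP: list OTHER permitted icmp 10.0.0.1 -> 10.0.0.2 (0/0), 5 packets
"""

def parse(lines, acl="DoSMONITOR"):
    """Yield (src, dst, packets) for echo-request hits on the named ACL only."""
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["acl"] == acl and m["type"] == "8":
            yield m["src"], m["dst"], int(m["count"])

def summarise(lines, acl="DoSMONITOR"):
    """Per-source packet totals plus the broadcast targets each source hit.

    Caveat: in a smurf the source is spoofed, so on an amplifying network the
    logged 'source' is usually the victim, not the attacker.
    """
    per_source, targets = Counter(), defaultdict(set)
    for src, dst, n in parse(lines, acl):
        per_source[src] += n
        targets[src].add(dst)
    return per_source, targets

def report(lines, threshold=1000, acl="DoSMONITOR"):
    """Sources above the (constructed) packet threshold, busiest first."""
    per_source, targets = summarise(lines, acl)
    return [(s, n, sorted(targets[s])) for s, n in per_source.most_common() if n > threshold]

if __name__ == "__main__":
    for src, n, dsts in report(SAMPLE_LOG.splitlines()):
        print(f"{src}: {n} echo requests to {', '.join(dsts)}")
```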




This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART