Re: Smurf attacks - monitor but do not deny

From: Angelo De Guzman (a.deguzman@wesolv.ph.fujitsu.com)
Date: Thu Oct 05 2006 - 22:55:00 ART


Hi,
   Your DoSMONITOR ACL has the same entry. After correcting that, next you will
need to have the log-input keyword entry in your ACL to match that suspected
traffic. AFAIK for the SMURF attack I think it was discussed in this
groupstudy that you have an attack with you as the ultimate target and with
your network used as a reflector. You might want to change your ACL to cater to
both SMURF attacks.

Angelo

Alex De Gruiter (AU) (10/6/06 9:36 AM):
>
>Hi Guys,
>
>I have a question about monitoring attacks (in particular, Smurf). There
>has been some very good coverage of Smurf attacks in this forum in the
>past, however I have a question about monitoring rather than preventing
>smurf attacks altogether.
>
>Let's say you have a question asking to monitor the volume and source of
>suspected smurf attacks (or, for that matter, another type of attack
>identifiable through an ACL - such as fraggle), however you do not want
>to block any traffic.
>
>Would the following ACL provide the necessary logging data:
>
><config>
>
>ip access-list extended DoSMONITOR
> permit icmp any 192.168.0.255 0.0.255.0 echo log
> permit icmp any 192.168.0.255 0.0.255.0 echo log
> permit ip any any
>
>int serial 0/1
> ip access-group DoSMONITOR in
>
>logging buffered informational
>
></config>
>
>I'm wondering how to respond if a question asks you to log but not deny
>a DoS attack. Anyone feel free to comment on anything in the above mail
>- always keen to learn.
>
>Alex
>
>
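
The following is an added example, not code from either poster: it tallies packet volume and source per Smurf role from the log messages a permit-and-log ACL such as DoSMONITOR would produce. It assumes the IOS `%SEC-6-IPACCESSLOGDP` message layout, that echo (ICMP type 8) hits mark the reflector role and echo-reply (type 0) hits mark the target role, and that the ACL also carries an echo-reply entry; the log lines and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample messages (not from the thread). The first line shows
# what an entry logged with plain "log" looks like: no input interface.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 203.0.113.9 -> 192.168.4.255 (8/0), 3 packets
%SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 203.0.113.7 (Serial0/1 *HDLC*) -> 192.168.4.255 (8/0), 1 packet
%SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 203.0.113.7 (Serial0/1 *HDLC*) -> 192.168.9.255 (8/0), 42 packets
%SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 198.51.100.20 (Serial0/1 *HDLC*) -> 192.168.1.10 (0/0), 310 packets
%SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 198.51.100.21 (Serial0/1 *HDLC*) -> 192.168.1.10 (0/0), 295 packets
%SEC-6-IPACCESSLOGDP: list OTHER permitted icmp 192.0.2.1 (Serial0/1 *HDLC*) -> 192.168.1.10 (0/0), 5 packets
"""

# Assumed layout: "src (intf l2info) -> dst (type/code), N packet(s)";
# the parenthesised interface part is present only with log-input.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?:permitted|denied) icmp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?: \((?P<intf>\S+)\s*[^)]*\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) \((?P<type>\d+)/\d+\), (?P<n>\d+) packets?"
)

# ICMP type seen on the monitored interface -> role our network plays.
ROLE_BY_ICMP_TYPE = {8: "reflector", 0: "target"}


def summarize(log_text, acl="DoSMONITOR"):
    """Return {role: Counter({(source, input_interface): packet_count})}."""
    totals = {role: Counter() for role in ROLE_BY_ICMP_TYPE.values()}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["acl"] != acl:
            continue  # unrelated message or a different access list
        role = ROLE_BY_ICMP_TYPE.get(int(m["type"]))
        if role is None:
            continue  # some other ICMP type
        key = (m["src"], m["intf"] or "no log-input")
        totals[role][key] += int(m["n"])
    return totals


if __name__ == "__main__":
    for role, counts in summarize(SAMPLE_LOG).items():
        print(f"{role}: {sum(counts.values())} packets")
        for (src, intf), n in counts.most_common():
            print(f"  {src} via {intf}: {n}")
```
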




This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART