From: Alex De Gruiter (AU) (Alex.deGruiter@didata.com.au)
Date: Thu Oct 05 2006 - 23:15:18 ART
Hi Angelo,
Thanks for that. Yes, you are right, I meant "echo-reply" on the 2nd
entry. My question should've really been "how to permit traffic and log,
so as to determine the volume and likely source of attacks". I'm
wondering if it would be sufficient to have the "log" entry, or if there
was something else.
Alex
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Angelo De Guzman
Sent: Friday, 6 October 2006 11:55 AM
To: ccielab@groupstudy.com
Subject: Re:Smurf attacks - monitor but do not deny
Hi,
Your DoSMONITOR ACL has the same entry. After correcting that, next
you will need to have the log-input keyword entry in your ACL to match
that suspected traffic. AFAIK for the SMURF attack I think it was
discussed from this groupstudy that you have an attack with you as the
ultimate target and with your network used as a reflector. You might
want to change your ACL to cater to both SMURF attacks.
Angelo
Alex De Gruiter (AU) (10/6/06 9:36 AM):
>
>Hi Guys,
>
>I have a question about monitoring attacks (in particular, Smurf).
>There has been some very good coverage of Smurf attacks in this forum
>in the past, however I have a question about monitoring rather than
>preventing smurf attacks altogether.
>
>Let's say you have a question asking to monitor the volume and source of
>suspected smurf attacks (or, for that matter, another type of attack
>identifiable through an ACL - such as fraggle), however you do not want
>to block any traffic.
>
>Would the following ACL provide the necessary logging data:
>
><config>
>
>ip access-list extended DoSMONITOR
> permit icmp any 192.168.0.255 0.0.255.0 echo log
> permit icmp any 192.168.0.255 0.0.255.0 echo log
> permit ip any any
>
>int serial 0/1
> ip access-group DoSMONITOR in
>
>logging buffered informational
>
></config>
>
>I'm wondering how to respond if a question asks you to log but not deny
>a DoS attack. Anyone feel free to comment on anything in the above mail
>- always keen to learn.
>
>Alex
>
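An added example, not part of the thread: one way to turn the router's ACL log into the "volume and likely source" figures asked about, split by the two Smurf roles mentioned in the reply. It assumes the second DoSMONITOR entry has been corrected to echo-reply, that both entries use log-input, and that the messages follow the usual IOS %SEC-6-IPACCESSLOGDP layout; the log lines and the `tally` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample (not from the thread), assuming the usual IOS ACL log
# layout. "(Serial0/1 *HDLC*)" is the extra field log-input adds over log.
# IOS logs the first match at once, then periodic summaries with a count,
# so volume is the sum of the trailing packet counts, not the line count.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 203.0.113.9 (Serial0/1 *HDLC*) -> 192.168.4.255 (8/0), 1 packet
%SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 203.0.113.9 (Serial0/1 *HDLC*) -> 192.168.4.255 (8/0), 412 packets
%SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 198.51.100.20 (Serial0/1 *HDLC*) -> 192.168.7.10 (0/0), 1 packet
%SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 198.51.100.21 (Serial0/1 *HDLC*) -> 192.168.7.10 (0/0), 95 packets
%SEC-6-IPACCESSLOGDP: list OTHER permitted icmp 203.0.113.9 -> 192.168.4.255 (8/0), 7 packets
"""

LINE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) permitted icmp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?: \((?P<intf>[^)]*)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?")

# ICMP type -> what a hit on that ACL entry suggests.
# Type 8 sources are normally spoofed (the intended victim), so the input
# interface matters more than the address; type 0 sources are reflectors.
ROLE = {8: "echo to broadcast (network used as reflector)",
        0: "echo-reply (network is the target)"}

def tally(log_text, acl="DoSMONITOR"):
    """Return {icmp_type: Counter({source: packets})} for one ACL."""
    totals = {8: Counter(), 0: Counter()}
    for m in LINE.finditer(log_text):
        icmp_type = int(m["type"])
        if m["acl"] == acl and icmp_type in totals:
            totals[icmp_type][m["src"]] += int(m["count"])
    return totals

if __name__ == "__main__":
    for icmp_type, sources in tally(SAMPLE_LOG).items():
        print(ROLE[icmp_type], "total:", sum(sources.values()))
        for src, packets in sources.most_common():
            print(f"  {src:15} {packets}")
```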
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART