From: Angelo De Guzman (a.deguzman@wesolv.ph.fujitsu.com)
Date: Thu Oct 05 2006 - 23:28:00 ART
Hi Alex,
As far as I know the log keyword is useful to check whether there are hits
on your ACL. The log-input keyword causes the router to log information about
packets that match the list entry. Say we assume that logging buffered is
configured, then you see the results using the show log command.
Just my two cents,
Angelo
Alex De Gruiter (AU) (10/6/06 10:15 AM):
>
>Hi Angelo,
>
>Thanks for that. Yes, you are right, I meant "echo-reply" on the 2nd
>entry. My question should've really been "how to permit traffic and log,
>so as to determine the volume and likely source of attacks". I'm
>wondering if it would be sufficient to have the "log" entry, or if there
>was something else.
>
>Alex
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Angelo De Guzman
>Sent: Friday, 6 October 2006 11:55 AM
>To: ccielab@groupstudy.com
>Subject: Re:Smurf attacks - monitor but do not deny
>
>Hi,
> Your DoSMONITOR ACL has the same entry. After correcting that next
>you will need to have the log-input keyword entry in your ACL to match
>that suspected traffic. AFAIK for the SMURF attack I think it was
>discussed from this groupstudy that you have an attack with you as the
>ultimate target and with your network used as a reflector. You might
>want to change your ACL to cater to both SMURF attacks.
>
>Angelo
>
>
>Alex De Gruiter (AU) (10/6/06 9:36 AM):
>>
>>Hi Guys,
>>
>>I have a question about monitoring attacks (in particular, Smurf).
>>There has been some very good coverage of Smurf attacks in this forum
>>in the past, however I have a question about monitoring rather than
>>preventing smurf attacks altogether.
>>
>>Let's say you have a question asking to monitor the volume and source of
>>suspected smurf attacks (or, for that matter, another type of attack
>>identifiable through an ACL - such as fraggle), however you do not want
>>to block any traffic.
>>
>>Would the following ACL provide the necessary logging data:
>>
>><config>
>>
>>ip access-list extended DoSMONITOR
>> permit icmp any 192.168.0.255 0.0.255.0 echo log
>> permit icmp any 192.168.0.255 0.0.255.0 echo log
>> permit ip any any
>>
>>int serial 0/1
>> ip access-group DoSMONITOR in
>>
>>logging buffered informational
>>
>></config>
>>
>>I'm wondering how to respond if a question asks you to log but not deny
>>a DoS attack. Anyone feel free to comment on anything in the above mail
>>- always keen to learn.
>>
>>Alex
>>
>>
>>_______________________________________________________________________
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html
>>
>
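Added example, not part of the thread: one way to turn the buffered ACL log into the "volume and likely source" figures the question asks for, by summing the packet counts per source, input interface and ICMP type. The log lines are constructed, modelled on the IOS %SEC-6-IPACCESSLOGDP message, and the addresses, timestamps and the `summarize` helper are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed "show logging" output (not from a real router). The third line
# from the end belongs to a different ACL and has no interface (plain "log").
SAMPLE_LOG = """\
*Oct  6 01:10:02.113: %SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 10.1.1.5 (Serial0/1 ) -> 192.168.4.255 (8/0), 1 packet
*Oct  6 01:15:02.201: %SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 10.1.1.5 (Serial0/1 ) -> 192.168.4.255 (8/0), 412 packets
*Oct  6 01:15:40.877: %SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 172.16.9.20 (Serial0/1 ) -> 192.168.7.255 (0/0), 1 packet
*Oct  6 01:16:11.002: %SEC-6-IPACCESSLOGDP: list OTHER permitted icmp 10.9.9.9 -> 192.168.1.1 (8/0), 3 packets
*Oct  6 01:20:40.990: %SEC-6-IPACCESSLOGDP: list DoSMONITOR permitted icmp 172.16.9.20 (Serial0/1 ) -> 192.168.7.255 (0/0), 95 packets
"""

# The "(interface)" part after the source only appears with log-input.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) icmp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s*(?:\((?P<intf>[^)]*)\))?\s*-> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?"
)

ICMP_TYPES = {8: "echo", 0: "echo-reply"}


def summarize(log_text, acl="DoSMONITOR"):
    """Return {(source, input interface, icmp type): total packets} for one ACL."""
    totals = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["acl"] != acl:
            continue
        kind = ICMP_TYPES.get(int(m["type"]), "type " + m["type"])
        intf = (m["intf"] or "").strip()
        # Each message reports packets seen since the previous message for
        # the same flow, so the per-message counts are summed.
        totals[(m["src"], intf, kind)] += int(m["count"])
    return totals


if __name__ == "__main__":
    for (src, intf, kind), pkts in summarize(SAMPLE_LOG).most_common():
        print(f"{src:15} {intf or '-':10} {kind:10} {pkts} packets")
```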
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART