From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Thu Oct 05 2006 - 23:48:29 ART
Hi Alex, as Angelo said, this topic has been discussed from time to time,
but it's always good to refresh them back.
IMO, you should read very carefully the English test of what Cisco calls
CCIE Lab, if in those lines, tells you too also to match layer 2 information
in your Logging Information you should use log-input.
) Else if is only for packet counting (show ip access-list) and if in the
Task Wording, says that information should be stored in the logging then log
IMO would be sufficient. (You can change also the thresholds of Hits the
Access-list could have)
Also, you have to look if your network is /24, what if you have other
networks with other prefix-length value inside your domain (/25, /32), say
that you are applying this ACL to the As Border Router in your OSPF Domain
So for to me is the following ACL:
Ip access-list e ACL-ICMP-DOS-ATTACK
10 permit icmp any any echo log
20 permit icmp any any echo-reply log
30 permit ip any any
Int e0/0
Ip access-gr ICMP-LOGGER in
Is obviosly that if I'm an Amplifier of the Smurf Attack then I would expect
to see line 20 with more hits that 10, but if I'm the Victim then I would
see line 10 with more hits.
There is also a Cisco documentation, which in better English explains this
http://www.cisco.com/warp/public/707/22.html#topic8
Saludos,
Victor.-
-----Mensaje original-----
De: nobody@groupstudy.com [mailto:nobody@groupstudy.com] En nombre de Alex
De Gruiter (AU)
Enviado el: Jueves, 05 de Octubre de 2006 10:15 p.m.
Para: Angelo De Guzman; ccielab@groupstudy.com
Asunto: RE: Smurf attacks - monitor but do not deny
Hi Angelo,
Thanks for that. Yes, you are right, I meant "echo-reply" on the 2nd
entry. My question should've really been "how to permit traffic and log,
so as to determine the volume and likely source of attacks". I'm
wondering if it would be sufficient to have the "log" entry, or if there
was something else.
Alex
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Angelo De Guzman
Sent: Friday, 6 October 2006 11:55 AM
To: ccielab@groupstudy.com
Subject: Re:Smurf attacks - monitor but do not deny
Hi,
Your DoSMONITOR ACL has the same entry. After correcting that next
you will need to have the log-input keyword entry in your ACL to match
that suspected traffic. AFAIK for the SMURF attack I think it was
discussed from this groupstudy that you have an attack with you as the
ultimate target and with your network used as a reflector. You might
want to change your ACL to cater to both SMURF attacks.
Angelo
Alex De Gruiter (AU) (10/6/06 9:36 AM):
>
>Hi Guys,
>
>I have a question about monitoring attacks (in particular, Smurf).
>There has been some very good coverage of Smurf attacks in this forum
>in the past, however I have a question about monitoring rather than
>preventing smurf attacks altogether.
>
>Lets say you have a question asking to monitor the volume and source of
>suspected smurf attacks (or, for that matter, another type of attack
>identifiable through an ACL - such as fraggle), however you do not want
>to block any traffic.
>
>Would the following ACL provide the necessary logging data:
>
><config>
>
>ip access-list extended DoSMONITOR
> permit icmp any 192.168.0.255 0.0.255.0 echo log
> permit icmp any 192.168.0.255 0.0.255.0 echo log
> permit ip any any
>
>int serial 0/1
> ip access-group DoSMONITOR in
>
>logging buffered informational
>
></config>
>
>I'm wondering how to respond if a question asks you to log but not deny
>a DoS attack. Anyone feel free to comment on anything in the above mail
>- always keen to learn.
>
>Alex
>
>***********************************************************************
>*******
> - NOTICE FROM DIMENSION DATA AUSTRALIA This message is confidential,
>and may contain proprietary or legally
privileged information. If you have received this email in error,
please notify the sender and delete it immediately.
>
>Internet communications are not secure. You should scan this message
>and any
attachments for viruses. Under no circumstances do we accept liability
for any loss or damage which may result from your receipt of this
message or any attachments.
>***********************************************************************
>*******
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>
>***********************
>No virus was detected in the attachment no filename
>
>Your mail has been scanned by InterScan MSS.
>***********-***********
>
***********************
No virus was detected in the attachment no filename
Your mail has been scanned by InterScan MSS.
***********-***********
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART