Re: Smurf attacks - monitor but do not deny

From: Naveed Khan (naveed_k@hotmail.com)
Date: Fri Oct 06 2006 - 12:24:19 ART


Hello
The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets
in the same fashion as the ICMP echo packets.

So shouldn't we also add to the access-list: permit udp any any eq echo log ?

Naveed

----- Original Message -----
From: "Victor Cappuccio" <cvictor@protokolgroup.com>
To: "'Alex De Gruiter (AU)'" <Alex.deGruiter@didata.com.au>; "'Angelo De
Guzman'" <a.deguzman@wesolv.ph.fujitsu.com>; <ccielab@groupstudy.com>
Sent: Thursday, October 05, 2006 7:48 PM
Subject: RE: Smurf attacks - monitor but do not deny

> Hi Alex, as Angelo said, this topic has been discussed from time to time,
> but it's always good to refresh it.
> IMO, you should read very carefully the English text of what Cisco calls the
> CCIE Lab; if those lines also tell you to match layer 2 information in your
> logging information, you should use log-input.
> Else, if it is only for packet counting (show ip access-list), and if the
> task wording says that information should be stored in the logging, then log
> IMO would be sufficient. (You can also change the thresholds of hits the
> access-list could have.)
>
> Also, you have to check whether your network is a /24; what if you have other
> networks with other prefix lengths inside your domain (/25, /32), say if you
> are applying this ACL to the AS border router in your OSPF domain?
>
> So for me it is the following ACL:
>
> ip access-list extended ACL-ICMP-DOS-ATTACK
>  10 permit icmp any any echo log
>  20 permit icmp any any echo-reply log
>  30 permit ip any any
>
> interface Ethernet0/0
>  ip access-group ACL-ICMP-DOS-ATTACK in
>
> Obviously, if I'm an amplifier of the smurf attack then I would expect
> to see line 20 with more hits than 10, but if I'm the victim then I would
> see line 10 with more hits.
>
> There is also Cisco documentation which explains this in better English:
> http://www.cisco.com/warp/public/707/22.html#topic8
>
> Regards,
> Victor.-
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Alex
> De Gruiter (AU)
> Sent: Thursday, 05 October 2006 10:15 p.m.
> To: Angelo De Guzman; ccielab@groupstudy.com
> Subject: RE: Smurf attacks - monitor but do not deny
>
> Hi Angelo,
>
> Thanks for that. Yes, you are right, I meant "echo-reply" on the 2nd
> entry. My question should've really been "how to permit traffic and log,
> so as to determine the volume and likely source of attacks". I'm
> wondering if it would be sufficient to have the "log" entry, or if there
> was something else.
>
> Alex
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Angelo De Guzman
> Sent: Friday, 6 October 2006 11:55 AM
> To: ccielab@groupstudy.com
> Subject: Re:Smurf attacks - monitor but do not deny
>
> Hi,
> Your DoSMONITOR ACL has the same entry twice. After correcting that, next
> you will need to have the log-input keyword in your ACL entries to match
> that suspected traffic. AFAIK for the SMURF attack, I think it was
> discussed on this groupstudy that you have an attack with you as the
> ultimate target and one with your network used as a reflector. You might
> want to change your ACL to cater to both SMURF attacks.
>
> Angelo
>
>
> Alex De Gruiter (AU) (10/6/06 9:36 AM):
> >
> >Hi Guys,
> >
> >I have a question about monitoring attacks (in particular, Smurf).
> >There has been some very good coverage of Smurf attacks in this forum
> >in the past, however I have a question about monitoring rather than
> >preventing smurf attacks altogether.
> >
> >Let's say you have a question asking to monitor the volume and source of
> >suspected smurf attacks (or, for that matter, another type of attack
> >identifiable through an ACL - such as fraggle), however you do not want
> >to block any traffic.
> >
> >Would the following ACL provide the necessary logging data:
> >
> ><config>
> >
> >ip access-list extended DoSMONITOR
> > permit icmp any 192.168.0.255 0.0.255.0 echo log
> > permit icmp any 192.168.0.255 0.0.255.0 echo log
> > permit ip any any
> >
> >int serial 0/1
> > ip access-group DoSMONITOR in
> >
> >logging buffered informational
> >
> ></config>
> >
> >I'm wondering how to respond if a question asks you to log but not deny
> >a DoS attack. Anyone feel free to comment on anything in the above mail
> >- always keen to learn.
> >
> >Alex
> >
> >
> >_______________________________________________________________________
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
> >
>
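Editor's worked example, added to this archive page and not posted by anyone in the thread: a short Python script that reads the syslog lines IOS emits for "permit ... log" and "permit ... log-input" entries such as Victor's ACL-ICMP-DOS-ATTACK (plus Naveed's UDP echo entry for fraggle), sums packets per destination, and reports whether the router is acting as a reflector (echo requests or UDP echo aimed at one of its own directed-broadcast addresses) or is the victim (echo replies converging on a single host). The %SEC-6-IPACCESSLOGDP / IPACCESSLOGP message layout is as I know it from IOS and is an assumption here; the addresses, interface, MAC, prefixes, counts and the 100-packet victim threshold are constructed test data. It checks the destination against the actual broadcast address of each configured prefix rather than for a trailing .255, which is Victor's /25 point.

```python
"""Classify Cisco IOS ACL log lines as smurf/fraggle reflector or victim traffic.

Added example, not code from the thread. Log layout assumed from IOS
%SEC-6-IPACCESSLOGDP (icmp) / %SEC-6-IPACCESSLOGP (udp/tcp) messages;
all addresses, names and counts are constructed test data.
"""
import ipaddress
import re
from collections import defaultdict

# Prefixes behind the router, deliberately of mixed length: a test for
# ".255" alone would miss the /25 directed broadcast 192.168.2.127.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("192.168.1.0/24", "192.168.2.0/25", "192.168.2.128/25")]

# Constructed sample log. 'log-input' adds "(Interface mac)" after the
# source; plain 'log' omits it (last line). Counts > 1 are the periodic
# summaries IOS emits after logging the first matching packet.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGDP: list ACL-ICMP-DOS-ATTACK permitted icmp 203.0.113.7 (Serial0/1 0000.0c07.ac01) -> 192.168.1.255 (8/0), 38 packets
%SEC-6-IPACCESSLOGDP: list ACL-ICMP-DOS-ATTACK permitted icmp 203.0.113.7 (Serial0/1 0000.0c07.ac01) -> 192.168.2.127 (8/0), 41 packets
%SEC-6-IPACCESSLOGDP: list ACL-ICMP-DOS-ATTACK permitted icmp 198.51.100.20 (Serial0/1 0000.0c07.ac01) -> 192.168.1.10 (0/0), 120 packets
%SEC-6-IPACCESSLOGDP: list ACL-ICMP-DOS-ATTACK permitted icmp 198.51.100.21 (Serial0/1 0000.0c07.ac01) -> 192.168.1.10 (0/0), 97 packets
%SEC-6-IPACCESSLOGP: list ACL-ICMP-DOS-ATTACK permitted udp 203.0.113.7(53) (Serial0/1 0000.0c07.ac01) -> 192.168.1.255(7), 12 packets
%SEC-6-IPACCESSLOGDP: list ACL-ICMP-DOS-ATTACK permitted icmp 192.168.1.50 -> 192.168.1.60 (8/0), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:DP|P): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>icmp|udp|tcp) (?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ifc>\S+) (?P<mac>[0-9a-fA-F.]+)\))? -> (?P<dst>\d+(?:\.\d+){3})"
    r"(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, "
    r"(?P<packets>\d+) packets?"
)


def parse_line(line):
    """Return the fields of one ACL log line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "itype", "icode", "packets"):
        entry[key] = int(entry[key]) if entry[key] is not None else None
    return entry


def is_local_broadcast(dst, nets):
    """True if dst is the directed-broadcast address of one of our prefixes."""
    addr = ipaddress.ip_address(dst)
    return any(addr == n.broadcast_address for n in nets)


def classify(entry, nets):
    """'reflector' for ICMP echo request / UDP echo (port 7) sent to one of
    our broadcast addresses, 'victim' for an inbound ICMP echo reply,
    None for anything else (ordinary traffic matched by the permit ip any any)."""
    icmp = entry["proto"] == "icmp"
    echo_request = icmp and entry["itype"] == 8
    echo_reply = icmp and entry["itype"] == 0
    udp_echo = entry["proto"] == "udp" and entry["dport"] == 7
    if (echo_request or udp_echo) and is_local_broadcast(entry["dst"], nets):
        return "reflector"
    if echo_reply:
        return "victim"
    return None


def summarize(lines, nets=LOCAL_NETS, victim_threshold=100):
    """Aggregate log lines into per-destination packet counts and source lists.
    Victims are only reported once their reply volume reaches victim_threshold,
    so ordinary ping replies do not trigger a report."""
    roles = {"reflector": defaultdict(lambda: {"packets": 0, "sources": set()}),
             "victim": defaultdict(lambda: {"packets": 0, "sources": set()})}
    ingress, ignored = set(), 0
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["ifc"]:                      # only present with log-input
            ingress.add(e["ifc"])
        role = classify(e, nets)
        if role is None:
            ignored += e["packets"]
            continue
        bucket = roles[role][e["dst"]]
        bucket["packets"] += e["packets"]
        bucket["sources"].add(e["src"])   # spoofed sources (reflector) or replying hosts (victim)
    report = {"ignored_packets": ignored, "ingress": sorted(ingress)}
    for role, buckets in roles.items():
        report[role] = {dst: {"packets": b["packets"], "sources": sorted(b["sources"])}
                        for dst, b in buckets.items()
                        if role == "reflector" or b["packets"] >= victim_threshold}
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG.splitlines()), indent=2))
```

Two practical notes on feeding this from a router: the IPACCESSLOG messages are severity 6, so Alex's "logging buffered informational" is the right level to keep them in the buffer; and IOS logs the first matching packet at once, then a summary with a packet count on a timer (five minutes by default, or earlier after "ip access-list log-update threshold N" hits), which is what Victor's remark about hit thresholds refers to and why the counts above are per-summary rather than per-packet.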



This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART