RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT

From: Ubaid Iftikhar (AU) (Magmax@bigpond.net.au)
Date: Fri Oct 27 2006 - 22:10:50 ART


Guys,

I think I have the right ACL for SMURF Attacks

no service udp-small-servers

Extended IP access list SMURF
    10 deny icmp any 0.0.0.255 255.255.255.0 echo log-input
    20 deny icmp any 0.0.0.0 255.255.255.0 echo log-input
    30 deny icmp any 0.0.0.255 255.255.255.0 echo-reply log-input
    40 deny icmp any 0.0.0.0 255.255.255.0 echo-reply log-input
    50 deny udp any any eq echo log-input
    60 deny udp any eq echo any log-input
    70 permit ip any any

My Justification for ACL Entries

1. Smurf and Fraggle are both directed at the broadcast address. I am assuming
   my network is Class C.
2. 10 & 20 show if I am used as a reflector.
3. 30 & 40 show if I am the victim.
4. 50 and 60 are for Fraggle (same attack as Smurf but uses UDP echo).
5. The last line will permit all other traffic.

Note: you can also use

no ip directed-broadcast
ip verify unicast reverse-path

Anyone like to correct me?

Reference:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml
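As an added example (not part of the original post or of Cisco's document), here is a small Python evaluator that applies the SMURF list above to constructed packets using Cisco wildcard-mask semantics; the constructed /24 (192.0.2.0/24) and the packet field names are assumptions. Running it shows that lines 10 to 60 catch the reflector case and both Fraggle cases, while an echo-reply flood aimed at a unicast host address in the /24 (the victim case David Mitchell describes further down) falls through to line 70.

```python
# Added example, not from the thread: evaluate the "Extended IP access list SMURF"
# against constructed packets. Cisco wildcard masks: a 1 bit means "don't care".
import ipaddress

def wildcard_match(addr, pattern, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # bits that must match
    return (a & care) == (p & care)

# (seq, action, protocol, dst pattern, dst wildcard, qualifier). "any" is written
# as 0.0.0.0 255.255.255.255; qualifier is ("icmp", type), ("sport"/"dport", port) or None.
SMURF_ACL = [
    (10, "deny",   "icmp", "0.0.0.255", "255.255.255.0",   ("icmp", "echo")),
    (20, "deny",   "icmp", "0.0.0.0",   "255.255.255.0",   ("icmp", "echo")),
    (30, "deny",   "icmp", "0.0.0.255", "255.255.255.0",   ("icmp", "echo-reply")),
    (40, "deny",   "icmp", "0.0.0.0",   "255.255.255.0",   ("icmp", "echo-reply")),
    (50, "deny",   "udp",  "0.0.0.0",   "255.255.255.255", ("dport", 7)),
    (60, "deny",   "udp",  "0.0.0.0",   "255.255.255.255", ("sport", 7)),
    (70, "permit", "ip",   "0.0.0.0",   "255.255.255.255", None),
]

def entry_matches(entry, pkt):
    _seq, _action, proto, dst, wc, qual = entry
    if proto not in ("ip", pkt["proto"]) or not wildcard_match(pkt["dst"], dst, wc):
        return False
    if qual is None:
        return True
    kind, value = qual
    return pkt.get("icmp_type" if kind == "icmp" else kind) == value

def evaluate(acl, pkt):
    # First matching line wins; an IOS ACL ends with an implicit deny.
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry[1], entry[0]
    return "deny", None

# Constructed packets (RFC 5737 test addresses); 192.0.2.0/24 is "my" Class C.
SAMPLES = {
    "smurf_reflector":    {"proto": "icmp", "dst": "192.0.2.255", "icmp_type": "echo"},
    "smurf_victim_bcast": {"proto": "icmp", "dst": "192.0.2.0", "icmp_type": "echo-reply"},
    "smurf_victim_host":  {"proto": "icmp", "dst": "192.0.2.7", "icmp_type": "echo-reply"},
    "fraggle_reflector":  {"proto": "udp", "dst": "192.0.2.255", "sport": 40000, "dport": 7},
    "fraggle_victim":     {"proto": "udp", "dst": "192.0.2.7", "sport": 7, "dport": 40000},
    "normal_https":       {"proto": "tcp", "dst": "192.0.2.7", "sport": 40000, "dport": 443},
}

def classify_samples():
    return {name: evaluate(SMURF_ACL, pkt) for name, pkt in SAMPLES.items()}
```

Cisco's own reference list in the linked tech note uses `deny icmp any any echo-reply`, which also covers the unicast victim case that the /24-specific lines 30 and 40 let through.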

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Aamir Aziz
Sent: Thursday, 24 August 2006 7:59 PM
To: David Mitchell
Cc: Scott Morris; Chris Broadway; Peter Plak; Victor Cappuccio; Dusty; David
Redfern (AU); ccielab@groupstudy.com
Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT

OK, I think I am on the right track; thanks a lot, guys. OK, one last question:
in the case of UDP, if I need to be more specific (my network is a /24), then would
this be the correct ACL for UDP:

deny udp any 0.0.0.255 255.255.255.0 echo
deny udp any 0.0.0.0 255.255.255.0 echo

There is no source echo here; do I need to put that when I am being more
specific?

Thanks
Aamir


On 8/23/06, David Mitchell <david.mitchell@centientnetworks.com> wrote:
>
> In my opinion, both of them would work. Obviously the first one is more
> specific. You could just deny icmp period and it would work. It is all in
> the wording of the question as to exactly which you should implement.
> ------------------------------
>
> *From:* Aamir Aziz [mailto:aamiraz77@gmail.com]
> *Sent:* Wednesday, August 23, 2006 3:11 PM
> *To:* David Mitchell
> *Cc:* Scott Morris; Chris Broadway; Peter Plak; Victor Cappuccio; Dusty;
> David Redfern (AU); ccielab@groupstudy.com
>
> *Subject:* Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
>
>
> Hi all
>
>
>
> Many thanks for all the replies. OK, so if I build the following ACL
> (let's say on the edge router) to protect myself from being the REFLECTOR and
> the VICTIM of a SMURF/Fraggle attack, would this work:
>
>
>
> deny icmp any 0.0.0.255 255.255.255.0 echo
>
> deny icmp any 0.0.0.0 255.255.255.0 echo
>
> deny icmp any 0.0.0.255 255.255.255.0 echo-reply
>
> deny icmp any 0.0.0.0 255.255.255.0 echo-reply
>
> deny udp any any eq echo
> deny udp any eq echo any
> permit ip any any
>
>
>
> or this one (from
> http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml#topic3
> )
>
>
>
> deny icmp any any echo
> deny icmp any any echo-reply
> deny udp any any eq echo
> deny udp any eq echo any
>
> permit ip any any
>
>
>
> Which of them would work? If both, then which is appropriate for the CCIE lab;
> if neither, then what is missing here?
>
>
>
> Many thanks
>
> Aamir
>
>
>
>
>
> On 8/23/06, *David Mitchell* <david.mitchell@centientnetworks.com> wrote:
>
> If my understanding of Smurf attacks is correct, your strategy would
> succeed in stopping you from being the REFLECTOR, but not the VICTIM.
>
> If you are the VICTIM of a Smurf attack, the packets you will be seeing
> will be unicast icmp echo-reply packets sourced from the REFLECTOR to
> your address. This would be because the attacker spoofed your address
> range and sent the icmp echo-requests to the reflector's broadcast
> address, resulting in the reflector responding with the echo-replies to
> your addresses.
>
> If my understanding is correct, you would need to filter out icmp
> echo-reply packets on the edge to stop this.
>
> Hopefully I understand this properly. So far I'm a two-time Security
> lab failure!!
>
> - Dave
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Scott Morris
> Sent: Wednesday, August 23, 2006 12:17 PM
> To: 'Aamir Aziz'
> Cc: 'Chris Broadway'; 'Peter Plak'; 'Victor Cappuccio'; 'Dusty'; 'David
> Redfern (AU)'; ccielab@groupstudy.com
> Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
> If you are looking to stop an attack TO a router, I'd use:
>
> no ip directed-broadcast (on each interface)
> no service udp-small-servers (which will shut down those udp ports)
>
> I believe both may be defaults now (Cisco is occasionally nice).
>
> If you have to filter on an edge, which makes more sense, I believe both
> Brian and I have offered multiple methods of accomplishing this. One is not
> necessarily better than another. Below, I lay out the port numbers for you,
> so build an ACL matching each of those in UDP as well as ICMP echo coming
> in.
>
> Building the ACL shouldn't be a difficult exercise as you know the
> information below. In the middle of your exam (IMHO) you won't be required
> to memorize the multiple ports that a Fraggle attack may go after unless it
> is mentioned someplace on the DocCD. So build away! Come up with one and
> let's see what you got!
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> #153, CISSP, et al.
> CCSI/JNCI-M/JNCI-J
> IPExpert VP - Curriculum Development
> IPExpert Sr. Technical Instructor
> smorris@ipexpert.com
> http://www.ipexpert.com
>
>
> _____
>
> From: Aamir Aziz [mailto:aamiraz77@gmail.com]
> Sent: Wednesday, August 23, 2006 10:09 AM
> To: swm@emanon.com
> Cc: Chris Broadway; Peter Plak; Victor Cappuccio; Dusty; David Redfern
> (AU);
> ccielab@groupstudy.com
> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
>
> Dear Mr. Brian & Mr. Scott,
>
> Thank you for the valuable input. I think it was really helpful, but let's
> say in the exam they clearly mention that it is a SMURF/Fraggle attack
> and we need to stop it using an ACL; then, in your expert opinion, what ACL
> should we use on the router?
>
> Thanks
> Aamir
>
>
> On 8/22/06, Scott Morris <swm@emanon.com> wrote:
>
> Well, look at the two attacks and what they are first.
>
> Smurf is an ICMP-based attack. Typically the echo-request packets are sent
> TO the subnet-broadcast address. This is simply stopped (and by default)
> with "no ip directed-broadcast" on a LAN. Or you can filter on an edge
> router closer to the Internet link using an extended ACL.
>
> Being that most Smurf attacks are also from spoofed addresses, "ip verify
> unicast reverse-path" or "ip verify unicast source reachable-via any" could
> help. (<--RFC 2267) You could also rate-limit the information, but this
> isn't the best solution!
>
> Fraggle is the same type of attack, except that it involves UDP packets
> instead of ICMP ones. Typically it's directed at common unix-based echo
> ports (7, 13, 17, 19). So the same methods will protect you.
>
> For TCP SYN attacks, that usually involves a bunch of embryonic (half-open)
> connections going on. Short of your router(s) monitoring the number of
> initial TCP open requests that come in, there's not many good ways to do
> this! Firewalls (including CBAC) are certainly the best ways, but not on
> the R&S exam!!!
>
> You may have TCP Intercept on your exam covered by some of the more generic
> security features listed on the Blueprint! Look in the same security
> command reference where the RPF information is at, and you'll see "ip tcp
> intercept" for some information on that.
>
> While you could rate-limit with an ACL matching "tcp any any syn", like
> many things, which one you choose as your solution may depend on the
> requirements of the lab!
>
> Just my thoughts...
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
> #153, CISSP, et al.
> CCSI/JNCI-M/JNCI-J
> IPExpert VP - Curriculum Development
> IPExpert Sr. Technical Instructor
> smorris@ipexpert.com
> http://www.ipexpert.com
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Chris Broadway
> Sent: Tuesday, August 22, 2006 11:21 AM
> To: Peter Plak
> Cc: Victor Cappuccio; Dusty; David Redfern (AU); Aamir Aziz;
> ccielab@groupstudy.com
> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
> Group,
>
> Can we get the "Brians" and/or Scott to give us their opinion on the
> definitive ACL to log smurf, fraggle, and TCP SYN attacks? I think everyone
> has an opinion, but I have not heard from the ones I consider to be the most
> trusted sources.
>
> -Broadway
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:06 ART