Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT

From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Sat Oct 28 2006 - 07:42:32 ART


Sir,

If I am a victim, I don't know where they are coming from and I don't know
which host they are destined for, so I must use any. Why include an
echo-reply line destined for the subnet and broadcast addresses? I do not
think a smurf spoofed source will be this address, rather than any
address inside my network.
I would say:
30 & 40 = deny icmp any any echo-reply
will be the right one.

Just to say something.
Regards + Thanks

----- Original Message -----
From: "Ubaid Iftikhar (AU)" <Magmax@bigpond.net.au>
To: "'Aamir Aziz'" <aamiraz77@gmail.com>; "'David Mitchell'"
<david.mitchell@centientnetworks.com>
Cc: "'Scott Morris'" <swm@emanon.com>; "'Chris Broadway'"
<midatlanticnet@gmail.com>; "'Peter Plak'" <plukkie@gmail.com>; "'Victor
Cappuccio'" <cvictor@protokolgroup.com>; "'Dusty'" <dustygoody@gmail.com>;
"'David Redfern (AU)'" <David.Redfern@didata.com.au>;
<ccielab@groupstudy.com>
Sent: Friday, October 27, 2006 8:10 PM
Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT

> Guys,
>
> I think I have the right ACL for SMURF Attacks
>
> no service udp-small-servers
>
>
> Extended IP access list SMURF
> 10 deny icmp any 0.0.0.255 255.255.255.0 echo log-input
> 20 deny icmp any 0.0.0.0 255.255.255.0 echo log-input
> 30 deny icmp any 0.0.0.255 255.255.255.0 echo-reply log-input
> 40 deny icmp any 0.0.0.0 255.255.255.0 echo-reply log-input
> 50 deny udp any any eq echo log-input
> 60 deny udp any eq echo any log-input
> 70 permit ip any any
>
> My Justification for ACL Entries
>
>
> 1. Smurf and Fraggle are both directed at broadcast address. I am assuming
> my network is Class C
> 2. 10 & 20 show if I am used as reflector
> 3. 30 & 40 show if I am victim
> 4. 50 and 60 are for Fraggle (same attack as Smurf but uses udp echo)
> 5. Last line will permit all other traffic
>
>
>
> Note.
>
> Also you can use
>
> No ip directed-broadcast
> ip verify unicast reverse-path
>
> Anyone like to correct me
>
> Reference:
> http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Aamir Aziz
> Sent: Thursday, 24 August 2006 7:59 PM
> To: David Mitchell
> Cc: Scott Morris; Chris Broadway; Peter Plak; Victor Cappuccio; Dusty;
> David
> Redfern (AU); ccielab@groupstudy.com
> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
> Ok, I think I am on the right track, thanks a lot guys. Ok, one last
> question: in case of UDP, if I need to be more specific (my network is /24),
> then would this be the correct ACL for udp:
>
> deny udp any 0.0.0.255 255.255.255.0 echo
> deny udp any 0.0.0.0 255.255.255.0 echo
>
> There is no source echo here; do I need to put that when I am being more
> specific?
>
> Thanks
> Aamir
>
>
>
> On 8/23/06, David Mitchell <david.mitchell@centientnetworks.com> wrote:
>>
>> In my opinion, both of them would work. Obviously the first one is more
>> specific. You could just deny icmp period and it would work. It is all in
>> the wording of the question as to exactly which you should implement.
>> ------------------------------
>>
>> *From:* Aamir Aziz [mailto:aamiraz77@gmail.com]
>> *Sent:* Wednesday, August 23, 2006 3:11 PM
>> *To:* David Mitchell
>> *Cc:* Scott Morris; Chris Broadway; Peter Plak; Victor Cappuccio; Dusty;
>> David Redfern (AU); ccielab@groupstudy.com
>>
>> *Subject:* Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>>
>>
>>
>> Hi all
>>
>>
>>
>> Many thanks for all the replies. Ok, so if I build the following ACL
>> (let's say on edge router) to protect myself from being the REFLECTOR and
>> the VICTIM for SMURF/Fraggle attack, would this work:
>>
>>
>>
>> deny icmp any 0.0.0.255 255.255.255.0 echo
>>
>> deny icmp any 0.0.0.0 255.255.255.0 echo
>>
>> deny icmp any 0.0.0.255 255.255.255.0 echo-reply
>>
>> deny icmp any 0.0.0.0 255.255.255.0 echo-reply
>>
>> deny udp any any eq echo
>> deny udp any eq echo any
>> permit ip any any
>>
>>
>>
>> or this one (from
>> http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml#topic3
>> )
>>
>>
>>
>> deny icmp any any echo
>> deny icmp any any echo-reply
>> deny udp any any eq echo
>> deny udp any eq echo any
>>
>> permit ip any any
>>
>>
>>
>> Which of them would work? If both then which is appropriate for CCIE lab,
>> if neither then what is missing here.
>>
>>
>>
>> Many thanks
>>
>> Aamir
>>
>>
>>
>>
>>
>> On 8/23/06, *David Mitchell* <david.mitchell@centientnetworks.com> wrote:
>>
>> If my understanding of Smurf attacks is correct, your strategy would
>> succeed in stopping you from being the REFLECTOR, but not the VICTIM.
>>
>> If you are the VICTIM of a Smurf attack, the packets you will be seeing
>> will be unicast icmp echo-reply packets sourced from the REFLECTOR to
>> your address. This would be because the attacker spoofed your address
>> range and sent the icmp echo-requests to the reflector's broadcast
>> address, resulting in the reflector responding with the echo-reply's to
>> your addresses.
>>
>> If my understanding is correct, you would need to filter out icmp
>> echo-reply packets on the edge to stop this.
>>
>> Hopefully I understand this properly. So far I'm a two-time Security
>> lab failure!!
>>
>> - Dave
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Scott Morris
>> Sent: Wednesday, August 23, 2006 12:17 PM
>> To: 'Aamir Aziz'
>> Cc: 'Chris Broadway'; 'Peter Plak'; 'Victor Cappuccio'; 'Dusty'; 'David
>> Redfern (AU)'; ccielab@groupstudy.com
>> Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>>
>> If you are looking to stop an attack TO a router, I'd use:
>>
>> no ip directed-broadcast (on each interface)
>> no service udp-small-servers (which will shut down those udp ports)
>>
>> I believe both may be defaults now (Cisco is occasionally nice).
>>
>> If you have to filter on an edge, which makes more sense, I believe both
>> Brian and I have offered multiple methods of accomplishing this. One is not
>> necessarily better than another. Below, I lay out the port numbers for you,
>> so build an ACL matching each of those in udp as well as ICMP echo coming
>> in.
>>
>> Building the ACL shouldn't be a difficult exercise as you know the
>> information below. In the middle of your exam (IMHO) you won't be required
>> to memorize the multiple ports that a Fraggle attack may go after unless it
>> is mentioned someplace on the DocCD. So build away! Come up with one and
>> let's see what you got!
>>
>>
>> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
>> JNCIE #153, CISSP, et al.
>> CCSI/JNCI-M/JNCI-J
>> IPExpert VP - Curriculum Development
>> IPExpert Sr. Technical Instructor
>> smorris@ipexpert.com
>> http://www.ipexpert.com
>>
>>
>> _____
>>
>> From: Aamir Aziz [mailto:aamiraz77@gmail.com]
>> Sent: Wednesday, August 23, 2006 10:09 AM
>> To: swm@emanon.com
>> Cc: Chris Broadway; Peter Plak; Victor Cappuccio; Dusty; David Redfern
>> (AU);
>> ccielab@groupstudy.com
>> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>>
>>
>> Dear Mr.Brian & Mr.Scott,
>>
>> Thank you for the valuable input, I think it was really helpful, but let's
>> say in the exam they clearly mention that it is a SMURF/Fraggle attack
>> and we need to stop it using an ACL. Then, in your expert opinion, what ACL
>> should we use on the router?
>>
>> Thanks
>> Aamir
>>
>>
>> On 8/22/06, Scott Morris <swm@emanon.com> wrote:
>>
>> Well, look at the two attacks and what they are first.
>>
>> Smurf is an ICMP-based attack. Typically the echo-request packets are sent
>> TO the subnet-broadcast address. This is simply stopped (and by default)
>> with "no ip directed-broadcast" on a LAN. Or you can filter on an edge
>> router closer to the Internet link using an extended ACL.
>>
>> Being that most Smurf attacks are also from spoofed addresses, "ip verify
>> unicast reverse-path" or "ip verify unicast source reachable via any" could
>> help. (<--RFC 2267) You could also rate-limit the information, but this
>> isn't the best solution!
>>
>> Fraggle is the same type of attack, except that it involves UDP packets
>> instead of ICMP ones. Typically it's directed at common unix-based echo
>> ports (7, 13, 17, 19). So the same methods will protect you.
>>
>> For TCP SYN attacks, that usually involves a bunch of embryonic (half-open)
>> connections going on. Short of your router(s) monitoring the number of
>> initial TCP open requests that come in, there's not many good ways to do
>> this! Firewalls (including CBAC) are certainly the best ways, but not on
>> the R&S exam!!!
>>
>> You may have TCP Intercept on your exam covered by some of the more generic
>> security features listed on the Blueprint! Look in the same security
>> command reference where the RPF information is at, and you'll see "ip tcp
>> intercept" for some information on that.
>>
>> You could also rate-limit with an acl matching "tcp any any syn". Like
>> many things, which one you choose as your solution may depend on the
>> requirements of the lab!
>>
>> Just my thoughts...
>>
>>
>> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
>> JNCIE #153, CISSP, et al.
>> CCSI/JNCI-M/JNCI-J
>> IPExpert VP - Curriculum Development
>> IPExpert Sr. Technical Instructor
>> smorris@ipexpert.com
>> http://www.ipexpert.com
>>
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Chris Broadway
>> Sent: Tuesday, August 22, 2006 11:21 AM
>> To: Peter Plak
>> Cc: Victor Cappuccio; Dusty; David Redfern (AU); Aamir Aziz;
>> ccielab@groupstudy.com
>> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>>
>> Group,
>>
>> Can we get the "Brians" and/or Scott to give us their opinion on the
>> definitive ACL to log smurf, fraggle, and TCP syn attacks? I think everyone
>> has an opinion but have not heard from the ones I consider to be the most
>> trusted sources.
>>
>> -Broadway
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>

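As an added illustration that is not part of any post in this thread, the following Python simulates Cisco wildcard-mask matching for the ICMP lines of the ACL posted above and runs it against two constructed packets: an echo-request to the /24 subnet broadcast (the reflector case) and a unicast echo-reply to an inside host (the victim case). The addresses are RFC 5737 documentation ranges chosen here, and the packet dictionaries, ACL tables and function names are assumptions of this example.

```python
import ipaddress


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard means the
    corresponding address bit must equal the pattern bit."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ p) & (0xFFFFFFFF ^ w) == 0


# ICMP entries of the ACL posted in the thread: (seq, dst pattern, dst wildcard, icmp type).
# 0.0.0.255 / 255.255.255.0 matches any address whose last octet is 255 (the /24
# subnet broadcast); 0.0.0.0 / 255.255.255.0 matches any address ending in .0.
ACL_THREAD = [
    (10, "0.0.0.255", "255.255.255.0", "echo"),
    (20, "0.0.0.0", "255.255.255.0", "echo"),
    (30, "0.0.0.255", "255.255.255.0", "echo-reply"),
    (40, "0.0.0.0", "255.255.255.0", "echo-reply"),
]

# Edouard's alternative for the victim side: "deny icmp any any echo-reply".
ACL_ANY_REPLY = [(30, "0.0.0.0", "255.255.255.255", "echo-reply")]


def first_deny(acl, pkt):
    """Return the sequence number of the first deny line matching an ICMP
    packet, or None when it falls through to the final 'permit ip any any'."""
    for seq, pattern, wildcard, icmp_type in acl:
        if pkt["icmp_type"] == icmp_type and wildcard_match(pkt["dst"], pattern, wildcard):
            return seq
    return None


# Constructed sample packets (assumption: the protected network is 192.0.2.0/24).
# Reflector case: an echo-request aimed at our subnet broadcast address.
REFLECTOR_PKT = {"src": "198.51.100.7", "dst": "192.0.2.255", "icmp_type": "echo"}
# Victim case: a unicast echo-reply from a reflector to one of our hosts.
VICTIM_PKT = {"src": "203.0.113.9", "dst": "192.0.2.42", "icmp_type": "echo-reply"}

if __name__ == "__main__":
    print("reflector traffic, thread ACL :", first_deny(ACL_THREAD, REFLECTOR_PKT))  # 10
    print("victim traffic, thread ACL    :", first_deny(ACL_THREAD, VICTIM_PKT))  # None
    print("victim traffic, any echo-reply:", first_deny(ACL_ANY_REPLY, VICTIM_PKT))  # 30
```

Lines 30 and 40 only match echo-replies whose destination ends in .255 or .0, so the unicast echo-reply flood a victim actually receives is permitted by them and only caught by a line that matches any destination.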


This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:07 ART