From: Ubaid Iftikhar (AU) (Magmax@bigpond.net.au)
Date: Sat Oct 28 2006 - 08:23:26 ART
Edouard,
My concept is that a Smurf attack will be destined to my public IP address range.
And we know a Smurf attack's destination is always the subnet address or broadcast.
Let's say the destination address was x.x.x.x (not my public address range); my
company edge router will drop it (no route).
Just my 2 cents
Any takers???
Ubaid
-----Original Message-----
From: Edouard Zorrilla [mailto:ezorrilla@tsf.com.pe]
Sent: Saturday, 28 October 2006 8:43 PM
To: Ubaid Iftikhar (AU); 'Aamir Aziz'; 'David Mitchell'
Cc: 'Scott Morris'; 'Chris Broadway'; 'Peter Plak'; 'Victor Cappuccio';
'Dusty'; 'David Redfern (AU)'; ccielab@groupstudy.com
Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
Sir,
If I am a victim, I don't know where they are coming from and I don't know
which host they are destined for, so I must use any. Why include an
echo-reply line destined for the subnet and broadcast addresses? I do not
think a smurf spoofed source will be this address rather than any
address inside my network.
I would say:
30 & 40 = deny icmp any any echo-reply
will be the right one.
Just to say something.
Regards + Thanks
----- Original Message -----
From: "Ubaid Iftikhar (AU)" <Magmax@bigpond.net.au>
To: "'Aamir Aziz'" <aamiraz77@gmail.com>; "'David Mitchell'"
<david.mitchell@centientnetworks.com>
Cc: "'Scott Morris'" <swm@emanon.com>; "'Chris Broadway'"
<midatlanticnet@gmail.com>; "'Peter Plak'" <plukkie@gmail.com>; "'Victor
Cappuccio'" <cvictor@protokolgroup.com>; "'Dusty'" <dustygoody@gmail.com>;
"'David Redfern (AU)'" <David.Redfern@didata.com.au>;
<ccielab@groupstudy.com>
Sent: Friday, October 27, 2006 8:10 PM
Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
> Guys,
>
> I think I have the right ACL for SMURF Attacks
>
> no service udp-small-servers
>
>
> Extended IP access list SMURF
> 10 deny icmp any 0.0.0.255 255.255.255.0 echo log-input
> 20 deny icmp any 0.0.0.0 255.255.255.0 echo log-input
> 30 deny icmp any 0.0.0.255 255.255.255.0 echo-reply log-input
> 40 deny icmp any 0.0.0.0 255.255.255.0 echo-reply log-input
> 50 deny udp any any eq echo log-input
> 60 deny udp any eq echo any log-input
> 70 permit ip any any
>
> My Justification for ACL Entries
>
>
> 1. Smurf and Fraggle are both directed at the broadcast address. I am assuming
> my network is Class C
> 2. 10 & 20 show if I am used as a reflector
> 3. 30 & 40 show if I am the victim
> 4. 50 and 60 are for Fraggle (same attack as Smurf but uses udp echo)
> 5. The last line will permit all other traffic
>
>
>
> Note.
>
> Also you can use
>
> no ip directed-broadcast
> ip verify unicast reverse-path
>
> Anyone like to correct me
>
> Reference:
>
> http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Aamir Aziz
> Sent: Thursday, 24 August 2006 7:59 PM
> To: David Mitchell
> Cc: Scott Morris; Chris Broadway; Peter Plak; Victor Cappuccio; Dusty;
> David
> Redfern (AU); ccielab@groupstudy.com
> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
> OK, I think I am on the right track, thanks a lot guys. OK, one last
> question: in the case of UDP, if I need to be more specific (my network is
> /24), would this be the correct ACL for UDP:
>
> deny udp any 0.0.0.255 255.255.255.0 echo
> deny udp any 0.0.0.0 255.255.255.0 echo
>
> There is no source echo here; do I need to put that when I am being more
> specific?
>
> Thanks
> Aamir
>
>
>
> On 8/23/06, David Mitchell <david.mitchell@centientnetworks.com> wrote:
>>
>> In my opinion, both of them would work. Obviously the first one is more
>> specific. You could just deny icmp period and it would work. It is all in
>> the wording of the question as to exactly which you should implement.
>> ------------------------------
>>
>> *From:* Aamir Aziz [mailto:aamiraz77@gmail.com]
>> *Sent:* Wednesday, August 23, 2006 3:11 PM
>> *To:* David Mitchell
>> *Cc:* Scott Morris; Chris Broadway; Peter Plak; Victor Cappuccio; Dusty;
>> David Redfern (AU); ccielab@groupstudy.com
>>
>> *Subject:* Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>>
>>
>> Hi all
>>
>> Many thanks for all the replies. OK, so if I build the following ACL
>> (let's say on the edge router) to protect myself from being the REFLECTOR
>> and the VICTIM of a SMURF/Fraggle attack, would this work:
>>
>> deny icmp any 0.0.0.255 255.255.255.0 echo
>> deny icmp any 0.0.0.0 255.255.255.0 echo
>> deny icmp any 0.0.0.255 255.255.255.0 echo-reply
>> deny icmp any 0.0.0.0 255.255.255.0 echo-reply
>> deny udp any any eq echo
>> deny udp any eq echo any
>> permit ip any any
>>
>> or this one (from
>> http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml#topic3 )
>>
>> deny icmp any any echo
>> deny icmp any any echo-reply
>> deny udp any any eq echo
>> deny udp any eq echo any
>> permit ip any any
>>
>> Which of them would work? If both, then which is appropriate for the CCIE
>> lab; if neither, then what is missing here?
>>
>> Many thanks
>>
>> Aamir
>>
>> On 8/23/06, *David Mitchell* <david.mitchell@centientnetworks.com> wrote:
>>
>> If my understanding of Smurf attacks is correct, your strategy would
>> succeed in stopping you from being the REFLECTOR, but not the VICTIM.
>>
>> If you are the VICTIM of a Smurf attack, the packets you will be seeing
>> will be unicast icmp echo-reply packets sourced from the REFLECTOR to
>> your address. This would be because the attacker spoofed your address
>> range and sent the icmp echo-requests to the reflector's broadcast
>> address, resulting in the reflector responding with the echo-replies to
>> your addresses.
>>
>> If my understanding is correct, you would need to filter out icmp
>> echo-reply packets on the edge to stop this.
>>
>> Hopefully I understand this properly. So far I'm a two-time Security
>> lab failure!!
>>
>> - Dave
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Scott Morris
>> Sent: Wednesday, August 23, 2006 12:17 PM
>> To: 'Aamir Aziz'
>> Cc: 'Chris Broadway'; 'Peter Plak'; 'Victor Cappuccio'; 'Dusty'; 'David
>> Redfern (AU)'; ccielab@groupstudy.com
>> Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>>
>> If you are looking to stop an attack TO a router, I'd use:
>>
>> no ip directed-broadcast (on each interface)
>> no service udp-small-servers (which will shut down those udp ports)
>>
>> I believe both may be defaults now (Cisco is occasionally nice).
>>
>> If you have to filter on an edge, which makes more sense, I believe both
>> Brian and I have offered multiple methods of accomplishing this. One is not
>> necessarily better than another. Below, I lay out the port numbers for you,
>> so build an ACL matching each of those in udp as well as ICMP echo coming
>> in.
>>
>> Building the ACL shouldn't be a difficult exercise as you know the
>> information below. In the middle of your exam (IMHO) you won't be required
>> to memorize the multiple ports that a Fraggle attack may go after unless it
>> is mentioned someplace on the DocCD. So build away! Come up with one and
>> let's see what you got!
>>
>>
>> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
>> JNCIE
>> #153, CISSP, et al.
>> CCSI/JNCI-M/JNCI-J
>> IPExpert VP - Curriculum Development
>> IPExpert Sr. Technical Instructor
>> smorris@ipexpert.com
>> http://www.ipexpert.com
>>
>>
>> _____
>>
>> From: Aamir Aziz [mailto:aamiraz77@gmail.com]
>> Sent: Wednesday, August 23, 2006 10:09 AM
>> To: swm@emanon.com
>> Cc: Chris Broadway; Peter Plak; Victor Cappuccio; Dusty; David Redfern
>> (AU);
>> ccielab@groupstudy.com
>> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>>
>>
>> Dear Mr. Brian & Mr. Scott,
>>
>> Thank you for the valuable input, I think it was really helpful, but let's
>> say in the exam they clearly mention that it is a SMURF/Fraggle attack and
>> we need to stop it using an ACL. Then, in your expert opinion, what ACL
>> should we use on the router?
>>
>> Thanks
>> Aamir
>>
>>
>> On 8/22/06, Scott Morris <swm@emanon.com> wrote:
>>
>> Well, look at the two attacks and what they are first.
>>
>> Smurf is an ICMP-based attack. Typically the echo-request packets are sent
>> TO the subnet-broadcast address. This is simply stopped (and by default)
>> with "no ip directed-broadcast" on a LAN. Or you can filter on an edge
>> router closer to the Internet link using an extended ACL.
>>
>> Being that most Smurf attacks are also from spoofed addresses, "ip verify
>> unicast reverse-path" or "ip verify unicast source reachable-via any" could
>> help. (<--RFC 2267) You could also rate-limit the information, but this
>> isn't the best solution!
>>
>> Fraggle is the same type of attack, except that it involves UDP packets
>> instead of ICMP ones. Typically it's directed at common unix-based echo
>> ports (7, 13, 17, 19). So the same methods will protect you.
>>
>> For TCP SYN attacks, that usually involves a bunch of embryonic (half-open)
>> connections going on. Short of your router(s) monitoring the number of
>> initial TCP open requests that come in, there's not many good ways to do
>> this! Firewalls (including CBAC) are certainly the best ways, but not on
>> the R&S exam!!!
>>
>> You may have TCP Intercept on your exam covered by some of the more generic
>> security features listed on the Blueprint! Look in the same security
>> command reference where the RPF information is at, and you'll see "ip tcp
>> intercept" for some information on that.
>>
>> You could also rate-limit with an ACL matching "tcp any any syn". Like
>> many things, which one you choose as your solution may depend on the
>> requirements of the lab!
>>
>> Just my thoughts...
>>
>>
>> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
>> JNCIE
>> #153, CISSP, et al.
>> CCSI/JNCI-M/JNCI-J
>> IPExpert VP - Curriculum Development
>> IPExpert Sr. Technical Instructor
>> smorris@ipexpert.com
>> http://www.ipexpert.com
>>
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Chris Broadway
>> Sent: Tuesday, August 22, 2006 11:21 AM
>> To: Peter Plak
>> Cc: Victor Cappuccio; Dusty; David Redfern (AU); Aamir Aziz;
>> ccielab@groupstudy.com
>> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>>
>> Group,
>>
>> Can we get the "Brians" and/or Scott to give us their opinion on the
>> definitive ACL to log smurf, fraggle, and TCP syn attacks? I think everyone
>> has an opinion but have not heard from the ones I consider to be the most
>> trusted sources.
>>
>> -Broadway
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
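The following is an added example, not code from any message in this thread: a small Python evaluator for IOS-style extended ACL entries (wildcard masks, "eq" port qualifiers, ICMP type keywords, first-match semantics with the implicit deny), run over constructed packets to show what the two ACLs discussed above actually match. The protected prefix is assumed to be 203.0.113.0/24; the attacker (192.0.2.9), the remote reflector (198.51.100.7), the DNS server (198.51.100.53) and the packets themselves are invented, and the ACL text is copied verbatim from the posts. The packet names, the `Packet` class and the helper functions are this example's own, not IOS features.

```python
# Added example, not from the thread: IOS-style extended ACL evaluator.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"echo": 7}              # UDP port keyword used by the ACLs
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[int] = None   # 8 = echo, 0 = echo-reply
    sport: Optional[int] = None
    dport: Optional[int] = None


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens, i):
    # 'any' | 'host A' | 'A WILDCARD'  ->  ((base, wildcard), next index)
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _parse_port(tokens, i):
    # optional 'eq PORT'  ->  (port or None, next index)
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text):
    """Parse '[SEQ] ACTION PROTO SRC [eq P] DST [eq P] [ICMP-TYPE] [log...]'."""
    rules = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens[0].isdigit():       # optional sequence number
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        icmp_type = None
        if proto == "icmp" and i < len(tokens) and tokens[i] in ICMP_TYPES:
            icmp_type = ICMP_TYPES[tokens[i]]
        # trailing 'log' / 'log-input' keywords do not affect matching
        rules.append((action, proto, src, sport, dst, dport, icmp_type, raw.strip()))
    return rules


def _addr_match(spec, addr):
    base, wild = spec                 # wildcard bit set = don't care
    return (_ip(addr) ^ base) & (~wild & 0xFFFFFFFF) == 0


def evaluate(rules, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, proto, src, sport, dst, dport, icmp_type, line in rules:
        if (proto in ("ip", pkt.proto)
                and _addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)
                and icmp_type in (None, pkt.icmp_type)):
            return action, line
    return "deny", "<implicit deny>"


POSTED_ACL = """
10 deny icmp any 0.0.0.255 255.255.255.0 echo log-input
20 deny icmp any 0.0.0.0 255.255.255.0 echo log-input
30 deny icmp any 0.0.0.255 255.255.255.0 echo-reply log-input
40 deny icmp any 0.0.0.0 255.255.255.0 echo-reply log-input
50 deny udp any any eq echo log-input
60 deny udp any eq echo any log-input
70 permit ip any any
"""
GENERIC_ACL = """
deny icmp any any echo
deny icmp any any echo-reply
deny udp any any eq echo
deny udp any eq echo any
permit ip any any
"""

# Constructed inbound traffic; 203.0.113.0/24 is the assumed protected prefix.
PACKETS = {
    "reflector probe": Packet("icmp", "192.0.2.9", "203.0.113.255", icmp_type=8),
    "victim reply":    Packet("icmp", "198.51.100.7", "203.0.113.20", icmp_type=0),
    "fraggle probe":   Packet("udp", "192.0.2.9", "203.0.113.255", sport=40000, dport=7),
    "dns answer":      Packet("udp", "198.51.100.53", "203.0.113.20", sport=53, dport=5353),
}


def verdicts(acl_text):
    """Map each sample packet name to 'permit' or 'deny' under the given ACL."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}
```

Running `verdicts(POSTED_ACL)` and `verdicts(GENERIC_ACL)` makes the disagreement in the thread concrete. The destination spec `0.0.0.255 255.255.255.0` matches only addresses whose last octet is 255 (the directed-broadcast of any /24) and `0.0.0.0 255.255.255.0` only those whose last octet is 0, so both ACLs stop the inbound echo to 203.0.113.255 (reflector case) and the UDP echo probe (Fraggle). The echo-reply sent by a remote reflector to the unicast host 203.0.113.20 (victim case) matches neither entry 30 nor 40 of the posted ACL and falls through to `70 permit ip any any`, while the generic `deny icmp any any echo-reply` drops it; an ordinary DNS answer is permitted by both. The evaluator is deliberately minimal: it does not handle `range`, `gt`/`lt`, `established`, object groups or the ICMP code field, and a packet matching no entry is denied, as on the router.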
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:07 ART