From: Ubaid Iftikhar (AU) (Magmax@bigpond.net.au)
Date: Sat Oct 28 2006 - 09:15:11 ART
Every public ip address range will have a subnet and broadcast address.
-----Original Message-----
From: Edouard Zorrilla [mailto:ezorrilla@tsf.com.pe]
Sent: Saturday, 28 October 2006 9:31 PM
To: Ubaid Iftikhar (AU); 'Aamir Aziz'; 'David Mitchell'
Cc: 'Scott Morris'; 'Chris Broadway'; 'Peter Plak'; 'Victor Cappuccio';
'Dusty'; 'David Redfern (AU)'; ccielab@groupstudy.com
Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
Sir,
"My concept is Smurf attack will be destined to my public ip address range".
All right, your public address is not a broadcast address, is it?
"And we know Smurf attack destination is always subnet address or
broadcast". All right, if you are the reflector; if so, you would not get
echo-reply but you would get echo-request.
Regards
----- Original Message -----
From: "Ubaid Iftikhar (AU)" <Magmax@bigpond.net.au>
To: "'Edouard Zorrilla'" <ezorrilla@tsf.com.pe>; "'Aamir Aziz'"
<aamiraz77@gmail.com>; "'David Mitchell'"
<david.mitchell@centientnetworks.com>
Cc: "'Scott Morris'" <swm@emanon.com>; "'Chris Broadway'"
<midatlanticnet@gmail.com>; "'Peter Plak'" <plukkie@gmail.com>; "'Victor
Cappuccio'" <cvictor@protokolgroup.com>; "'Dusty'" <dustygoody@gmail.com>;
"'David Redfern (AU)'" <David.Redfern@didata.com.au>;
<ccielab@groupstudy.com>
Sent: Saturday, October 28, 2006 6:23 AM
Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
> Edouard,
>
> My concept is Smurf attack will be destined to my public ip address range.
> And we know Smurf attack destination is always subnet address or
> broadcast.
>
> Let say destination address was x.x.x.x (not my public address range) my
> company edge router will drop it (no route)
>
> Just my 2 cents
>
> Any takers???
>
> Ubaid
>
> -----Original Message-----
> From: Edouard Zorrilla [mailto:ezorrilla@tsf.com.pe]
> Sent: Saturday, 28 October 2006 8:43 PM
> To: Ubaid Iftikhar (AU); 'Aamir Aziz'; 'David Mitchell'
> Cc: 'Scott Morris'; 'Chris Broadway'; 'Peter Plak'; 'Victor Cappuccio';
> 'Dusty'; 'David Redfern (AU)'; ccielab@groupstudy.com
> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
> Sir,
>
> If I am a victim, I don't know where they are coming from and I don't know
> which host they are destined for so I must use any. Why include an
> echo-reply line destined for the subnet and broadcast addresses? I do not
> think a smurf spoofed source will be this address, rather than any
> address inside my network.
> I would say:
> 30 & 40 = deny icmp any any echo-reply
> will be the right one.
>
> Just to say something.
> Regards + Thanks
>
> ----- Original Message -----
> From: "Ubaid Iftikhar (AU)" <Magmax@bigpond.net.au>
> To: "'Aamir Aziz'" <aamiraz77@gmail.com>; "'David Mitchell'"
> <david.mitchell@centientnetworks.com>
> Cc: "'Scott Morris'" <swm@emanon.com>; "'Chris Broadway'"
> <midatlanticnet@gmail.com>; "'Peter Plak'" <plukkie@gmail.com>; "'Victor
> Cappuccio'" <cvictor@protokolgroup.com>; "'Dusty'" <dustygoody@gmail.com>;
> "'David Redfern (AU)'" <David.Redfern@didata.com.au>;
> <ccielab@groupstudy.com>
> Sent: Friday, October 27, 2006 8:10 PM
> Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>
>
>> Guys,
>>
>> I think I have the right ACL for SMURF Attacks
>>
>> no service udp-small-servers
>>
>>
>> Extended IP access list SMURF
>> 10 deny icmp any 0.0.0.255 255.255.255.0 echo log-input
>> 20 deny icmp any 0.0.0.0 255.255.255.0 echo log-input
>> 30 deny icmp any 0.0.0.255 255.255.255.0 echo-reply log-input
>> 40 deny icmp any 0.0.0.0 255.255.255.0 echo-reply log-input
>> 50 deny udp any any eq echo log-input
>> 60 deny udp any eq echo any log-input
>> 70 permit ip any any
>>
>> My Justification for ACL Entries
>>
>>
>> 1. Smurf and Fraggle are both directed at broadcast address. I am
>> assuming my network is Class C
>> 2. 10 & 20 show if I am used as reflector
>> 3. 30 & 40 show if I am victim
>> 4. 50 and 60 are for Fraggle (same attack as Smurf but uses udp echo)
>> 5. Last line will permit all other traffic
>>
>>
>>
>> Note.
>>
>> Also you can use
>>
>> No ip directed-broadcast
>> ip verify unicast reverse-path
>>
>> Anyone like to correct me
>>
>> Reference:
>>
>> http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml
>>
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Aamir Aziz
>> Sent: Thursday, 24 August 2006 7:59 PM
>> To: David Mitchell
>> Cc: Scott Morris; Chris Broadway; Peter Plak; Victor Cappuccio; Dusty;
>> David
>> Redfern (AU); ccielab@groupstudy.com
>> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>>
>> OK, I think I am on the right track, thanks a lot guys. OK, one last
>> question: in case of UDP if I need to be more specific (my network is /24)
>> then would this be the correct ACL for udp:
>>
>> deny udp any 0.0.0.255 255.255.255.0 echo
>> deny udp any 0.0.0.0 255.255.255.0 echo
>>
>> There is no source echo here, do I need to put that when I am being more
>> specific?
>>
>> Thanks
>> Aamir
>>
>>
>>
>> On 8/23/06, David Mitchell <david.mitchell@centientnetworks.com> wrote:
>>>
>>> In my opinion, both of them would work. Obviously the first one is
>>> more specific. You could just deny icmp period and it would work. It is
>>> all in the wording of the question as to exactly which you should implement.
>>> ------------------------------
>>>
>>> *From:* Aamir Aziz [mailto:aamiraz77@gmail.com]
>>> *Sent:* Wednesday, August 23, 2006 3:11 PM
>>> *To:* David Mitchell
>>> *Cc:* Scott Morris; Chris Broadway; Peter Plak; Victor Cappuccio; Dusty;
>>> David Redfern (AU); ccielab@groupstudy.com
>>>
>>> *Subject:* Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>>>
>>>
>>>
>>> Hi all
>>>
>>>
>>>
>>> Many thanks for all the replies. OK, so if I build the following ACL
>>> (let's say on edge router) to protect myself from being the REFLECTOR
>>> and the VICTIM for SMURF/Fraggle attack, would this work:
>>>
>>>
>>>
>>> deny icmp any 0.0.0.255 255.255.255.0 echo
>>>
>>> deny icmp any 0.0.0.0 255.255.255.0 echo
>>>
>>> deny icmp any 0.0.0.255 255.255.255.0 echo-reply
>>>
>>> deny icmp any 0.0.0.0 255.255.255.0 echo-reply
>>>
>>> deny udp any any eq echo
>>> deny udp any eq echo any
>>> permit ip any any
>>>
>>>
>>>
>>> or this one (from
>>> http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml#topic3
>>> )
>>>
>>>
>>>
>>> deny icmp any any echo
>>> deny icmp any any echo-reply
>>> deny udp any any eq echo
>>> deny udp any eq echo any
>>>
>>> permit ip any any
>>>
>>>
>>>
>>> Which of them would work? If both, then which is appropriate for the CCIE
>>> lab; if neither, then what is missing here?
>>>
>>>
>>>
>>> Many thanks
>>>
>>> Aamir
>>>
>>>
>>>
>>>
>>>
>>> On 8/23/06, *David Mitchell* <david.mitchell@centientnetworks.com>
>>> wrote:
>>>
>>> If my understanding of Smurf attacks is correct, your strategy would
>>> succeed in stopping you from being the REFLECTOR, but not the VICTIM.
>>>
>>> If you are the VICTIM of a Smurf attack, the packets you will be seeing
>>> will be unicast icmp echo-reply packets sourced from the REFLECTOR to
>>> your address. This would be because the attacker spoofed your address
>>> range and sent the icmp echo-requests to the reflector's broadcast
>>> address, resulting in the reflector responding with the echo-reply's to
>>> your addresses.
>>>
>>> If my understanding is correct, you would need to filter out icmp
>>> echo-reply packets on the edge to stop this.
>>>
>>> Hopefully I understand this properly. So far I'm a two-time Security
>>> lab failure!!
>>>
>>> - Dave
>>>
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> Scott Morris
>>> Sent: Wednesday, August 23, 2006 12:17 PM
>>> To: 'Aamir Aziz'
>>> Cc: 'Chris Broadway'; 'Peter Plak'; 'Victor Cappuccio'; 'Dusty'; 'David
>>> Redfern (AU)'; ccielab@groupstudy.com
>>> Subject: RE: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>>>
>>> If you are looking to stop an attack TO a router, I'd use:
>>>
>>> no ip directed-broadcast (on each interface)
>>> no service udp-small-servers (which will shut down those udp ports)
>>>
>>> I believe both may be defaults now (Cisco is occasionally nice).
>>>
>>> If you have to filter on an edge, which makes more sense, I believe both
>>> Brian and I have offered multiple methods of accomplishing this. One is
>>> not
>>> necessarily better than another. Below, I lay out the port numbers for
>>> you,
>>> so build an ACL matching each of those in udp as well as ICMP echo
>>> coming
>>> in.
>>>
>>> Building the ACL shouldn't be a difficult exercise as you know the
>>> information below. In the middle of your exam (IMHO) you won't be
>>> required
>>> to memorize the multiple ports that a Fraggle attack may go after unless
>>> it
>>> is mentioned someplace on the DocCD. So build away! Come up with one
>>> and
>>> let's see what you got!
>>>
>>>
>>> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
>>> JNCIE
>>> #153, CISSP, et al.
>>> CCSI/JNCI-M/JNCI-J
>>> IPExpert VP - Curriculum Development
>>> IPExpert Sr. Technical Instructor
>>> smorris@ipexpert.com
>>> http://www.ipexpert.com
>>>
>>>
>>> _____
>>>
>>> From: Aamir Aziz [mailto:aamiraz77@gmail.com]
>>> Sent: Wednesday, August 23, 2006 10:09 AM
>>> To: swm@emanon.com
>>> Cc: Chris Broadway; Peter Plak; Victor Cappuccio; Dusty; David Redfern
>>> (AU);
>>> ccielab@groupstudy.com
>>> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>>>
>>>
>>> Dear Mr.Brian & Mr.Scott,
>>>
>>> Thank you for the valuable input, I think it was really helpful, but let's
>>> say in the exam if they clearly mention that it is a SMURF/Fraggle attack
>>> and we need to stop it using ACL, then in your expert opinion what ACL
>>> should we use on the router?
>>>
>>> Thanks
>>> Aamir
>>>
>>>
>>> On 8/22/06, Scott Morris <swm@emanon.com> wrote:
>>>
>>> Well, look at the two attacks and what they are first.
>>>
>>> Smurf is an ICMP-based attack. Typically the echo-request packets are
>>> sent
>>> TO the subnet-broadcast address. This is simply stopped (and by
>>> default)
>>> with "no ip directed-broadcast" on a LAN. Or you can filter on an edge
>>> router closer to the Internet link using an extended ACL.
>>>
>>> Being that most Smurf attacks are also from spoofed addresses, "ip
>>> verify
>>> unicast reverse-path" or "ip verify unicast source reachable via any"
>>> could
>>> help. (<--RFC 2267) You could also rate-limit the information, but this
>>> isn't the best solution!
>>>
>>> Fraggle is the same type of attack, except that it involves UDP packets
>>> instead of ICMP ones. Typically it's directed at common unix-based echo
>>> ports (7, 13, 17, 19). So the same methods will protect you.
>>>
>>> For TCP SYN attacks, that usually involves a bunch of embryonic
>>> (half-open)
>>> connections going on. Short of your router(s) monitoring the number of
>>> initial TCP open requests that come in, there's not many good ways to do
>>> this! Firewalls (including CBAC) are certainly the best ways, but not
>>> on
>>> the R&S exam!!!
>>>
>>> You may have TCP Intercept on your exam covered by some of the more
>>> generic
>>> security features listed on the Blueprint! Look in the same security
>>> command reference where the RPF information is at, and you'll see "ip
>>> tcp
>>> intercept" for some information on that.
>>>
>>> While you could rate-limit with an acl matching "tcp any any syn". Like
>>> many things, which thing you choose as your solution may depend on
>>> requirements of the lab!
>>>
>>> Just my thoughts...
>>>
>>>
>>> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
>>> JNCIE
>>> #153, CISSP, et al.
>>> CCSI/JNCI-M/JNCI-J
>>> IPExpert VP - Curriculum Development
>>> IPExpert Sr. Technical Instructor
>>> smorris@ipexpert.com
>>> http://www.ipexpert.com
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> Chris Broadway
>>> Sent: Tuesday, August 22, 2006 11:21 AM
>>> To: Peter Plak
>>> Cc: Victor Cappuccio; Dusty; David Redfern (AU); Aamir Aziz;
>>> ccielab@groupstudy.com
>>> Subject: Re: ICMP Flooding vs SMURF Attack---THE BRIANS AND SCOTT
>>>
>>> Group,
>>>
>>> Can we get the "Brians" and/or Scott to give us their opinion on the
>>> definitive ACL to log smurf, fraggle, and TCP syn attacks? I think
>>> everyone
>>> has an opinion but have not heard from the ones I consider to be the
>>> most
>>> trusted sources.
>>>
>>> -Broadway
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
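An added example, not from the thread or from Cisco, that models the ICMP lines of the SMURF access list above and runs two constructed packets through it: an echo-request to the /24 broadcast (the reflector case) and a unicast echo-reply to a host inside the /24 (the victim case David describes). It assumes a source of "any" on every entry, uses the RFC 5737 documentation range 192.0.2.0/24 in place of "my public address range", and leaves out the UDP lines.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# Destination "any" written as base/wildcard.
ANY = ("0.0.0.0", "255.255.255.255")

# Entries (seq, action, proto, (dst_base, dst_wildcard), icmp_type) copied from
# the SMURF list in the thread; the UDP lines are left out because this model
# only looks at ICMP, and the source is always "any".
SMURF_ACL = [
    (10, "deny",   "icmp", ("0.0.0.255", "255.255.255.0"), "echo"),
    (20, "deny",   "icmp", ("0.0.0.0",   "255.255.255.0"), "echo"),
    (30, "deny",   "icmp", ("0.0.0.255", "255.255.255.0"), "echo-reply"),
    (40, "deny",   "icmp", ("0.0.0.0",   "255.255.255.0"), "echo-reply"),
    (70, "permit", "ip",   ANY, None),
]

# The same list with lines 30 and 40 replaced by "deny icmp any any echo-reply".
VICTIM_ACL = [e for e in SMURF_ACL if e[0] in (10, 20)] + [
    (30, "deny",   "icmp", ANY, "echo-reply"),
    (70, "permit", "ip",   ANY, None),
]

def evaluate(acl, proto, dst, icmp_type=None):
    """Return (seq, action) of the first entry that matches the packet."""
    for seq, action, p, (base, wc), t in acl:
        if p != "ip" and p != proto:
            continue
        if t is not None and t != icmp_type:
            continue
        if wildcard_match(dst, base, wc):
            return seq, action
    return None, "deny"  # implicit deny at the end of every Cisco ACL

# Constructed packets; 192.0.2.0/24 (RFC 5737) stands in for "my public range".
REFLECTOR_CASE = ("icmp", "192.0.2.255", "echo")        # request to our broadcast
VICTIM_CASE    = ("icmp", "192.0.2.10",  "echo-reply")  # unicast reply to a host

if __name__ == "__main__":
    for name, acl in (("SMURF", SMURF_ACL), ("VICTIM", VICTIM_ACL)):
        for pkt in (REFLECTOR_CASE, VICTIM_CASE):
            print(name, pkt, "->", evaluate(acl, *pkt))
```

Lines 30 and 40 only match replies addressed to the .0 and .255 addresses, so the unicast reply in the victim case falls through to the permit line; the "any any echo-reply" form catches it.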
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:07 ART