RE: ICMP Flooding

From: Andrew Bruce Caslow (abcaslow@netmasterclass.net)
Date: Wed Nov 22 2006 - 09:26:40 ART


Hi Nisha,

I am assuming that you are interested in reading about ICMP flooding to
better understand a common Denial of Service attack. If this is the case, we
have a page in the NMC Technical Library on this topic. Later today, I will
make it publicly available to you so that you can read it. I will post the
link to the GroupStudy forum. However, for now, let me give you a brief
explanation of one form of an ICMP flood. Specifically, it is an ICMP
ECHO-REPLY flood attack and is usually called a "smurf" attack.

A "smurf" attack has three basic components:

1). An attacking end station
2). A target interface to be "victimized"
3). An amplifying network

Notice that the first two components are end devices - (1) is an end station
and (2) is an interface. However, component #3 is a "network". This is very
important to remember when attempting to understand an icmp flood "smurf"
attack. Why is component #3 an "amplifying" network? I will explain below.

Now, how are these 3 components used to generate an icmp flood/smurf attack?

Here is a brief description:

Let's set the stage:

Let's say the attacking end station has locally assigned IP source address
of 100.1.1.1

And let's say the target/victim interface has the locally assigned IP
address of 13.13.13.13

And finally, let's say the amplifying network has the prefix of
140.10.1.0/24 and it has 100 attached devices. Also, let's assume that the
router that attaches this amplifying network to the Internet accepts and
forwards "directed-broadcasts", such as in this specific case
"140.10.1.255".

Now, let's put the icmp flood/"smurf" attack into play:

STEP 1: The attacking end station initiates the following ping with the
following carefully selected parameters:

Ping

 Destination Address (Parameter #1): 140.10.1.255 (a directed broadcast to
the amplifying network)

 Source Address (Parameter #2): 13.13.13.13 (This is not the source addr. of the
attacking end station!! But the source addr. of the target/victim network)

 Repeat Count (Parameter #3): 1,000,000 (Lots of pings!!!)

It is important to note that the attacking end station's actual source address
(100.1.1.1) is in no way referenced in this ping. It remains stealthily
anonymous during this smurf attack.

When this ping is initiated, the directed broadcast ping is forwarded to the
amplifying network and all 100 end stations will respond to the directed
broadcast PING/ICMP ECHO request (provided that they are not explicitly
configured to ignore such ICMP ECHO requests). This will result in the
generation of 100,000,000 ICMP ECHO-REPLIES. Voila!!! There is your ICMP
flood, or at least one form of it.

All of these ICMP ECHO-REPLIES will be forwarded to the target/victim
interface instead of the originating source end station (since the ping was
initiated with the source address of the target/victim interface). The
intended result is to negatively impact the performance of the target/victim
interface - thus a "denial of service" state has been attained.

The NMC Tech Lib page provides a diagram to this description. It is easier
to understand with a diagram. I hope this brief description was of some
help.

Overall, a good reference for securing networks is:

http://www.cymru.com/Documents/secure-ios-template.html

This is a link to Bob Thomas' secure IOS configuration template. In this
template, he supplies lots of good recommended IOS commands to enter into a
Cisco router configuration along with a brief description of each command.

He supplies lots of other excellent router security related content on this
site. Perhaps, the most famous resource on this site is his bogon list or
list of "unallocated" IP prefixes. For more on bogons, see:

http://www.cymru.com/Bogons/

HTH,

-Bruce Caslow CCIE #3139
 NetMasterClass, LLC
 www.netmasterclass.net

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of nisha rani
> Sent: Wednesday, November 22, 2006 4:36 AM
> To: Cisco certification
> Subject: ICMP Flooding
>
> Can someone provide me a good link on ICMP flooding?
>
> Thanks
> nisha
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

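As an added, defender-side illustration (not from the post, and not NMC or Team Cymru code), the two places the smurf exchange described above can be spotted: at the amplifier edge, an echo-request from outside aimed at the subnet's broadcast address (the packet a router configured with `no ip directed-broadcast` discards), and at the victim, a burst of echo-replies from a /24 the victim never pinged. The flow records are constructed and reuse the post's 13.13.13.13 and 140.10.1.0/24 addresses; the "src dst icmp_type" record format is an assumption.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type values
LOCAL_NETS = [ip_network("140.10.1.0/24")]   # assumed prefixes behind the amplifier's router

# Constructed sample records, "src dst icmp_type", one per line (not from the post).
# Seen at the edge of the 140.10.1.0/24 amplifier: the spoofed directed-broadcast ping.
AMPLIFIER_LOG = """\
13.13.13.13 140.10.1.255 8
10.0.0.5 140.10.1.7 8
140.10.1.7 10.0.0.5 0
"""
# Seen at the edge of the victim 13.13.13.13: one legitimate ping exchange with
# 10.0.0.5, then 30 echo-replies from the amplifier that the victim never asked for.
VICTIM_LOG = "13.13.13.13 10.0.0.5 8\n10.0.0.5 13.13.13.13 0\n" + "\n".join(
    f"140.10.1.{i} 13.13.13.13 0" for i in range(10, 40))


def parse(log):
    """Turn the text records into (src, dst, icmp_type) tuples."""
    out = []
    for line in log.splitlines():
        if line.strip():
            src, dst, typ = line.split()
            out.append((ip_address(src), ip_address(dst), int(typ)))
    return out


def directed_broadcast_requests(recs, local_nets=LOCAL_NETS):
    """Amplifier-side check: echo-requests from outside a local subnet aimed at that
    subnet's broadcast address, i.e. what 'no ip directed-broadcast' would drop."""
    return [(str(s), str(d)) for s, d, t in recs for net in local_nets
            if t == ECHO_REQUEST and d == net.broadcast_address and s not in net]


def unsolicited_reply_floods(recs, threshold=10):
    """Victim-side check: a host receiving >= threshold echo-replies from one /24
    that it never sent echo-requests to is on the receiving end of an amplifier."""
    pinged = defaultdict(set)      # host -> /24s it sent echo-requests to
    replies = Counter()            # (host, replying /24) -> reply count
    for s, d, t in recs:
        if t == ECHO_REQUEST:
            pinged[s].add(ip_network(f"{d}/24", strict=False))
        elif t == ECHO_REPLY:
            replies[(d, ip_network(f"{s}/24", strict=False))] += 1
    return [(str(h), str(net), n) for (h, net), n in replies.items()
            if n >= threshold and net not in pinged[h]]
```

Run against the two constructed logs, the first check reports the spoofed 13.13.13.13 -> 140.10.1.255 request and the second reports 30 unsolicited replies from 140.10.1.0/24 to 13.13.13.13, while the legitimate 10.0.0.5 exchange is reported by neither.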


This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART