Re: ICMP Flooding

From: Mathew (mathewfer@gmail.com)
Date: Fri Nov 24 2006 - 02:59:59 ART


Hi Andrew,

Can you please give us the link to this on your website?

On 11/22/06, Andrew Bruce Caslow <abcaslow@netmasterclass.net> wrote:
> Hi Nisha,
>
> I am assuming that you are interested in reading about ICMP flooding to
> better understand a common Denial of Service attack. If this is the case, we
> have a page in the NMC Technical Library on this topic. Later today, I will
> make it publicly available to you so that you can read it. I will post the
> link to the GroupStudy forum. However, for now, let me give you a brief
> explanation of one form of an ICMP flood. Specifically, it is an ICMP
> ECHO-REPLY flood attack and is usually called a "smurf" attack.
>
> A "smurf" attack has three basic components:
>
> 1). An attacking end station
> 2). A target interface to be "victimized"
> 3). An amplifying network
>
> Notice that the first two components are end devices - (1) is an end station
> and (2) is an interface. However, component #3 is a "network". This is very
> important to remember when attempting to understand an icmp flood "smurf"
> attack. Why is component #3 an "amplifying" network? I will explain below.
>
> Now, how are these 3 components used to generate an icmp flood/smurf attack?
>
>
> Here is a brief description:
>
> Let's set the stage:
>
> Let's say the attacking end station has a locally assigned IP source address
> of 100.1.1.1
>
> And let's say the target/victim interface has the locally assigned IP
> address of 13.13.13.13
>
> And finally, let's say the amplifying network has the prefix of
> 140.10.1.0/24 and it has 100 attached devices. Also, let's assume that the
> router that attaches this amplifying network to the Internet accepts and
> forwards "directed-broadcasts", such as in this specific case
> "140.10.1.255".
>
> Now, let's put the icmp flood/"smurf" attack into play:
>
> STEP 1: The attacking end station initiates the following ping with the
> following carefully selected parameters:
>
> Ping
>
> Destination Address (Parameter #1): 140.10.1.255 (a directed broadcast to
> the amplifying network)
>
> Source Address (Parameter #2): 13.13.13.13 (This is not the source addr. of
> the attacking end station!! But the source addr. of the target/victim network)
>
> Repeat Count (Parameter #3): 1,000,000 (Lots of pings!!!)
>
> It is important to note that the attacking end station's actual source address
> (100.1.1.1) is in no way referenced in this ping. It remains stealthily
> anonymous during this smurf attack.
>
> When this ping is initiated, the directed broadcast ping is forwarded to the
> amplifying network and all 100 end stations will respond to the directed
> broadcast PING/ICMP ECHO request (provided that they are not explicitly
> configured to ignore such ICMP ECHO requests). This will result in the
> generation of 100,000,000 ICMP ECHO-REPLIES. Voila!!! There is your ICMP
> flood, or at least one form of it.
>
> All of these ICMP ECHO-REPLIES will be forwarded to the target/victim
> interface instead of the originating source end station (since the ping was
> initiated with the source address of the target/victim interface). The
> intended result is to negatively impact the performance of the target/victim
> interface - thus a "denial of service" state has been attained.
>
> The NMC Tech Lib page provides a diagram for this description. It is easier
> to understand with a diagram. I hope this brief description was of some
> help.
>
> Overall, a good reference for securing networks is:
>
> http://www.cymru.com/Documents/secure-ios-template.html
>
> This is a link to Bob Thomas' secure IOS configuration template. In this
> template, he supplies lots of good recommended IOS commands to enter into a
> Cisco router configuration along with a brief description of each command.
>
> He supplies lots of other excellent router security related content on this
> site. Perhaps, the most famous resource on this site is his bogon list or
> list of "unallocated" IP prefixes. For more on bogons, see:
>
> http://www.cymru.com/Bogons/
>
> HTH,
>
> -Bruce Caslow CCIE #3139
> NetMastClass, LLC
> www.netmasterclass.net
>
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of nisha rani
> > Sent: Wednesday, November 22, 2006 4:36 AM
> > To: Cisco certification
> > Subject: ICMP Flooding
> >
> > Can someone provide me a good link on ICMP flooding?
> >
> > Thanks
> > nisha
> >
> > ______________________________________________________________________
> > _ Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>

-- 
Thanks

Mathew
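As an added example (not part of the original thread), here is a small Python detector that applies two defensive checks to constructed ICMP packet records, using the addresses from Bruce Caslow's description: it flags echo requests aimed at a directed-broadcast address (the traffic the amplifying network's edge router should drop) and flags an unsolicited echo-reply flood arriving at the victim from many distinct amplifier hosts. The record format, the thresholds and the sample packets are assumptions constructed for this illustration.

```python
# Added example, not code from the original thread or from NetMasterClass.
# Two defensive checks for the ICMP echo-reply ("smurf") flood described
# above: attacker 100.1.1.1, victim 13.13.13.13, amplifier 140.10.1.0/24.
import ipaddress

ECHO_REQUEST, ECHO_REPLY = 8, 0

# Prefixes this router is directly attached to; a packet sent to the
# broadcast address of one of them is a directed broadcast (assumption).
LOCAL_PREFIXES = [ipaddress.ip_network("140.10.1.0/24")]

def is_directed_broadcast(dst: str) -> bool:
    """True if dst is the broadcast address of a locally attached prefix."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_PREFIXES)

def amplifier_side_alerts(packets):
    """Edge-router check: ICMP echo requests aimed at a directed broadcast.
    These are the packets that disabling directed-broadcast forwarding
    (no ip directed-broadcast on Cisco IOS) would stop from being amplified."""
    return [p for p in packets
            if p["type"] == ECHO_REQUEST and is_directed_broadcast(p["dst"])]

def victim_side_alert(packets, victim: str, min_sources: int = 10):
    """Victim-side check: echo replies from many distinct sources to a host
    that never sent them an echo request. A fuller check would also match
    ICMP id/sequence; here a reply is 'solicited' only if the victim pinged
    that source. Returns (distinct_sources, reply_count) or None."""
    requests_sent = {p["dst"] for p in packets
                     if p["type"] == ECHO_REQUEST and p["src"] == victim}
    unsolicited = [p for p in packets
                   if p["type"] == ECHO_REPLY and p["dst"] == victim
                   and p["src"] not in requests_sent]
    sources = {p["src"] for p in unsolicited}
    if len(sources) < min_sources:
        return None
    return len(sources), len(unsolicited)

# Constructed sample: one spoofed request (source = victim) to the directed
# broadcast, then each of 100 amplifier hosts replies to the victim.
SAMPLE = [{"src": "13.13.13.13", "dst": "140.10.1.255", "type": ECHO_REQUEST}]
SAMPLE += [{"src": f"140.10.1.{h}", "dst": "13.13.13.13", "type": ECHO_REPLY}
           for h in range(1, 101)]

if __name__ == "__main__":
    print("directed-broadcast echo requests:", len(amplifier_side_alerts(SAMPLE)))
    print("unsolicited replies at victim:", victim_side_alert(SAMPLE, "13.13.13.13"))
```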



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART