Re[2]: ICMP Flooding

From: cadet (cadet22@gmail.com)
Date: Sat Nov 25 2006 - 17:29:14 ART


Hi Bruce!
It's a very useful document, but earlier in the forum there were
references on protection against / logging of ICMP flooding / SMURF attacks
(ACLs).
It would be desirable to hear your opinion on whether it is possible, for
example on your network, in the public doc.

Regards.
Max.

> Hi Mathew,

> As promised earlier, a five page ICMP flooding/SMURF technical note is
> posted on the NMC site for public access at:

> http://netmasterclass.com/site/articles/A%20Brief%20Description%20of%20an%20ICMP%20Flood%20Attack.pdf

> The technical note is 5 pages in length. It is pretty much a restatement of
> what I posted a few days ago on the subject. However, the posted technical
> note contains a diagram and a set of simple configurations as well as a few
> simple steps - such as how to initiate a specially crafted ping and enable some
> debug tools - so that you can see an ICMP flood/SMURF attack in action.

> The test configuration only involves three routers. We used Dynamips to
> generate the tests.

> HTH,

> -Bruce Caslow CCIE #3139
> NetMasterClass, LLC
> www.netmasterclass.net

>> -----Original Message-----
>> From: Mathew [mailto:mathewfer@gmail.com]
>> Sent: Friday, November 24, 2006 1:00 AM
>> To: Andrew Bruce Caslow
>> Cc: nisha rani; Cisco certification
>> Subject: Re: ICMP Flooding
>>
>> Hi Andrew,
>>
>> Can you pls give us the link to this on your website?
>>
>>
>> On 11/22/06, Andrew Bruce Caslow <abcaslow@netmasterclass.net> wrote:
>> > Hi Nisha,
>> >
>> > I am assuming that you are interested in reading about ICMP flooding to
>> > better understand a common Denial of Service attack. If this is the
>> > case, we have a page in the NMC Technical Library on this topic. Later
>> > today, I will make it publicly available to you so that you can read it.
>> > I will post the link to the GroupStudy forum. However, for now, let me
>> > give you a brief explanation of one form of an ICMP flood. Specifically,
>> > it is an ICMP ECHO-REPLY flood attack and is usually called a "smurf"
>> > attack.
>> >
>> > A "smurf" attack has three basic components:
>> >
>> > 1). An attacking end station
>> > 2). A target interface to be "victimized"
>> > 3). An amplifying network
>> >
>> > Notice that the first two components are end devices - (1) is an end
>> > station and (2) is an interface. However, component #3 is a "network".
>> > This is very important to remember when attempting to understand an icmp
>> > flood "smurf" attack. Why is component #3 an "amplifying" network? I will
>> > explain below.
>> >
>> > Now, how are these 3 components used to generate an icmp flood/smurf
>> > attack?
>> >
>> > Here is a brief description:
>> >
>> > Let's set the stage:
>> >
>> > Let's say the attacking end station has the locally assigned IP source
>> > address of 100.1.1.1
>> >
>> > And let's say the target/victim interface has the locally assigned IP
>> > address of 13.13.13.13
>> >
>> > And finally, let's say the amplifying network has the prefix of
>> > 140.10.1.0/24 and it has 100 attached devices. Also, let's assume that
>> > the router that attaches this amplifying network to the Internet accepts
>> > and forwards "directed-broadcasts", such as in this specific case
>> > "140.10.1.255".
>> >
>> > Now, let's put the icmp flood/"smurf" attack into play:
>> >
>> > STEP 1: The attacking end station initiates the following ping with the
>> > following carefully selected parameters:
>> >
>> > Ping
>> >
>> > Destination Address (Parameter #1): 140.10.1.255 (a directed broadcast
>> > to the amplifying network)
>> >
>> > Source Address (Parameter #2): 13.13.13.13 (This is not the source addr.
>> > of the attacking end station!! But the source addr. of the target/victim
>> > network)
>> >
>> > Repeat Count (Parameter #3): 1,000,000 (Lots of pings!!!)
>> >
>> > It is important to note that the attacking end station's actual source
>> > address (100.1.1.1) is in no way referenced in this ping. It remains
>> > stealthily anonymous during this smurf attack.
>> >
>> > When this ping is initiated, the directed broadcast ping is forwarded to
>> > the amplifying network and all 100 end stations will respond to the
>> > directed broadcast PING/ICMP ECHO request (provided that they are not
>> > explicitly configured to ignore such ICMP ECHO requests). This will
>> > result in the generation of 100,000,000 ICMP ECHO-REPLIES. Voila!!! There
>> > is your ICMP flood, or at least one form of it.
>> >
>> > All of these ICMP ECHO-REPLIES will be forwarded to the target/victim
>> > interface instead of the originating source end station (since the ping
>> > was initiated with the source address of the target/victim interface).
>> > The intended result is to negatively impact the performance of the
>> > target/victim interface - thus a "denial of service" state has been
>> > attained.
>> >
>> > The NMC Tech Lib page provides a diagram to this description. It is
>> > easier to understand with a diagram. I hope this brief description was
>> > of some help.
>> >
>> > Overall, a good reference for securing networks is:
>> >
>> > http://www.cymru.com/Documents/secure-ios-template.html
>> >
>> > This is a link to Bob Thomas' secure IOS configuration template. In this
>> > template, he supplies lots of good recommended IOS commands to enter
>> > into a Cisco router configuration along with a brief description of each
>> > command.
>> >
>> > He supplies lots of other excellent router security related content on
>> > this site. Perhaps the most famous resource on this site is his bogon
>> > list, or list of "unallocated" IP prefixes. For more on bogons, see:
>> >
>> > http://www.cymru.com/Bogons/
>> >
>> > HTH,
>> >
>> > -Bruce Caslow CCIE #3139
>> > NetMasterClass, LLC
>> > www.netmasterclass.net
>> >
>> >
>> >
>> > > -----Original Message-----
>> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
>> > > Of nisha rani
>> > > Sent: Wednesday, November 22, 2006 4:36 AM
>> > > To: Cisco certification
>> > > Subject: ICMP Flooding
>> > >
>> > > Can someone provide me a good link on ICMP flooding?
>> > >
>> > > Thanks
>> > > nisha
>> > >
>> > > ______________________________________________________________________
>> > > _ Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html
>> >
>> >
>>
>>
>> --
>> Thanks
>>
>> Mathew


-- 
Best regards,
 cadet                            mailto:cadet22@gmail.com
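The amplification pattern Bruce describes in the quoted explanation has two legs a defender can look for in flow or packet records: echo requests aimed at a subnet's directed-broadcast address and carrying someone else's address as source, and a burst of echo replies from many hosts of one prefix converging on a single destination. The Python script below is an added example for this archive page, not code from the thread, from NetMasterClass or from the Cymru template; it runs over constructed sample records (not captured traffic) that reuse the addresses from Bruce's scenario (13.13.13.13 as victim, 140.10.1.0/24 as the amplifier with 100 hosts) and flags both legs, then correlates them. The /24 assumption and the `min_sources` / `min_replies` thresholds are example values, not operational tuning.

```python
"""Flag the ICMP echo-reply amplification ("smurf") pattern in flow records.

Added example for this archive page; not code from the thread or from
NetMasterClass.  Records are constructed, not captured traffic."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

ECHO_REQUEST, ECHO_REPLY = 8, 0

# Constructed sample: (src, dst, icmp_type).  Addresses follow Bruce's scenario:
# 13.13.13.13 is the victim, 140.10.1.0/24 the amplifier with 100 hosts.
# A real sensor rarely sees both legs; the sample merges them for the demo.
SAMPLE_FLOWS = (
    [("13.13.13.13", "140.10.1.255", ECHO_REQUEST)] * 5          # spoofed requests to the directed broadcast
    + [(f"140.10.1.{h}", "13.13.13.13", ECHO_REPLY) for h in range(1, 101)] * 3  # 300 replies, 100 hosts
    + [("192.0.2.7", "192.0.2.9", ECHO_REQUEST), ("192.0.2.9", "192.0.2.7", ECHO_REPLY)]  # ordinary ping
)


def directed_broadcast_requests(flows, prefix_len=24):
    """Echo requests aimed at the broadcast address of a /prefix_len network.

    This is what the spoofed ping looks like on the wire; an edge router that
    does not forward directed broadcasts drops them, so seeing them pass is
    itself worth an alert.  (prefix_len=24 is an assumption of the example;
    use the real subnet masks where they are known.)
    """
    hits = []
    for src, dst, icmp_type in flows:
        net = ip_network(f"{dst}/{prefix_len}", strict=False)
        if icmp_type == ECHO_REQUEST and ip_address(dst) == net.broadcast_address:
            hits.append((src, dst))
    return hits


def reply_amplification(flows, prefix_len=24, min_sources=50, min_replies=200):
    """Group echo replies by (destination, source /prefix_len).

    A destination receiving many replies from many distinct hosts of one prefix
    is the amplifier -> victim leg.  Thresholds are example values, not tuning
    advice: a sensor must be calibrated against its normal ICMP baseline.
    """
    by_key = defaultdict(Counter)  # (dst, src_net) -> replies per source host
    for src, dst, icmp_type in flows:
        if icmp_type != ECHO_REPLY:
            continue
        src_net = str(ip_network(f"{src}/{prefix_len}", strict=False))
        by_key[(dst, src_net)][src] += 1
    findings = []
    for (dst, src_net), hosts in by_key.items():
        total = sum(hosts.values())
        if len(hosts) >= min_sources and total >= min_replies:
            findings.append({"victim": dst, "amplifier": src_net,
                             "distinct_sources": len(hosts), "replies": total})
    return findings


def correlate_legs(flows, prefix_len=24, **thresholds):
    """Attach, to each amplification finding, the spoofed requests that explain
    it: echo requests carrying the victim's address as source, aimed at the
    amplifier's broadcast address.  A non-zero count confirms the smurf
    mechanism rather than, say, a host that legitimately pinged a whole subnet."""
    spoofed = Counter(directed_broadcast_requests(flows, prefix_len))
    findings = reply_amplification(flows, prefix_len, **thresholds)
    for f in findings:
        bcast = str(ip_network(f["amplifier"]).broadcast_address)
        f["spoofed_requests_seen"] = spoofed[(f["victim"], bcast)]
    return findings


if __name__ == "__main__":
    for f in correlate_legs(SAMPLE_FLOWS):
        print(f"victim {f['victim']} <- {f['replies']} echo replies from "
              f"{f['distinct_sources']} hosts in {f['amplifier']}; "
              f"spoofed requests seen: {f['spoofed_requests_seen']}")
```

On the sample data the script reports one finding: 300 replies from 100 hosts in 140.10.1.0/24 toward 13.13.13.13, with 5 spoofed requests to 140.10.1.255 behind them; the ordinary 192.0.2.x ping exchange is left alone. The control Bruce's scenario hinges on is the amplifier's edge router forwarding directed broadcasts at all; on Cisco IOS that is turned off per interface with `no ip directed-broadcast` (the default in current releases), which is exactly the kind of setting the secure IOS template he links collects.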


This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART