From: Mathew (mathewfer@gmail.com)
Date: Mon Nov 27 2006 - 01:16:54 ART
Hi Andrew,
Thanks a lot.
It is a good doc to understand.
On 11/26/06, Andrew Bruce Caslow <abcaslow@netmasterclass.net> wrote:
> Hi Mathew,
>
> As promised earlier, a five page ICMP flooding/SMURF technical note is
> posted on the NMC site for public access at:
>
> http://netmasterclass.com/site/articles/A%20Brief%20Description%20of%20an%20ICMP%20Flood%20Attack.pdf
>
> The technical note is 5 pages in length. It is pretty much a restatement of
> what I posted a few days ago on the subject. However, the posted technical
> note contains a diagram and a set of simple configurations as well as a few
> simple steps - such as how to initiate a specially crafted ping and enable some
> debug tools - so that you can see an ICMP flood/SMURF attack in action.
>
> The test configuration only involves three routers. We used Dynamips to
> generate the tests.
>
> HTH,
>
> -Bruce Caslow CCIE #3139
> NetMasterClass, LLC
> www.netmasterclass.net
>
>
>
> > -----Original Message-----
> > From: Mathew [mailto:mathewfer@gmail.com]
> > Sent: Friday, November 24, 2006 1:00 AM
> > To: Andrew Bruce Caslow
> > Cc: nisha rani; Cisco certification
> > Subject: Re: ICMP Flooding
> >
> > Hi Andrew,
> >
> > Can you pls give us the link to this on your website?
> >
> >
> > On 11/22/06, Andrew Bruce Caslow <abcaslow@netmasterclass.net> wrote:
> > > Hi Nisha,
> > >
> > > I am assuming that you are interested in reading about ICMP flooding to
> > > better understand a common Denial of Service attack. If this is the case, we
> > > have a page in the NMC Technical Library on this topic. Later today, I will
> > > make it publicly available to you so that you can read it. I will post the
> > > link to the GroupStudy forum. However, for now, let me give you a brief
> > > explanation of one form of an ICMP flood. Specifically, it is an ICMP
> > > ECHO-REPLY flood attack and is usually called a "smurf" attack.
> > >
> > > A "smurf" attack has three basic components:
> > >
> > > 1). An attacking end station
> > > 2). A target interface to be "victimized"
> > > 3). An amplifying network
> > >
> > > Notice that the first two components are end devices - (1) is an end station
> > > and (2) is an interface. However, component #3 is a "network". This is very
> > > important to remember when attempting to understand an icmp flood "smurf"
> > > attack. Why is component #3 an "amplifying" network? I will explain below.
> > >
> > > Now, how are these 3 components used to generate an icmp flood/smurf attack?
> > >
> > >
> > > Here is a brief description:
> > >
> > > Let's set the stage:
> > >
> > > Let's say the attacking end station has a locally assigned IP source address
> > > of 100.1.1.1
> > >
> > > And let's say the target/victim interface has the locally assigned IP
> > > address of 13.13.13.13
> > >
> > > And finally, let's say the amplifying network has the prefix of
> > > 140.10.1.0/24 and it has 100 attached devices. Also, let's assume that the
> > > router that attaches this amplifying network to the Internet accepts and
> > > forwards "directed-broadcasts", such as in this specific case
> > > "140.10.1.255".
> > >
> > > Now, let's put the icmp flood/"smurf" attack into play:
> > >
> > > STEP 1: The attacking end station initiates the following ping with the
> > > following carefully selected parameters:
> > >
> > > Ping
> > >
> > > Destination Address (Parameter #1): 140.10.1.255 (a directed broadcast to
> > > the amplifying network)
> > >
> > > Source Address (Parameter #2): 13.13.13.13 (This is not the source addr. of
> > > the attacking end station!! But the source addr of the target/victim network)
> > >
> > > Repeat Count (Parameter #3): 1,000,000 (Lots of pings!!!)
> > >
> > > It is important to note that the attacking end station's actual source address
> > > (100.1.1.1) is in no way referenced in this ping. It remains stealthily
> > > anonymous during this smurf attack.
> > >
> > > When this ping is initiated, the directed broadcast ping is forwarded to the
> > > amplifying network and all 100 end stations will respond to the directed
> > > broadcast PING/ICMP ECHO request (provided that they are not explicitly
> > > configured to ignore such ICMP ECHO requests). This will result in the
> > > generation of 100,000,000 ICMP ECHO-REPLIES. Voila!!! There is your ICMP
> > > flood, or at least one form of it.
> > >
> > > All of these ICMP ECHO-REPLIES will be forwarded to the target/victim
> > > interface instead of the originating source end station (since the ping was
> > > initiated with the source address of the target/victim interface). The
> > > intended result is to negatively impact the performance of the target/victim
> > > interface - thus a "denial of service" state has been attained.
> > >
> > > The NMC Tech Lib page provides a diagram to this description. It is easier
> > > to understand with a diagram. I hope this brief description was of some
> > > help.
> > >
> > > Overall, a good reference for securing networks is:
> > >
> > > http://www.cymru.com/Documents/secure-ios-template.html
> > >
> > > This is a link to Bob Thomas' secure IOS configuration template. In this
> > > template, he supplies lots of good recommended IOS commands to enter into a
> > > Cisco router configuration along with a brief description of each command.
> > >
> > > He supplies lots of other excellent router security related content on this
> > > site. Perhaps, the most famous resource on this site is his bogon list or
> > > list of "unallocated" IP prefixes. For more on bogons, see:
> > >
> > > http://www.cymru.com/Bogons/
> > >
> > > HTH,
> > >
> > > -Bruce Caslow CCIE #3139
> > > NetMasterClass, LLC
> > > www.netmasterclass.net
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of nisha rani
> > > > Sent: Wednesday, November 22, 2006 4:36 AM
> > > > To: Cisco certification
> > > > Subject: ICMP Flooding
> > > >
> > > > Can someone provide me a good link on ICMP flooding?
> > > >
> > > > Thanks
> > > > nisha
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > --
> > Thanks
> >
> > Mathew
>
>
--
Thanks
Mathew
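The thread above explains the smurf attack from the attacker's viewpoint; the following is an added example (not from the thread, NetMasterClass or Team Cymru) showing what the same event looks like to a defender reading ICMP flow records. It applies two checks to constructed flow data using the thread's own addresses: echo requests aimed at the directed-broadcast address of a monitored prefix (which `no ip directed-broadcast` on the amplifier's router prevents), and hosts that receive far more echo replies than the requests they sent, i.e. the spoofed-source victim. The flow tuple format, the monitored prefix list and the 10x ratio threshold are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records for illustration (not from the thread):
# (src, dst, icmp_type, packets). ICMP type 8 = echo request, 0 = echo reply.
# Record 1 is the spoofed request the thread describes; the next 100 are the
# amplifier hosts replying to the forged source 13.13.13.13; the last two are
# a hypothetical normal ping from 100.1.1.1 for contrast.
CONSTRUCTED_FLOWS = (
    [("13.13.13.13", "140.10.1.255", 8, 1_000_000)]
    + [(f"140.10.1.{i}", "13.13.13.13", 0, 1_000_000) for i in range(1, 101)]
    + [("100.1.1.1", "192.0.2.1", 8, 5), ("192.0.2.1", "100.1.1.1", 0, 5)]
)
MONITORED_PREFIXES = ["140.10.1.0/24"]  # assumed: networks whose broadcast address we watch


def is_directed_broadcast(dst, prefixes):
    """True if dst is the directed-broadcast address of a monitored prefix."""
    addr = ipaddress.ip_address(dst)
    return any(addr == ipaddress.ip_network(p).broadcast_address for p in prefixes)


def analyze(flows, prefixes, min_ratio=10):
    """Return (broadcast_hits, victims).

    broadcast_hits: echo requests sent to a monitored directed-broadcast address.
    victims: hosts receiving at least min_ratio times more echo replies than the
      echo requests they originated, mapped to the observed amplification ratio.
    """
    broadcast_hits = []
    requests_sent = defaultdict(int)
    replies_received = defaultdict(int)
    for src, dst, icmp_type, packets in flows:
        if icmp_type == 8:
            requests_sent[src] += packets
            if is_directed_broadcast(dst, prefixes):
                broadcast_hits.append((src, dst, packets))
        elif icmp_type == 0:
            replies_received[dst] += packets
    victims = {}
    for host, replies in replies_received.items():
        ratio = replies / max(requests_sent[host], 1)  # avoid division by zero
        if ratio >= min_ratio:
            victims[host] = ratio
    return broadcast_hits, victims


if __name__ == "__main__":
    hits, victims = analyze(CONSTRUCTED_FLOWS, MONITORED_PREFIXES)
    for src, dst, n in hits:
        print(f"echo request to directed broadcast {dst} from {src}: {n} packets")
    for host, ratio in victims.items():
        print(f"{host} receives {ratio:.0f}x more echo replies than requests it sent")
```

With the thread's numbers (1,000,000 requests, 100 responders) the victim shows an amplification ratio of exactly 100, while the normal ping stays at 1.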
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART