From: Andrew Bruce Caslow (abcaslow@netmasterclass.net)
Date: Tue Nov 28 2006 - 16:59:18 ART
Hi Mathew,
I am glad you found the following document on ICMP flooding useful:
http://netmasterclass.com/site/articles/A%20Brief%20Description%20of%20an%20ICMP%20Flood%20Attack.pdf
I also like how you have begun a list of some of the ways you can reduce the
impact or likelihood of an ICMP flood. At NMC, we like to call this learning
approach the "Know Thy Options" learning approach to CCIE preparation.
To obtain a good list of the methods to reduce the impact or likelihood of
an ICMP flood, I suggest you purchase the following Cisco Press book:
Cisco Router Firewall Security by Richard Deal (Cisco Press)
The book is packed with lots of excellent information on many of the
different ways to mitigate an ICMP flood attack. It also contains an
excellent presentation on all of the router based ACL's, using the MQC for
security purposes and excellent coverage of NAT and SNAT.
The one unfortunate aspect of the book is its title, "Cisco Router FIREWALL
Security". It is very unfortunate that the word "Firewall" is in the title.
The book has nothing to do with formal "firewall" devices like the PIX. It
has everything to do with deploying network security measures on a Cisco
router. In my opinion, this is a "must purchase book" for R&S CCIE
preparation.
When we get more time, we will add mitigation techniques to the ICMP
Flood/SMURF Attack paper referenced above. Currently at NMC, we are hard at
work rolling out an IPv6 Class-on-Demand module. We like to talk about
"on-going synchronized assessment" at NMC. With many of these
Class-on-Demand modules that we are developing, we are also performing
"ongoing synchronized content-development". It is really a very interesting
process. For example, we have 5 CCIE's working on this IPv6 Class-on-Demand
module. All of the content is being fed into the NMC web-based
infrastructure. From there, it is forwarded to "the voice of the NMC IPv6
CoD" - Mr. Anthony Sequeira. So if you have any IPv6 questions, please let
us know.
In fact, we are planning to provide some free IPv6 content to the GS
community in the near future.
HTH,
-Bruce Caslow CCIE #3139
NetMasterClass, LLC
www.netmasterclass.net
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mathew
> Sent: Sunday, November 26, 2006 11:29 PM
> To: Andrew Bruce Caslow
> Cc: Cisco certification
> Subject: Re: ICMP Flooding
>
> Hi Andrew,
>
> While thanking you again for this valuable, easy to understand document,
> can we now ask you to suggest ways of reducing this?
>
> I am thinking of the below:
>
> 1. Unicast Reverse Path Forwarding (Unicast RPF) feature on all the
> inbound interfaces
> 2. Rate-limit ICMP (all the types) to a lower BW on all inbound
> interfaces so that normal network monitoring works.
>
> I am wondering if we have any other options to reduce these effects in
> networks.
>
> Thank you in advance for your replies.
>
> On 11/26/06, Andrew Bruce Caslow <abcaslow@netmasterclass.net> wrote:
> > Hi Mathew,
> >
> > As promised earlier, a five page ICMP flooding/SMURF technical note is
> > posted on the NMC site for public access at:
> >
> > http://netmasterclass.com/site/articles/A%20Brief%20Description%20of%20an%20ICMP%20Flood%20Attack.pdf
> >
> > The technical note is 5 pages in length. It is pretty much a restatement of
> > what I posted a few days ago on the subject. However, the posted technical
> > note contains a diagram and a set of simple configurations as well as a few
> > simple steps - such as how to initiate a specially crafted ping and enable
> > some debug tools - so that you can see an ICMP flood/SMURF attack in action.
> >
> > The test configuration only involves three routers. We used Dynamips to
> > generate the tests.
> >
> > HTH,
> >
> > -Bruce Caslow CCIE #3139
> > NetMasterClass, LLC
> > www.netmasterclass.net
> >
> >
> >
> > > -----Original Message-----
> > > From: Mathew [mailto:mathewfer@gmail.com]
> > > Sent: Friday, November 24, 2006 1:00 AM
> > > To: Andrew Bruce Caslow
> > > Cc: nisha rani; Cisco certification
> > > Subject: Re: ICMP Flooding
> > >
> > > Hi Andrew,
> > >
> > > Can you pls give us the link to this on your website?
> > >
> > >
> > > On 11/22/06, Andrew Bruce Caslow <abcaslow@netmasterclass.net> wrote:
> > > > Hi Nisha,
> > > >
> > > > I am assuming that you are interested in reading about ICMP flooding to
> > > > better understand a common Denial of Service attack. If this is the
> > > > case, we have a page in the NMC Technical Library on this topic. Later
> > > > today, I will make it publicly available to you so that you can read it.
> > > > I will post the link to the GroupStudy forum. However, for now, let me
> > > > give you a brief explanation of one form of an ICMP flood. Specifically,
> > > > it is an ICMP ECHO-REPLY flood attack and is usually called a "smurf" attack.
> > > >
> > > > A "smurf" attack has three basic components:
> > > >
> > > > 1). An attacking end station
> > > > 2). A target interface to be "victimized"
> > > > 3). An amplifying network
> > > >
> > > > Notice that the first two components are end devices - (1) is an end
> > > > station and (2) is an interface. However, component #3 is a "network".
> > > > This is very important to remember when attempting to understand an icmp
> > > > flood "smurf" attack. Why is component #3 an "amplifying" network? I will
> > > > explain below.
> > > >
> > > > Now, how are these 3 components used to generate an icmp flood/smurf
> > > > attack?
> > > >
> > > >
> > > > Here is a brief description:
> > > >
> > > > Let's set the stage:
> > > >
> > > > Let's say the attacking end station has a locally assigned IP source
> > > > address of 100.1.1.1
> > > >
> > > > And let's say the target/victim interface has the locally assigned IP
> > > > address of 13.13.13.13
> > > >
> > > > And finally, let's say the amplifying network has the prefix of
> > > > 140.10.1.0/24 and it has 100 attached devices. Also, let's assume that
> > > > the router that attaches this amplifying network to the Internet accepts
> > > > and forwards "directed-broadcasts", such as in this specific case
> > > > "140.10.1.255".
> > > >
> > > > Now, let's put the icmp flood/"smurf" attack into play:
> > > >
> > > > STEP 1: The attacking end station initiates the following ping with the
> > > > following carefully selected parameters:
> > > >
> > > > Ping
> > > >
> > > > Destination Address (Parameter #1): 140.10.1.255 (a directed broadcast
> > > > to the amplifying network)
> > > >
> > > > Source Address (Parameter #2): 13.13.13.13 (This is not the source addr.
> > > > of the attacking end station!! But the source addr. of the target/victim
> > > > network)
> > > >
> > > > Repeat Count (Parameter #3): 1,000,000 (Lots of pings!!!)
> > > >
> > > > It is important to note that the attacking end station's actual source
> > > > address (100.1.1.1) is in no way referenced in this ping. It remains
> > > > stealthily anonymous during this smurf attack.
> > > >
> > > > When this ping is initiated, the directed broadcast ping is forwarded to
> > > > the amplifying network and all 100 end stations will respond to the
> > > > directed broadcast PING/ICMP ECHO request (provided that they are not
> > > > explicitly configured to ignore such ICMP ECHO requests). This will
> > > > result in the generation of 100,000,000 ICMP ECHO-REPLIES. Voila!!! There
> > > > is your ICMP flood, or at least one form of it.
> > > >
> > > > All of these ICMP ECHO-REPLIES will be forwarded to the target/victim
> > > > interface instead of the originating source end station (since the ping
> > > > was initiated with the source address of the target/victim interface).
> > > > The intended result is to negatively impact the performance of the
> > > > target/victim interface - thus a "denial of service" state has been
> > > > attained.
> > > >
> > > > The NMC Tech Lib page provides a diagram to this description. It is
> > > > easier to understand with a diagram. I hope this brief description was
> > > > of some help.
> > > >
> > > > Overall, a good reference for securing networks is:
> > > >
> > > > http://www.cymru.com/Documents/secure-ios-template.html
> > > >
> > > > This is a link to Bob Thomas' secure IOS configuration template. In
> > > > this template, he supplies lots of good recommended IOS commands to enter
> > > > into a Cisco router configuration along with a brief description of each
> > > > command.
> > > >
> > > > He supplies lots of other excellent router security related content on
> > > > this site. Perhaps, the most famous resource on this site is his bogon
> > > > list or list of "unallocated" IP prefixes. For more on bogons, see:
> > > >
> > > > http://www.cymru.com/Bogons/
> > > >
> > > > HTH,
> > > >
> > > > -Bruce Caslow CCIE #3139
> > > > NetMasterClass, LLC
> > > > www.netmasterclass.net
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of nisha rani
> > > > > Sent: Wednesday, November 22, 2006 4:36 AM
> > > > > To: Cisco certification
> > > > > Subject: ICMP Flooding
> > > > >
> > > > > Can someone provide me a good link on ICMP flooding?
> > > > >
> > > > > Thanks
> > > > > nisha
> > > > >
> > > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
> > > >
> > > >
> > > >
> > >
> > >
> > > --
> > > Thanks
> > >
> > > Mathew
> >
> >
>
>
> --
> Thanks
>
> Mathew
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
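The smurf description in Bruce's Nov 22 message and the mitigations Mathew lists can be turned into a small detector over flow records. The script below is an added example, not part of this thread, NMC's paper or any Cisco code. It reuses the thread's addresses (attacker 100.1.1.1, victim interface 13.13.13.13, amplifying network 140.10.1.0/24 with 100 hosts); the interface names, the interface-to-prefix map and the flow records are constructed for the example. It applies three checks: a strict uRPF test (what "ip verify unicast source reachable-via rx" enforces on IOS), a directed-broadcast destination test (what "no ip directed-broadcast" prevents the amplifier's router from forwarding), and a fan-in test for echo replies arriving at one destination from many hosts of a single /24, which is the amplification signature a victim sees. The ICMP rate-limit Mathew mentions is not modelled.

```python
"""Indicators of a smurf-style ICMP flood in flow records (added example).

Uses the thread's addresses: attacker 100.1.1.1, victim interface
13.13.13.13, amplifying network 140.10.1.0/24 with 100 hosts.  Interface
names, the interface-to-prefix map and the flow records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

ECHO_REPLY, ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class Flow:
    ingress: str     # interface the packets arrived on
    src: str
    dst: str
    icmp_type: int
    packets: int


# Strict uRPF view of the edge router: a source is legitimate on an ingress
# interface only if the route back to it points out that same interface.
# Constructed topology; on IOS this is "ip verify unicast source reachable-via rx".
INTERFACE_PREFIXES = {
    "Fa0/0": [ipaddress.ip_network("100.1.1.0/24")],    # attacker's access link
    "Fa0/1": [ipaddress.ip_network("140.10.1.0/24")],   # amplifying LAN
}
LOCAL_PREFIXES = [p for ps in INTERFACE_PREFIXES.values() for p in ps]


def fails_urpf(flow):
    """True when the source address could not have arrived on that interface."""
    src = ipaddress.ip_address(flow.src)
    return not any(src in p for p in INTERFACE_PREFIXES.get(flow.ingress, []))


def is_directed_broadcast(dst):
    """True when dst is the subnet broadcast of a locally attached prefix.
    Forwarding such packets is what "no ip directed-broadcast" prevents."""
    return any(ipaddress.ip_address(dst) == p.broadcast_address for p in LOCAL_PREFIXES)


def echo_reply_fan_in(flows, min_sources=50):
    """Amplification signature: one destination receives echo replies from many
    distinct hosts of a single /24.  Returns
    {victim: (prefix, distinct_sources, total_packets)} for prefixes over threshold."""
    fan_in = defaultdict(lambda: defaultdict(lambda: [set(), 0]))
    for f in flows:
        if f.icmp_type != ECHO_REPLY:
            continue
        prefix = str(ipaddress.ip_network(f"{f.src}/24", strict=False))
        entry = fan_in[f.dst][prefix]
        entry[0].add(f.src)
        entry[1] += f.packets
    return {
        dst: (prefix, len(srcs), pkts)
        for dst, prefixes in fan_in.items()
        for prefix, (srcs, pkts) in prefixes.items()
        if len(srcs) >= min_sources
    }


def analyze(flows):
    """Run the three checks and return the findings as plain data."""
    return {
        "spoofed": [(f.ingress, f.src, f.dst) for f in flows if fails_urpf(f)],
        "directed_broadcast": sorted({f.dst for f in flows if is_directed_broadcast(f.dst)}),
        "amplification": echo_reply_fan_in(flows),
    }


def sample_flows():
    """Constructed records reproducing the thread's scenario plus benign traffic."""
    flows = [
        # Benign: a host on the attacker's LAN pings one amplifier host and gets a reply.
        Flow("Fa0/0", "100.1.1.1", "140.10.1.7", ECHO_REQUEST, 5),
        Flow("Fa0/1", "140.10.1.7", "100.1.1.1", ECHO_REPLY, 5),
        # STEP 1 of the thread: echo request with the victim's address as source,
        # sent to the directed broadcast of the amplifying network, repeat count 1,000,000.
        Flow("Fa0/0", "13.13.13.13", "140.10.1.255", ECHO_REQUEST, 1_000_000),
    ]
    # All 100 amplifier hosts answer the victim, 1,000,000 replies each.
    flows += [
        Flow("Fa0/1", f"140.10.1.{h}", "13.13.13.13", ECHO_REPLY, 1_000_000)
        for h in range(1, 101)
    ]
    return flows


if __name__ == "__main__":
    for name, finding in analyze(sample_flows()).items():
        print(f"{name}: {finding}")
```

Each check maps to one place in the thread's three-component picture: uRPF at the attacker's access router stops the spoofed request at component (1), disabling directed broadcasts at the amplifier's router removes component (3), and the fan-in test is what monitoring at the victim's interface (2) would flag once the 100,000,000 replies start arriving.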
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:49 ART