RE: SMURF Attack - tracking down the source

From: Scott Morris (swm@emanon.com)
Date: Fri Dec 01 2006 - 10:47:10 ART


Childhood phobias gone bad.... You know WAY too much about these little
guys. :)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brad Ellis
Sent: Friday, December 01, 2006 2:34 AM
To: Udo
Cc: Cisco certification
Subject: Re: SMURF Attack - tracking down the source

There are several typical situations in which smurf attacks occur:

case 1) Papa Smurf gets pissed at his fellow smurfs and goes "postal." This
happens when Papa Smurf stops taking his medications and his dual
personality comes out. It's not pretty.

case 2) Multiple smurfs are making passes at Smurfette. In this situation
the smurfs tend to attack each other in an effort to get Smurfette's
affection. They update their my-smurf-space pages, send her gifts (play
smurfstation 3s), etc.

case 3) Gargamel and Azrael tend to hunt down smurfs and do nasty things to
them (we've heard rumors that they are substitutes for hamsters...but we
won't go there). The smurfs don't take too kindly to this and tend to
launch a counter-attack.

To get to the source of the smurf attack, a consult with Papa Smurf should
help...but in the networking world, since the source addresses of smurf
attacks are spoofed, it can be difficult to determine the actual source of
the attack. Papa Smurf recommends "no ip directed-broadcast" as a great
solution for this...Gargamel prefers just blocking ICMP altogether. The
choice is yours. :)

(I prefer to put on a nice pair of steel toe boots and crush the little
fa-la-lalala buggers)

thanks,
Brad Ellis
CCIE#5796 (R&S / Security)
CCSI#30482
----- Original Message -----
From: "Udo" <ccie_groupstudy@yahoo.de>
To: "CCIE Groupstudy" <ccielab@groupstudy.com>
Sent: Friday, December 01, 2006 5:32 AM
Subject: SMURF Attack - tracking down the source

Hi Group,

If I want to track back to the source of a SMURF attack, what is the
best solution?
Also what are the recommended features for tracking back to the source
of an attack...

THX
Udo
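
An audit for the mitigation named in Brad's reply, as an added example that is not part of the thread: it reads a router configuration and reports, for each addressed interface, whether directed broadcasts are forwarded. The sample configuration is constructed, the function names are hypothetical, and the behaviour when the command is absent (off by default since IOS 12.0) is an assumption passed in as a parameter.

```python
import re

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip directed-broadcast 110
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
"""

def audit_directed_broadcast(config, default_enabled=False):
    # default_enabled: behaviour when the command is absent
    # (False for IOS 12.0 and later, True for older images).
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current and line.startswith((" ", "\t")):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or any top-level line closes the block
    report = {}
    for name, lines in blocks.items():
        if not any(l.startswith("ip address ") for l in lines):
            continue  # no IPv4 subnet on this interface
        state = "enabled (default)" if default_enabled else "disabled (default)"
        for l in lines:
            m = re.fullmatch(r"ip directed-broadcast(?: (\S+))?", l)
            if l == "no ip directed-broadcast":
                state = "disabled"
            elif m:
                state = f"enabled (ACL {m.group(1)})" if m.group(1) else "enabled"
        report[name] = state
    return report

def exposed(report):
    """Interfaces that would forward a directed broadcast."""
    return sorted(n for n, s in report.items() if s.startswith("enabled"))
```
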



This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:36 ART