From: johngibson1541@yahoo.com
Date: Fri Feb 09 2007 - 09:43:05 ART
I see how it works now after reading the SNRS book.
The book also mentions that no ip directed-broadcast will stop forwarding
such packets as those destined to 150.15.1.255.
But the book points out that any IOS later than 12.0 disables ip directed-broadcast by default.
Unless the lab adds ip directed-broadcast to interfaces on purpose, they
can't test us about this topic. Who knows what the exam pre-conf will do.
So, if I make the exam, I will pre-config interfaces with ip directed-broadcast,
then I will make a task that requires directed-broadcast, e.g. multicast
helper. Then I will require not to remove ip directed-broadcast.
This way the only cure left is the ip verify source thing.
But I will have to study multicast helper now. That is in the Gorito book.
Guess this must have been a hot topic in CCIE lab before 12.0 was out.
Historical. But still making me study.
John
<Below is Original Message>
A smurf attack is very simple, yet quite devious.
Keep in mind that typically, packets are forwarded based only on the
destination address.
So, imagine a packet with this destination address: 150.15.1.255
If directed broadcasts are supported, this packet will go to each host in
the 150.15.1.0 network.
Now, let's assume the packet being sent is an icmp echo request. When each
host in the dest network receives the packet, what will they do?
They will respond with an echo reply which they will send to the source
address that was in the echo request packet they just received.
Now, here's the kicker:
Suppose the source address in the packet was a spoofed address?
Now, each host that got the echo request packet will send an echo reply to a
spoofed address and the real owner of that spoofed address becomes the
victim.
So, as a result of a smurf attack, the victim can literally get millions of
packets and be overwhelmed; making the smurf attack a type of DOS attack.
There are lots of variations of the smurf attack but they can be easily
defeated with a couple of techniques.
First, don't allow directed broadcasts on your network.
2nd, implement ip verify, which protects against lots of packets with spoofed
addresses.
HTH, Tim
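The forwarding behaviour Tim describes, and both of his countermeasures, in a toy Python router. This is an added example for the thread, not code from either post. The topology (an attacker LAN on Gi0/0, the 150.15.1.0/24 amplifier LAN on Gi0/1, a victim LAN on Gi0/2) and the host addresses are constructed for illustration. The two interface flags model the IOS commands `ip directed-broadcast` (off by default since 12.0) and `ip verify unicast source reachable-via rx` (strict unicast RPF, the "ip verify" Tim refers to). The router forwards on destination only; the spoofed source is only ever looked at by the uRPF check, which is the whole point.

```python
"""Toy model of a smurf attack and its two classic mitigations.

Added example for this thread, not code from the original posts. The
topology, addresses and host counts are constructed for illustration.
The two interface flags model the IOS commands 'ip directed-broadcast'
and 'ip verify unicast source reachable-via rx' (strict unicast RPF).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    kind: str  # "echo-request" or "echo-reply"


@dataclass
class Interface:
    name: str
    network: IPv4Network        # directly connected subnet
    hosts: list                 # addresses that will answer an echo request
    directed_broadcast: bool    # True == 'ip directed-broadcast' configured
    urpf_strict: bool           # True == 'ip verify unicast source reachable-via rx'


class Router:
    """Forwards on destination address only, as the post describes."""

    def __init__(self, interfaces):
        self.interfaces = interfaces
        self.dropped = []       # (packet, reason) for every discard

    def route_lookup(self, addr):
        """Longest-prefix match over the connected routes; None if unreachable."""
        matches = [i for i in self.interfaces if addr in i.network]
        return max(matches, key=lambda i: i.network.prefixlen, default=None)

    def forward(self, pkt, ingress):
        """Deliver pkt received on ingress; return the replies the hosts generate."""
        # Strict uRPF: the source must be reachable back out the ingress
        # interface, which a spoofed victim address on another segment is not.
        if ingress.urpf_strict and self.route_lookup(pkt.src) is not ingress:
            self.dropped.append((pkt, "urpf"))
            return []
        egress = self.route_lookup(pkt.dst)
        if egress is None:
            self.dropped.append((pkt, "no-route"))
            return []
        if pkt.dst == egress.network.broadcast_address:
            # Directed broadcast: one packet fans out to every host on the
            # segment, unless the egress interface has 'no ip directed-broadcast'.
            if not egress.directed_broadcast:
                self.dropped.append((pkt, "directed-broadcast"))
                return []
            targets = egress.hosts
        else:
            targets = [h for h in egress.hosts if h == pkt.dst]
        # Every host answers to whatever source address the request carried.
        return [Packet(src=h, dst=pkt.src, kind="echo-reply")
                for h in targets if pkt.kind == "echo-request"]


def build_router(directed_broadcast, urpf):
    """Constructed topology: attacker LAN, amplifier LAN 150.15.1.0/24, victim LAN."""
    attacker_lan = Interface("Gi0/0", IPv4Network("10.0.0.0/24"),
                             [IPv4Address("10.0.0.7")], False, urpf)
    amplifier = Interface("Gi0/1", IPv4Network("150.15.1.0/24"),
                          list(IPv4Network("150.15.1.0/24").hosts()),
                          directed_broadcast, False)
    victim_lan = Interface("Gi0/2", IPv4Network("192.0.2.0/24"),
                           [IPv4Address("192.0.2.10")], False, False)
    return Router([attacker_lan, amplifier, victim_lan]), attacker_lan


def run_smurf(directed_broadcast, urpf):
    """Attacker on Gi0/0 sends one echo request to 150.15.1.255 carrying the
    victim's address as source. Returns how many replies reach the victim and
    why the router dropped the request, if it did."""
    router, ingress = build_router(directed_broadcast, urpf)
    spoofed = Packet(IPv4Address("192.0.2.10"), IPv4Address("150.15.1.255"), "echo-request")
    replies = router.forward(spoofed, ingress)
    victim_hits = sum(1 for r in replies if r.dst == IPv4Address("192.0.2.10"))
    reason = router.dropped[-1][1] if router.dropped else None
    return {"replies_to_victim": victim_hits, "drop_reason": reason}


def run_legitimate_ping(urpf):
    """Same router: a genuine ping from 10.0.0.7 to one host still gets one reply."""
    router, ingress = build_router(False, urpf)
    pkt = Packet(IPv4Address("10.0.0.7"), IPv4Address("150.15.1.5"), "echo-request")
    return len(router.forward(pkt, ingress))


if __name__ == "__main__":
    print("directed-broadcast on, no uRPF :", run_smurf(True, False))
    print("no ip directed-broadcast       :", run_smurf(False, False))
    print("uRPF on attacker interface     :", run_smurf(True, True))
    print("legit ping under uRPF, replies :", run_legitimate_ping(True))
```

One spoofed request into the amplifier /24 produces 254 replies at the victim, which is the amplification the post warns about. `no ip directed-broadcast` on the amplifier interface stops it at the egress; strict uRPF on the attacker-facing interface stops it at the ingress because 192.0.2.10 is not reachable back through Gi0/0, while a ping from the attacker LAN's own address still goes through. Strict uRPF only behaves this cleanly on interfaces with symmetric routing; on a multihomed edge it will drop legitimate asymmetric traffic, which is why IOS also offers the `reachable-via any` (loose) form.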
This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:46 ART