Re: Smurf Attack Acl

From: SCD (scdman@gmail.com)
Date: Sat Jul 28 2007 - 08:59:15 ART


Hi,

A Smurf attack has two victims: the "Reflector" and the "Ultimate Target".
Echo-reply filtering is required to protect against being the ultimate target.

Echo filtering is required if you don't want to be a "reflector" for a smurf
attack against the ultimate target. Echo filtering to prevent being a
"reflector" for a smurf attack can also be achieved by using
"no ip directed-broadcast" on all the interfaces within your network. Please
note this command is the default in Cisco IOS Software Release 12.0 and later.

Depending on your organizational requirements (whether you need to allow ICMP
echo-requests from the Internet into your network), you can safely restrict
ICMP echo as well. Please note, financial services organizations are those
which use IP directed broadcast for certain applications.

Also, you might be aware that implementing rate-filtering on your router
will just protect your network and not your ISP link. If you want to protect
your ISP link, then you must work along with your ISP to implement the
filtering.

More details on various flood attacks can be found here @ Cisco:
<http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml>

Regards
SCD

On 7/28/07, Ramya S <ramya_1975@hotmail.com> wrote:
>
> Hi Group,
>
> I would like to mitigate smurf attack by implementing policing or the
> legacy rate limiting-car.
> Is the following access-list correct?
>
> access-list 111 permit icmp any any echo-reply
> access-list 111 permit icmp any any echo
> access-list 111 permit udp any any eq echo
> access-list 111 permit udp any eq echo any
>
> Then I will call the above access list in the class map or in the
> rate-limit statement.
> Additionally, is this needed -- "access-list 111 permit icmp any any echo"
>
> Thanks,
> Ramya Sen.



This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:42 ART
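
The two roles described in the reply, laid out as an IOS configuration. This is an added example, not part of the original thread; the interface names, ACL number 112 and the rate and burst values are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Interface names, ACL 112 and the
! rate/burst values are assumptions; size them to your own link.
!
! Ultimate-target side: the flood arrives as ICMP echo-reply,
! so this ACL matches only echo-reply for policing.
access-list 111 permit icmp any any echo-reply
!
! Reflector side: the trigger is ICMP echo aimed at a broadcast address.
access-list 112 permit icmp any any echo
!
interface Serial0/0
 description Internet-facing link (assumed name)
 ! Legacy CAR: forward echo-reply up to 256 kbps, drop the excess.
 rate-limit input access-group 111 256000 8000 8000 conform-action transmit exceed-action drop
 ! Police inbound echo separately so ping still works at a low rate.
 rate-limit input access-group 112 64000 8000 8000 conform-action transmit exceed-action drop
 ! Both limits act after the traffic has crossed the ISP link, so they
 ! protect the inside network only, as the reply points out.
!
interface FastEthernet0/0
 description Internal LAN (assumed name)
 ! Keeps the router from turning a directed broadcast into a LAN
 ! broadcast, which is what makes the segment a reflector.
 ! Default in IOS 12.0 and later; verify it has not been re-enabled.
 no ip directed-broadcast
```

`show interfaces rate-limit` displays the conformed and exceeded counters for each CAR statement, which shows whether the policer is actually dropping echo-reply traffic.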