From: Joseph Saad (joseph.samir.saad@gmail.com)
Date: Sat Sep 22 2007 - 23:42:55 ART
A few approaches are:
in addition to preventing directed broadcast via
no ip directed-broadcast
which is the default.
You can also perform an RPF-Multicast-like check that will allow you to
discard packets if their source address is NOT reachable via the router
interface on which they have been received. You can achieve this with:
ip verify unicast source reachable-via rx 1
access-list 1 permit a.b.c.d 0.0.0.255
Wendell Odom, Chapter 21, P. 772
Joseph.
On 9/23/07, Rich Collins <nilsi2002@gmail.com> wrote:
>
> I remember I looked into this a few months back and never found a
> satisfactory answer. I did find an approach to blocking a smurf attack for
> class C networks. I am not sure if this is just when the router is a
> "reflector" or whether a simple "no ip directed-broadcast" does the same
> thing. I'd also like to hear further comments about this topic.
>
> >> Extended IP access list SMURF
> >> 10 deny icmp any 0.0.0.255 255.255.255.0 echo log-input
> >> 20 deny icmp any 0.0.0.0 255.255.255.0 echo log-input
> >> 30 deny icmp any 0.0.0.255 255.255.255.0 echo-reply log-input
> >> 40 deny icmp any 0.0.0.0 255.255.255.0 echo-reply log-input
> >> 50 permit ip any any
>
> On 9/22/07, Joe Carr (Enventis) <jcarr@enventis.com> wrote:
> >
> > So if you are the victim of an attack then your only two options are to
> > deny ICMP with an inbound ACL or Rate Limit the inbound ICMP traffic?
> >
> > Joe
> >
> > -----Original Message-----
> > From: Joseph Brunner [mailto:joe@affirmedsystems.com]
> > Sent: Saturday, September 22, 2007 3:53 PM
> > To: Joe Carr (Enventis); ccielab@groupstudy.com
> > Subject: RE: Smurf Attack
> >
> > Why isn't the phrase "smurf attack" on the DAMN DOC CD! (at least that I can
> > tell, anyone?)
> >
> > http://articles.techrepublic.com.com/5100-1035-5034101.html
> >
> > check this link...!!!
> >
> > -Joe
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Joe Carr (Enventis)
> > Sent: Saturday, September 22, 2007 4:50 PM
> > To: ccielab@groupstudy.com
> > Subject: Smurf Attack
> >
> > If I were asked to write an ACL to prevent Smurf attacks what would
> > that look like?
> >
> >
> >
> > Joe
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:15 ART
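
An added example (not part of the original thread): a small Python model of IOS wildcard matching applied to the SMURF access list quoted above, showing which ICMP destinations it drops and where it falls short outside /24 boundaries. The sample packets are constructed, and `wildcard_match` and `evaluate` are hypothetical helper names.

```python
import ipaddress

# The SMURF access list quoted in the thread: (seq, action, dst, wildcard, icmp_type).
# icmp_type None stands for the final "permit ip any any" entry.
SMURF_ACL = [
    (10, "deny", "0.0.0.255", "255.255.255.0", "echo"),
    (20, "deny", "0.0.0.0", "255.255.255.0", "echo"),
    (30, "deny", "0.0.0.255", "255.255.255.0", "echo-reply"),
    (40, "deny", "0.0.0.0", "255.255.255.0", "echo-reply"),
    (50, "permit", "0.0.0.0", "255.255.255.255", None),
]

def wildcard_match(dst, addr, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    d, a, w = (int(ipaddress.IPv4Address(x)) for x in (dst, addr, wildcard))
    return ((d ^ a) & ~w & 0xFFFFFFFF) == 0

def evaluate(dst, icmp_type):
    """Return (sequence, action) of the first matching entry, top-down."""
    for seq, action, addr, wildcard, entry_type in SMURF_ACL:
        if entry_type not in (None, icmp_type):
            continue  # entry is for a different ICMP type
        if wildcard_match(dst, addr, wildcard):
            return seq, action
    return None, "deny"  # implicit deny at the end of every IOS ACL

# Constructed sample packets (destination, ICMP type).
SAMPLES = [
    ("192.0.2.255", "echo"),           # /24 directed broadcast: dropped
    ("192.0.2.0", "echo"),             # /24 network address: dropped
    ("198.51.100.255", "echo-reply"),  # reflected replies: dropped
    ("192.0.2.10", "echo"),            # ordinary host: permitted
    ("192.0.2.127", "echo"),           # broadcast of 192.0.2.0/25: NOT caught
    ("10.1.2.255", "echo"),            # valid host in 10.1.2.0/23: dropped anyway
]

if __name__ == "__main__":
    for dst, icmp_type in SAMPLES:
        seq, action = evaluate(dst, icmp_type)
        print(f"{dst:<16} {icmp_type:<11} -> entry {seq}: {action}")
```

The wildcard `255.255.255.0` ignores the first three octets and compares only the last, so the list keys on a final octet of 255 or 0 regardless of the real subnet mask.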