From: Joseph Brunner (joe@affirmedsystems.com)
Date: Sun Sep 23 2007 - 17:45:20 ART
You need to look at the smurf attack at both places;
Intermediary, who amplifies the attack, gets the broadcast pings
The final target, who gets the icmp echo-replies because this ip was spoofed
to the intermediary by the attacker...
The intermediary's whole subnet of devices replies to each echo reply...
The beauty of a smurf attack is a single inbound echo can create hundreds or
thousands of echo-replies as EVERY HOST ON THE BROADCAST replies to the
victim.
Really slick attack, Who gets used as an "intermediary" is an idiot, leaving
the broadcast address reachable from the internet, and then allowing echo on
top of that...
;)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Rich
Collins
Sent: Sunday, September 23, 2007 4:18 PM
To: Herbert Maosa
Cc: Joe Carr (Enventis); ccielab@groupstudy.com
Subject: Re: Smurf Attack
I guess I still can't remember what the scenario would be to block the C
class broadcast and network addresses in relation to SMURF. Does anyone
know where that might come into play? So smurf doesn't automatically imply
pings to the broadcast (or network) address?
On 9/23/07, Herbert Maosa <asawilunda@googlemail.com> wrote:
>
> The best documentation I have found from the Cisco on the subject is
> here<http://www.cisco.com/warp/public/707/22.html>
>
>
> Herbert.
>
>
>
>
>
> On 9/22/07, Joe Carr (Enventis) <jcarr@enventis.com> wrote:
> >
> > So if you are the victim of an attack then your only two options are to
> > deny ICMP with in inbound ACL or Rate Limit the inbound ICMP traffic?
> >
> > Joe
> >
> > -----Original Message-----
> > From: Joseph Brunner [mailto:joe@affirmedsystems.com]
> > Sent: Saturday, September 22, 2007 3:53 PM
> > To: Joe Carr (Enventis); ccielab@groupstudy.com
> > Subject: RE: Smurf Attack
> >
> > Why isn't the phrase "smurf attack" on the DAMN DOC CD! (at least that I
> > can
> > tell, anyone?)
> >
> > http://articles.techrepublic.com.com/5100-1035-5034101.html
> >
> > check this link...!!!
> >
> > -Joe
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Joe
> > Carr (Enventis)
> > Sent: Saturday, September 22, 2007 4:50 PM
> > To: ccielab@groupstudy.com
> > Subject: Smurf Attack
> >
> > If I were asked to write and ACL to prevent Smurf attacks what would
> > that look like?
> >
> >
> >
> > Joe
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
>
> --
> Kindest regards,
> hm
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:15 ART