Smurf Attack - Confusion

From: Simon Grace (SimonG@pcsystems.gr)
Date: Mon Nov 05 2007 - 05:54:26 ART


Hi Guys,

If possible I'd like to hear your views on the following.

I've read various documents on the web about smurf attacks and have
managed to get myself in quite a confusion.

My understanding is an attacker sends an echo request with a spoofed
source address which is the broadcast address of a network on the
receiving router.

This router will then do an echo-reply to the broadcast address, which I
understand all CPUs of active hosts on the network will have to
process.

Am I correct so far?

Now, firstly, if the attacker just sent one or two such packets there
shouldn't be too much of a problem, the problem lies in that if the
router keeps receiving these spoofed packets it will keep sending out
echo-replies to all the hosts on its connected network. ??

Now my question moves to CAR to combat this problem:

We have:

Attack Router ------ s1/0 R1 fa0/1 ------ 10.10.10.0/24

The attacker will send spoofed echo requests with a source of
10.10.10.255. R1 will carry out an echo-reply to 10.10.10.255, which will
mean all active hosts will receive and have to process this echo-reply
from R1 (sub question, will they do anything other than accept the
echo-reply packet?)

Now in my work book they have the following:

Access-list 101 permit icmp any any echo-reply

Interface ......

Rate-limit input access-group 101 64000 8000 12000 conf trans exceed drop

Firstly, in my case above the rate-limit would be configured on fa0/1 of
R1 correct?

Secondly is the ACL acceptable, would it not be better to have?:

access-list 101 permit icmp any host 10.10.10.255 echo-reply

Or would the proctors be happy to restrict all the icmp echo-reply no
matter what source destinations. (Whether we are ever able to answer
these questions I don't know)

I realise this is a bit of a long-winded question so I appreciate any
input you may be able to offer.

Thanks,

Simon.
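
An added example, not part of the original post or the workbook: a simplified Python model of the rate-limit line quoted above (ACL match plus one token bucket at 64000 bps with an 8000-byte burst), run over a constructed trace with each of the two ACL variants. It does not model CAR's extended-burst handling (the 12000 value); the host 10.10.10.5, the packet sizes and the timings are assumptions.

```python
"""Simplified CAR model: extended-ACL match feeding a single token bucket."""

ECHO_REPLY = 0  # ICMP type 0


def acl_match(pkt, dst_host=None):
    """dst_host=None models 'permit icmp any any echo-reply';
    otherwise 'permit icmp any host <dst_host> echo-reply'."""
    return (pkt["proto"] == "icmp" and pkt["icmp_type"] == ECHO_REPLY
            and (dst_host is None or pkt["dst"] == dst_host))


def police(packets, dst_host=None, rate_bps=64000, burst_bytes=8000):
    """Return {dst: [transmitted, dropped]} for a time-sorted packet list."""
    tokens, last_ms, stats = burst_bytes, 0, {}
    for pkt in packets:
        counts = stats.setdefault(pkt["dst"], [0, 0])
        if not acl_match(pkt, dst_host):
            counts[0] += 1                  # not matched by the ACL: not policed
            continue
        # Refill: rate_bps bits/s == rate_bps/8000 bytes per millisecond
        # (integer maths; exact for the 64000 bps used here).
        elapsed_ms = pkt["t_ms"] - last_ms
        tokens = min(burst_bytes, tokens + elapsed_ms * rate_bps // 8000)
        last_ms = pkt["t_ms"]
        if pkt["size"] <= tokens:           # conform-action transmit
            tokens -= pkt["size"]
            counts[0] += 1
        else:                               # exceed-action drop
            counts[1] += 1
    return stats


def constructed_trace():
    """Constructed sample: 100 echo-replies of 1000 bytes to the broadcast
    address in one second, plus three 100-byte replies to one host."""
    flood = [{"t_ms": t, "proto": "icmp", "icmp_type": ECHO_REPLY,
              "dst": "10.10.10.255", "size": 1000} for t in range(0, 1000, 10)]
    legit = [{"t_ms": t, "proto": "icmp", "icmp_type": ECHO_REPLY,
              "dst": "10.10.10.5", "size": 100} for t in (255, 505, 755)]
    return sorted(flood + legit, key=lambda p: p["t_ms"])


if __name__ == "__main__":
    trace = constructed_trace()
    print("any any echo-reply:          ", police(trace))
    print("any host 10.10.10.255 only:  ", police(trace, dst_host="10.10.10.255"))
```

On this trace both ACLs pass the same 15 of 100 broadcast-addressed replies, but with the `any any` form the three replies to 10.10.10.5 draw on the same drained bucket and are dropped, while the host-specific form leaves them unpoliced.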


