From: Rich Collins (nilsi2002@gmail.com)
Date: Mon Nov 05 2007 - 13:04:05 ART
It is my understanding that the smurf attack sends a directed broadcast
(icmp echo) with a spoofed source address. That spoofed address does not
have to be on the first router but could be an address in the ultimate
target network if the first router is the "amplifier".
So most examples that I have seen in workbooks show a generic access list
and usually include both echo and echo-reply. I would also say that
echo-reply is more important to limit than echo but the more correct answer
seems to include both.
-Rich
On 11/5/07, Simon Grace <SimonG@pcsystems.gr> wrote:
>
> Hi Guys,
>
> If possible I'd like to hear your views on the following.
>
> I've read various documents on the web about smurf attacks and have
> managed to get myself in quite a confusion.
>
> My understanding is an attacker sends an echo request with a spoofed
> source address which is the broadcast address of a network on the
> receiving router.
>
> This router will then do an echo-reply to the broadcast address, which I
> understand all CPUs of active hosts on the network will have to
> process.
>
> Am I correct so far?
>
> Now, firstly, if the attacker just sent one or two such packets there
> shouldn't be too much of a problem; the problem lies in that if the
> router keeps receiving these spoofed packets it will keep sending out
> echo-replies to all the hosts on its connected network. ??
>
> Now my question moves to CAR to combat this problem:
>
> We have:
>
> Attack Router ------ s1/0 R1 fa0/1 ------ 10.10.10.0/24
>
> The attacker will send spoofed echo requests with a source of
> 10.10.10.255. R1 will carry out an echo-reply to 10.10.10.255, which will
> mean all active hosts will receive and have to process this echo-reply
> from R1 (sub-question: will they do anything other than accept the
> echo-reply packet?)
>
> Now in my workbook they have the following:
>
> access-list 101 permit icmp any any echo-reply
>
> interface ......
> rate-limit input access-group 101 64000 8000 12000 conform-action transmit exceed-action drop
>
> Firstly, in my case above the rate-limit would be configured on fa0/1 of
> R1, correct?
>
> Secondly, is the ACL acceptable, or would it not be better to have:
>
> access-list 101 permit icmp any host 10.10.10.255 echo-reply
>
> Or would the proctors be happy to restrict all the icmp echo-reply no
> matter what source/destinations? (Whether we are ever able to answer
> these questions I don't know.)
>
> I realise this is a bit of a long-winded question so I appreciate any
> input you may be able to offer.
>
> Thanks,
>
> Simon.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:28 ART
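For reference, the measures discussed in this thread put together as one IOS configuration for R1 (an added example written for this archive, not taken from either poster's message). Interface names, the 10.10.10.0/24 LAN and the CAR values 64000/8000/12000 come from Simon's mail; the address 10.10.10.1 on fa0/1 and the uRPF line on s1/0 are my assumptions.

```cisco
! Match both directions of ICMP echo traffic: the flood arriving from the
! attacker is echo, the amplified traffic leaving the LAN is echo-reply.
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
!
! uRPF (below) needs CEF switching.
ip cef
!
interface Serial1/0
 description Link toward the attack source
 ! Assumption: strict uRPF drops packets whose source address is not
 ! routed back out this interface, so spoofed 10.10.10.x sources arriving
 ! from outside are discarded before they reach the LAN. Only safe on a
 ! link with symmetric routing.
 ip verify unicast reverse-path
 ! CAR on the inbound side: 64 kbps sustained, 8000-byte normal burst,
 ! 12000-byte extended burst. Echo requests above that are dropped.
 rate-limit input access-group 101 64000 8000 12000 conform-action transmit exceed-action drop
!
interface FastEthernet0/1
 description LAN 10.10.10.0/24
 ip address 10.10.10.1 255.255.255.0   ! assumed address
 ! Do not turn a directed broadcast to 10.10.10.255 into a link-layer
 ! broadcast. This is what stops R1 from being the "amplifier" at all.
 no ip directed-broadcast
 ! Limit echo-replies coming back from LAN hosts toward a spoofed victim,
 ! matching the workbook's placement of CAR on fa0/1.
 rate-limit input access-group 101 64000 8000 12000 conform-action transmit exceed-action drop
```

With `no ip directed-broadcast` in place the CAR statements only matter for replies that hosts still generate, e.g. to a unicast ping sweep, so `show interfaces rate-limit` should normally show few exceeded packets on fa0/1.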