Re: Smurf Attack - Confusion

From: Tarun Pahuja (pahujat@gmail.com)
Date: Mon Nov 05 2007 - 13:50:27 ART


Simon,
In a Smurf attack the attacker uses reflectors to attack the
ultimate target. Basically, he will use ICMP to ping the entire subnet using the
subnet broadcast address with a source address of the ultimate target; all
the hosts in the subnet would respond to the ICMP messages with ICMP
echo-replies directed to the ultimate target, which could potentially bring it
down.

You can indeed use CAR to prevent Smurf attacks.

http://www.cisco.com/warp/public/707/22.html

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a00800fb50a.shtml#rate_limit_icmp
HTH,
Tarun

On 11/5/07, Rich Collins <nilsi2002@gmail.com> wrote:
>
> It is my understanding that the smurf attack sends a directed broadcast
> (icmp echo) with a spoofed source address. That spoofed address does not
> have to be on the first router but could be an address in the ultimate
> target network if the first router is the "amplifier".
>
> So most examples that I have seen in workbooks show a generic access list
> and usually include both echo and echo-reply. I would also say that
> echo-reply is more important to limit than echo but the more correct answer
> seems to include both.
>
> -Rich
>
> On 11/5/07, Simon Grace <SimonG@pcsystems.gr> wrote:
> >
> > Hi Guys,
> >
> > If possible I'd like to hear your views on the following.
> >
> > I've read various documents on the web about smurf attacks and have
> > managed to get myself in quite a confusion.
> >
> > My understanding is an attacker sends an echo request with a spoofed
> > source address which is the broadcast address of a network on the
> > receiving router.
> >
> > This router will then do an echo-reply to the broadcast address, which I
> > understand all CPUs of active hosts on the network will have to
> > process.
> >
> > Am I correct so far?
> >
> > Now, firstly, if the attacker just sent one or two such packets there
> > shouldn't be too much of a problem; the problem lies in that if the
> > router keeps receiving these spoofed packets it will keep sending out
> > echo-replies to all the hosts on its connected network. ??
> >
> > Now my question moves to CAR to combat this problem:
> >
> > We have:
> >
> > Attack Router ------ s1/0 R1 fa0/1 ------ 10.10.10.0/24
> >
> > The attacker will send spoofed echo requests with a source of
> > 10.10.10.255. R1 will carry out an echo-reply to 10.10.10.255, which will
> > mean all active hosts will receive and have to process this echo-reply
> > from R1 (sub-question: will they do anything other than accept the
> > echo-reply packet?)
> >
> > Now in my workbook they have the following:
> >
> > access-list 101 permit icmp any any echo-reply
> >
> > interface ......
> >  rate-limit input access-group 101 64000 8000 12000 conform-action transmit exceed-action drop
> >
> > Firstly, in my case above the rate-limit would be configured on fa0/1 of
> > R1, correct?
> >
> > Secondly, is the ACL acceptable, or would it not be better to have:
> >
> > access-list 101 permit icmp any host 10.10.10.255 echo-reply
> >
> > Or would the proctors be happy to restrict all the icmp echo-replies no
> > matter what source/destination? (Whether we are ever able to answer
> > these questions I don't know.)
> >
> > I realise this is a bit of a long-winded question so I appreciate any
> > input you may be able to offer.
> >
> > Thanks,
> >
> > Simon.
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
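As an added example, not part of Tarun's reply or of the workbook Simon quotes: a configuration for R1 showing the amplifier setting beside the corrected one, the edge filter for spoofed sources, and the workbook's CAR line written out with its full keywords. The interface names and 10.10.10.0/24 come from Simon's diagram; the interface IP addresses, ACL number 110 and the choice of Serial1/0 as the upstream interface are assumptions.

```cisco
! Added example, not from the original thread. Topology from Simon's mail:
!
!   Attack Router ------ s1/0 R1 fa0/1 ------ 10.10.10.0/24
!
! Interface addresses, ACL 110 and Serial1/0 as the upstream link are assumed.
!
! --- Weak: R1 is a usable Smurf amplifier --------------------------------
! With directed-broadcast forwarding on, an echo request arriving on s1/0
! for 10.10.10.255 is turned into an L2 broadcast on fa0/1 and every host
! answers the spoofed source address.
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip directed-broadcast
!
! --- Corrected -----------------------------------------------------------
! 1. Stop being an amplifier: do not convert directed broadcasts into L2
!    broadcasts (the IOS default since 12.0, but state it explicitly).
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 no ip directed-broadcast
!
! 2. Drop spoofed sources at the edge: a packet arriving on s1/0 claiming a
!    10.10.10.0/24 source cannot be legitimate. (Strict uRPF,
!    "ip verify unicast reverse-path", makes the same check from the RIB.)
access-list 110 deny   ip 10.10.10.0 0.0.0.255 any log
access-list 110 permit ip any any
!
! 3. Rate-limit reflected ICMP with CAR: 64 kbit/s, 8000-byte normal burst,
!    12000-byte extended burst. Applied inbound on the upstream interface,
!    because that is where echo-replies arrive when 10.10.10.0/24 is the
!    target of someone else's reflectors rather than the amplifier itself.
!    Both echo and echo-reply are matched, as Rich suggests.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any echo
interface Serial1/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 110 in
 rate-limit input access-group 101 64000 8000 12000 conform-action transmit exceed-action drop
```

Check the result with `show interfaces Serial1/0 rate-limit` (conformed and exceeded counters per ACL) and `show ip interface FastEthernet0/1`, which reports whether directed broadcast forwarding is disabled. The echo-reply entry matches `any` as its destination because reflected replies are addressed to the spoofed unicast source, i.e. the victim, not to the broadcast address; the `no ip directed-broadcast` line, not CAR, is what stops R1 from amplifying.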



This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:28 ART