RE: Smurf Attack - Confusion

From: Simon Grace (SimonG@pcsystems.gr)
Date: Mon Nov 05 2007 - 14:27:58 ART


That helped a lot, thank you.

Thanks to all the other replies too.

________________________________

From: Tarun Pahuja [mailto:pahujat@gmail.com]
Sent: Monday, November 05, 2007 6:50 PM
To: Rich Collins
Cc: Simon Grace; ccielab@groupstudy.com
Subject: Re: Smurf Attack - Confusion

Simon,

In a Smurf attack the attacker uses reflectors to attack the
ultimate target. Basically, he will use ICMP to ping the entire subnet
using the subnet broadcast address with a source address of the ultimate
target; all the hosts in the subnet would respond to the ICMP messages
with ICMP echo-reply directed to the ultimate target, which could
potentially bring it down.

You can indeed use CAR to prevent Smurf attacks.

http://www.cisco.com/warp/public/707/22.html

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a00800fb50a.shtml#rate_limit_icmp

HTH,

Tarun

On 11/5/07, Rich Collins <nilsi2002@gmail.com> wrote:

It is my understanding that the smurf attack sends a directed broadcast
(icmp echo) with a spoofed source address. That spoofed address does not
have to be on the first router but could be an address in the ultimate
target network if the first router is the "amplifier".

So most examples that I have seen in workbooks show a generic access list
and usually include both echo and echo-reply. I would also say that
echo-reply is more important to limit than echo but the more correct answer
seems to include both.

-Rich

On 11/5/07, Simon Grace <SimonG@pcsystems.gr> wrote:
>
> Hi Guys,
>
> If possible I'd like to hear your views on the following.
>
> I've read various documents on the web about smurf attacks and have
> managed to get myself in quite a confusion.
>
> My understanding is an attacker sends an echo request with a spoofed
> source address which is the broadcast address of a network on the
> receiving router.
>
> This router will then do an echo-reply to the broadcast address, which I
> understand all CPUs of active hosts on the network will have to
> process.
>
> Am I correct so far?
>
> Now, firstly, if the attacker just sent one or two such packets there
> shouldn't be too much of a problem; the problem lies in that if the
> router keeps receiving these spoofed packets it will keep sending out
> echo-replies to all the hosts on its connected network. ??
>
> Now my question moves to CAR to combat this problem:
>
> We have:
>
> Attack Router ------ s1/0 R1 fa0/1 ------ 10.10.10.0/24
>
> The attacker will send spoofed echo requests with a source of
> 10.10.10.255. R1 will carry out an echo-reply to 10.10.10.255, which will
> mean all active hosts will receive and have to process this echo-reply
> from R1 (sub question, will they do anything other than accept the
> echo-reply packet?)
>
> Now in my workbook they have the following:
>
> access-list 101 permit icmp any any echo-reply
>
> interface ......
>
> rate-limit input access-group 101 64000 8000 12000 conf trans exceed
> drop
>
> Firstly, in my case above the rate-limit would be configured on fa0/1 of
> R1, correct?
>
> Secondly, is the ACL acceptable, or would it not be better to have?:
>
> access-list 101 permit icmp any host 10.10.10.255 echo-reply
>
> Or would the proctors be happy to restrict all the icmp echo-reply no
> matter what source destinations. (Whether we are ever able to answer
> these questions I don't know)
>
> I realise this is a bit of a long-winded question so I appreciate any
> input you may be able to offer.
>
> Thanks,
>
> Simon.
>
>
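Tarun's and Rich's description of the reflector (an echo request to the subnet's directed-broadcast address with the victim as the spoofed source, then echo-replies from every host converging on that victim) can be turned into a pair of detection checks over packet records. The following is an added example, not code from the thread or from any Cisco tool; the packet records, the use of 10.10.10.0/24 from Simon's diagram as R1's connected subnet, the victim address 192.0.2.10, and the thresholds are all constructed assumptions.

```python
"""Detecting both sides of a Smurf reflection in ICMP packet records.

Added example (not from the mailing-list thread). Two checks:

1. amplifier side: echo requests addressed to the broadcast address of a
   directly connected subnet (the traffic `no ip directed-broadcast` would
   discard at the router);
2. victim side: a burst of echo-replies from many distinct hosts of one /24
   arriving at a single destination inside a short window.

All packet records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Icmp:
    ts: float   # arrival time in seconds
    src: str
    dst: str
    kind: str   # "echo" or "echo-reply"


# Assumed: the router's directly connected subnets (Simon's fa0/1 network).
CONNECTED = [IPv4Network("10.10.10.0/24")]


def directed_broadcast_echo(pkts):
    """Echo requests whose destination is a connected subnet's broadcast address."""
    bcast = {str(n.broadcast_address) for n in CONNECTED}
    return [p for p in pkts if p.kind == "echo" and p.dst in bcast]


def reflected_reply_bursts(pkts, window=1.0, min_sources=10):
    """Map destination -> largest number of distinct /24 neighbours that sent it
    an echo-reply within any `window`-second interval, keeping only destinations
    that reach `min_sources`. A legitimate host rarely gets replies from many
    hosts of one subnet at once; a Smurf victim does."""
    by_dst = defaultdict(list)
    for p in pkts:
        if p.kind == "echo-reply":
            by_dst[p.dst].append(p)
    flagged = {}
    for dst, replies in by_dst.items():
        replies.sort(key=lambda p: p.ts)
        for i, first in enumerate(replies):
            srcs_by_net = defaultdict(set)
            for p in replies[i:]:          # sliding window starting at reply i
                if p.ts - first.ts > window:
                    break
                net = IPv4Network(f"{p.src}/24", strict=False)
                srcs_by_net[net].add(p.src)
            worst = max((len(s) for s in srcs_by_net.values()), default=0)
            if worst >= min_sources:
                flagged[dst] = max(flagged.get(dst, 0), worst)
    return flagged


# Constructed sample traffic (not a real capture).
SAMPLE = (
    # one echo request to the subnet broadcast, source spoofed as the victim 192.0.2.10
    [Icmp(0.000, "192.0.2.10", "10.10.10.255", "echo")]
    # 50 hosts of 10.10.10.0/24 answer the victim within 50 ms
    + [Icmp(0.001 * i, f"10.10.10.{i}", "192.0.2.10", "echo-reply") for i in range(1, 51)]
    # an ordinary unicast ping and its reply inside the subnet
    + [Icmp(0.100, "10.10.10.5", "10.10.10.7", "echo"),
       Icmp(0.101, "10.10.10.7", "10.10.10.5", "echo-reply")]
    # a few replies to another host, well under the threshold
    + [Icmp(0.200 + 0.001 * i, f"10.10.10.{60 + i}", "198.51.100.1", "echo-reply")
       for i in range(3)]
)


def report(pkts=SAMPLE):
    """Run both checks and return their findings."""
    return {
        "directed_broadcast_echo": [(p.src, p.dst) for p in directed_broadcast_echo(pkts)],
        "reflected_targets": reflected_reply_bursts(pkts),
    }


if __name__ == "__main__":
    print(report())
```

The first check is what a router with directed broadcasts disabled removes at the amplifier; the second is what the victim's upstream would see as the reflected flood, and is the traffic an echo-reply policer such as the one in the workbook is there to bound.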


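The rate-limit line quoted from Simon's workbook is a CAR policer: 64000 bps committed rate, 8000-byte normal burst, 12000-byte extended burst, conforming packets transmitted and excess dropped. The example below is added here and is not code from the thread or from Cisco; it re-creates CAR's token bucket together with the "compounded debt" rule Cisco documents for the extended burst, so one can see which packets of a reflected echo-reply burst conform and which are dropped. The packet stream and its timing are constructed, and the ACL match is assumed to have already selected the echo-reply packets that enter the bucket (as `access-list 101` does); everything else is passed untouched.

```python
"""A simplified model of the workbook's CAR line:

    rate-limit input access-group 101 64000 8000 12000 conform-action transmit exceed-action drop

Added example, not from the thread or from Cisco. Assumptions: the rate is
bits per second, both bursts are bytes, the bucket starts full, and the
extended-burst borrowing follows Cisco's documented compounded-debt rule
(sum of actual debts since the last drop, compared against extended burst).
"""


class CarTokenBucket:
    def __init__(self, rate_bps, normal_burst, extended_burst):
        self.rate_bytes = rate_bps / 8.0        # token refill rate, bytes per second
        self.normal = normal_burst               # bucket depth in bytes
        self.extended = extended_burst           # extended burst limit in bytes
        self.tokens = float(normal_burst)        # may go negative while borrowing
        self.compounded_debt = 0.0               # sum of actual debts since last drop
        self.last = 0.0                          # time of the last refill

    def _refill(self, now):
        self.tokens = min(self.normal, self.tokens + (now - self.last) * self.rate_bytes)
        self.last = now

    def offer(self, now, size):
        """Return 'conform' or 'exceed' for a `size`-byte packet arriving at `now`."""
        self._refill(now)
        if self.tokens >= size:
            self.tokens -= size
            return "conform"
        if self.extended <= self.normal:
            return "exceed"                      # no extended burst: plain token bucket
        debt_if_sent = size - self.tokens        # tokens the flow would owe after sending
        self.compounded_debt += debt_if_sent
        if self.compounded_debt > self.extended:
            self.compounded_debt = 0.0           # drop and restart the debt accounting
            return "exceed"
        self.tokens -= size                      # borrow: the bucket goes negative
        return "conform"


def police(stream, rate_bps=64000, normal=8000, extended=12000, match="echo-reply"):
    """Apply the CAR line to (ts, kind, size) records. Packets the ACL does not
    match get 'pass'; matched packets get the bucket's decision."""
    bucket = CarTokenBucket(rate_bps, normal, extended)
    decisions = []
    for ts, kind, size in stream:
        decisions.append("pass" if kind != match else bucket.offer(ts, size))
    return decisions


# Constructed stream: 13 reflected echo-replies of 1000 bytes landing at once,
# an unrelated echo request, and one more reply a second later after refill.
SAMPLE = [(0.0, "echo-reply", 1000)] * 13 + [(0.0, "echo", 64), (1.0, "echo-reply", 1000)]


def summary(stream=SAMPLE):
    """Count decisions for the sample stream."""
    decisions = police(stream)
    return {d: decisions.count(d) for d in ("conform", "exceed", "pass")}


if __name__ == "__main__":
    for rec, d in zip(SAMPLE, police(SAMPLE)):
        print(rec, d)
    print(summary())
```

With these numbers the first eight replies drain the 8000-byte bucket, the next four are transmitted on borrowed tokens while the compounded debt stays under 12000 bytes, the thirteenth is dropped, and a second of refill (8000 bytes at 64 kbps) lets the late reply conform again. Setting the extended burst equal to the normal burst turns the policer into a plain token bucket that drops the ninth packet outright.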

This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:28 ART