From: C D (scdman@gmail.com)
Date: Sun Feb 24 2008 - 12:46:52 ARST
Normally a smurf attack is sending an ICMP packet to a destination address
which is either a network (or subnet) address or a broadcast address, so that
all the hosts in that network respond with an ICMP reply.
Assuming the above condition, 0.0.0.255 255.255.255.0 will match all the
broadcast addresses, i.e., X.X.X.255 (as destination), e.g., 112.10.10.255,
150.30.30.255, 200.200.200.255.
Similarly, 0.0.0.0 255.255.255.0 would mean all the network addresses, i.e.,
X.X.X.0.
The above solution assumes that most of the addresses in the internet are
advertised with a /24 subnet mask, although they can be from any Class
(A/B/C). It's very rare for any host in the internet to have an IP address with
the last octet as 0, I mean 50.168.20.0 (although I received that IP once from
my ISP for my DSL connection).
To keep it simpler, as a smurf attack will be addressed to either the broadcast
or network address of a specific subnet to keep the impact high, I thought of
using access-list 111.
Anyway thanks Jared, for your suggestion.
Regards
SCD
On Sun, Feb 24, 2008 at 8:26 AM, zahid mohammad <dubaiimmigration@gmail.com>
wrote:
> Can you explain to me how you thought about the destination address in
> access-list 111?
>
>
> On 2/22/08, C D <scdman@gmail.com> wrote:
> >
> > Hi Group,
> >
> > Here are the 2 access-lists we can use for preventing DoS from a Smurf
> > attack.
> > Do you have any suggestion on whether to use access-list 111 or 169
> > in
> > the exam?
> >
> > access-list 111 permit icmp any 0.0.0.255 255.255.255.0 echo
> > access-list 111 permit icmp any 0.0.0.0 255.255.255.0 echo
> > access-list 111 permit icmp any 0.0.0.255 255.255.255.0 echo-reply
> > access-list 111 permit icmp any 0.0.0.0 255.255.255.0 echo-reply
> > access-list 111 permit udp any 0.0.0.255 255.255.255.0 eq echo
> > access-list 111 permit udp any 0.0.0.0 255.255.255.0 eq echo
> > access-list 111 permit udp any eq echo 0.0.0.255 255.255.255.0
> > access-list 111 permit udp any eq echo 0.0.0.0 255.255.255.0
> >
> >
> > access-list 169 permit icmp any any echo
> > access-list 169 permit icmp any any echo-reply
> > access-list 169 permit udp any any eq echo
> > access-list 169 permit udp any eq echo any
> >
> > Thanks and Regards
> > SCD
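The following is an added example, not part of the thread above and not Cisco IOS code: a small Python evaluator for the "address wildcard" matching that access-list 111 relies on. It parses the ACL lines exactly as posted, then runs constructed sample packets through them to show which destinations the 0.0.0.255 255.255.255.0 and 0.0.0.0 255.255.255.0 entries catch, and which they miss (a directed broadcast on a /25 such as 10.1.1.127 falls outside the assumed /24 pattern). Packet fields, sample addresses and the helper names are assumptions made for this example.

```python
import ipaddress

# ACL lines copied verbatim from the thread; access-list 169 matches any echo.
ACL_111_TEXT = """
access-list 111 permit icmp any 0.0.0.255 255.255.255.0 echo
access-list 111 permit icmp any 0.0.0.0 255.255.255.0 echo
access-list 111 permit icmp any 0.0.0.255 255.255.255.0 echo-reply
access-list 111 permit icmp any 0.0.0.0 255.255.255.0 echo-reply
access-list 111 permit udp any 0.0.0.255 255.255.255.0 eq echo
access-list 111 permit udp any 0.0.0.0 255.255.255.0 eq echo
access-list 111 permit udp any eq echo 0.0.0.255 255.255.255.0
access-list 111 permit udp any eq echo 0.0.0.0 255.255.255.0
"""


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the
    pattern bit, a 1 bit is a don't-care. So 0.0.0.255 / 255.255.255.0 means
    'last octet must be 255, ignore the rest'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    return (a & care) == (p & care)


def parse_ace(line: str) -> dict:
    """Parse one 'access-list N permit <proto> <src> [eq P] <dst> [eq P|type]'
    line into a dict. Only the forms used in the thread are supported."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "permit":
        raise ValueError("unsupported ACE: " + line)

    def take_addr(i):
        if tok[i] == "any":
            return ("0.0.0.0", "255.255.255.255"), i + 1
        if tok[i] == "host":
            return (tok[i + 1], "0.0.0.0"), i + 2
        return (tok[i], tok[i + 1]), i + 2

    ace = {"proto": tok[3], "sport": None, "dport": None, "icmp_type": None}
    ace["src"], i = take_addr(4)
    if i < len(tok) and tok[i] == "eq":        # source port qualifier
        ace["sport"], i = tok[i + 1], i + 2
    ace["dst"], i = take_addr(i)
    if i < len(tok):
        if tok[i] == "eq":                       # destination port
            ace["dport"] = tok[i + 1]
        else:                                    # ICMP type keyword
            ace["icmp_type"] = tok[i]
    return ace


def parse_acl(text: str) -> list:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def ace_matches(ace: dict, pkt: dict) -> bool:
    """pkt is a constructed dict: proto, src, dst, and optionally
    sport, dport (UDP) or icmp_type (ICMP)."""
    if ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    for key in ("sport", "dport", "icmp_type"):
        if ace[key] is not None and ace[key] != pkt.get(key):
            return False
    return True


def first_match(acl: list, pkt: dict):
    """Index of the first permitting entry, or None (implicit deny)."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return idx
    return None


ACL_111 = parse_acl(ACL_111_TEXT)

if __name__ == "__main__":
    # Constructed sample packets: source addresses are documentation ranges.
    samples = [
        {"proto": "icmp", "src": "203.0.113.9", "dst": "112.10.10.255", "icmp_type": "echo"},
        {"proto": "icmp", "src": "203.0.113.9", "dst": "150.30.30.0", "icmp_type": "echo-reply"},
        {"proto": "icmp", "src": "203.0.113.9", "dst": "10.1.1.7", "icmp_type": "echo"},
        {"proto": "icmp", "src": "203.0.113.9", "dst": "10.1.1.127", "icmp_type": "echo"},  # /25 broadcast: missed
        {"proto": "udp", "src": "198.51.100.4", "dst": "200.200.200.255", "sport": "40000", "dport": "echo"},
    ]
    for pkt in samples:
        print(pkt["proto"], pkt["dst"], "->", first_match(ACL_111, pkt))
```

The /25 case is the practical caveat to the thread's assumption: `ipaddress.IPv4Network("10.1.1.0/25").broadcast_address` is 10.1.1.127, which neither wildcard pattern in access-list 111 matches, so the list only catches reflection aimed at /24-aligned broadcast and network addresses.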
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:49 ARST