ICMP Flooding vs SMURF Attack


Is it possible to have a udp with source echo, sourced from the network ( x.x.x.0) or broadcast (x.x.x.255)? The source udp echo is probably from the reflector, so it’s replied to the destination network or broadcast I would presume.
Then I would say for the udp streams it’s:
deny udp any 0.0.0.255 255.255.255.0 eq echo
deny udp any 0.0.0.0 255.255.255.0 eq echo
deny udp any eq echo 0.0.0.255 255.255.255.0
deny udp any eq echo 0.0.0.0 255.255.255.0
gr

On 8/20/06, Aamir Aziz wrote:
>
> Yes, I agree with you that the UDP source is missing here, but the
> question is what is most suitable, or let's say what is required in the lab.
> How about if we go for something like this:
>
> deny icmp any 0.0.0.255 255.255.255.0 echo
> deny icmp any 0.0.0.0 255.255.255.0 echo
> deny icmp any 0.0.0.255 255.255.255.0 echo-reply
> deny icmp any 0.0.0.0 255.255.255.0 echo-reply
> deny udp any 0.0.0.255 255.255.255.0 eq echo
> deny udp 0.0.0.255 255.255.255.0 eq echo any
> deny udp any 0.0.0.0 255.255.255.0 eq echo
> deny udp 0.0.0.0 255.255.255.0 eq echo any
> permit ip any any
>
> Does this one make any sense?
>
> Thanks
> Aamir
>
> On 8/20/06, Peter Plak wrote:
> >
> > Hi Aziz,
> >
> > I have also spent a lot of time on this task. I found a link which
> > gives the best explanation of smurf / fraggle and protection so far.
> > http://www.windowsecurity.com/whitepaper/Characterizing_and_Tracing_Packet_Floods_Using_Cisco_Routers.html
> >
> > If I look at your list, I would say, almost there. What is missing, in
> > my opinion, is the udp source eq echo.
> > I would replace the udp lines with any any. Because udp echo is rarely
> > used nowadays, it's likely that you will have many hits compared to icmp.
> >
> > So, I think the total list will then be:
> > deny icmp any 0.0.0.255 255.255.255.0 echo
> > deny icmp any 0.0.0.0 255.255.255.0 echo
> > deny icmp any 0.0.0.255 255.255.255.0 echo-reply
> > deny icmp any 0.0.0.0 255.255.255.0 echo-reply
> > deny udp any any eq echo
> > deny udp any eq echo any
> > permit ip any any
> >
> > What do you think?
> >
> > On 8/20/06, Aamir Aziz wrote:
> > >
> > > Hi there ppl
> > >
> > > I just wanted to clear something up: if the task says that a certain
> > > router is experiencing an attack via ICMP and UDP flooding, does it
> > > mean SMURF ATTACK?
> > >
> > > And would the following ACL work to mitigate this flooding issue?
> > >
> > > deny icmp any 0.0.0.255 255.255.255.0 echo
> > > deny icmp any 0.0.0.0 255.255.255.0 echo
> > > deny icmp any 0.0.0.255 255.255.255.0 echo-reply
> > > deny icmp any 0.0.0.0 255.255.255.0 echo-reply
> > > deny udp any 0.0.0.255 255.255.255.0 echo
> > > deny udp any 0.0.0.0 255.255.255.0 echo
> > > permit ip any any
> > >
> > > Thanks
> > > Aamir
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
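
The following is an added example, not part of the thread: a small Python model of how IOS evaluates the wildcard-mask entries discussed above (the four ICMP lines plus the four UDP lines from the most recent reply), so the entries can be checked against sample packets. The function names `wildcard_match` and `evaluate` are hypothetical, the 192.0.2.x addresses are constructed test values, and source addresses are not modelled because every entry uses `any`.

```python
import ipaddress

ECHO = 7                                 # UDP echo service port
ANY = ("0.0.0.0", "255.255.255.255")     # "any"
BCAST = ("0.0.0.255", "255.255.255.0")   # last octet must be 255
NET = ("0.0.0.0", "255.255.255.0")       # last octet must be 0

# (action, protocol, source port, destination, ICMP type or UDP destination port)
ACL = [
    ("deny", "icmp", None, BCAST, "echo"),
    ("deny", "icmp", None, NET, "echo"),
    ("deny", "icmp", None, BCAST, "echo-reply"),
    ("deny", "icmp", None, NET, "echo-reply"),
    ("deny", "udp", None, BCAST, ECHO),
    ("deny", "udp", None, NET, ECHO),
    ("deny", "udp", ECHO, BCAST, None),
    ("deny", "udp", ECHO, NET, None),
    ("permit", "ip", None, ANY, None),
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits set in the wildcard are 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def evaluate(proto, dst, kind=None, sport=None, dport=None):
    """Return the action of the first matching entry (top-down, first match wins)."""
    for action, r_proto, r_sport, (base, wc), r_match in ACL:
        if r_proto != "ip" and r_proto != proto:
            continue
        if not wildcard_match(dst, base, wc):
            continue
        if r_sport is not None and r_sport != sport:
            continue
        if r_match is not None and r_match != (kind if proto == "icmp" else dport):
            continue
        return action
    return "deny"  # implicit deny that ends every IOS access list

if __name__ == "__main__":
    print(evaluate("icmp", "192.0.2.255", kind="echo"))      # /24 broadcast
    print(evaluate("icmp", "192.0.2.10", kind="echo"))       # ordinary host
    print(evaluate("udp", "192.0.2.255", sport=ECHO, dport=40000))
    print(evaluate("icmp", "192.0.2.63", kind="echo"))       # /26 broadcast
```

Because these entries test only whether the last octet is 0 or 255, a directed broadcast on a subnet that is not /24-aligned (192.0.2.63 for a /26, for instance) falls through to `permit ip any any`.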
