From: Curt Girardin (curt.girardin@chicos.com)
Date: Tue Jul 18 2006 - 16:03:14 ART
Hi Tony,
What you're describing is how to prevent yourself from being a
SMURF-attack amplifier. The actual victim is the person that actually
owns the spoofed source address in the icmp echo-request, thus being
bombarded with echo-replies.
However your question will be invaluable to me one day, as I now know
how to find the source of spoofed packets within my network; an
irritation in the past.
My guess is that the ip source-track is less processor intensive, since
an ACL 'log-input' will likely be logging every packet in a smurf attack
or a DDOS syn attack into the logging buffer.
Thanks,
Curt
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Tony Paterra
Sent: Tuesday, July 18, 2006 2:28 PM
To: Cisco certification
Subject: SMURF attack mitigation features...
All,
I'm curious as to what SMURF attack mitigation features there are...
If I am correct in my understanding of a SMURF attack it is set up as
follows:
The attacker is on a remote segment using a directed broadcast at a
target on your LAN segment
How can we mitigate these attacks?
What I'm aware of (please tell me if I'm off-base or should be doing
more/less)...
-Enable unicast RPF on your WAN interface (stops receiving fake source
addresses)
-No ip directed-broadcast under your LAN interface (stops sending
off-network broadcasts)
-Put an ACL on the WAN interface that does a 'log-input' on the end or
also ip source-track (lets you figure out where your attacker is)
What is the difference between ip source-track and doing a permit ip any
any log-input in an ACL?
Thanks in advance!!!
-- Tony Paterra apaterra@gmail.com
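An added example (not from either poster) of how the three measures in Tony's list fit together on a Cisco IOS router, showing the 'log-input' ACL next to ip source-track; interface names, addresses and the ACL name are assumed placeholders.

```cisco
! Assumed topology (placeholders, not from the thread): Serial0/0 is the
! WAN uplink, FastEthernet0/0 is the LAN 192.0.2.0/24.
!
! 1. Strict unicast RPF on the WAN interface: a packet is dropped when its
!    source address is not reachable back out the interface it arrived on.
!    uRPF needs CEF; strict mode can also drop legitimate traffic on
!    asymmetrically routed links, so verify routing first.
ip cef
!
interface Serial0/0
 description WAN uplink
 ip address 203.0.113.2 255.255.255.252
 ip verify unicast source reachable-via rx
 ip access-group WAN-IN in
!
! 2. Do not translate subnet-directed broadcasts into LAN broadcasts, so
!    an echo-request to 192.0.2.255 is not amplified by every LAN host.
interface FastEthernet0/0
 description LAN segment
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
! 3a. ACL with 'log-input': each matching packet is logged together with
!     its ingress interface and source MAC, which is what identifies the
!     upstream path. It is per packet, so it is throttled to protect the
!     CPU and the logging buffer; only the suspicious traffic is logged,
!     not every packet with a blanket 'permit ip any any log-input'.
ip access-list extended WAN-IN
 remark drop echo-requests aimed at the LAN broadcast address
 deny   icmp any host 192.0.2.255 echo log-input
 permit ip any any
!
logging buffered 64000
logging rate-limit 10 except errors
!
! 3b. ip source-track keeps per-interface counters of traffic toward one
!     destination (here a placeholder victim host) instead of logging each
!     packet, which is why it is cheaper during a flood.
ip source-track 192.0.2.10
ip source-track syslog-interval 5
!
! Inspect with:
!   show ip source-track
!   show ip source-track summary
!   show logging
```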
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:47 ART