Re: ICMP Flooding vs SMURF Attack

From: Anderson Mota Alves (mota_anderson@hotmail.com)
Date: Sun Aug 20 2006 - 14:13:22 ART


Hi Aamir,

Because, from what I know, that's the way you need to use an ACL to contain
UDP flooding (mostly known as Fraggle). Below I'm sending you a link where you
can see an ACL permitting Smurf Attack, Fraggle and TCP SYN Flooding, and
from there you can see that for Fraggle attacks you can't use only the
statement "deny udp any any eq echo" as in the ICMP ACL, because for ICMP
you have echo and echo-reply, where echo works more as a source port and
echo-reply as a destination port (or a reply, as its name implies).
Since you can't have an echo-reply for UDP, you must use it on the source and
destination port in order to achieve a good result.
I hope it helped :)

http://www.cisco.com/warp/public/707/22.html

Andy

>From: "Aamir Aziz" <aamiraz77@gmail.com>
>Reply-To: "Aamir Aziz" <aamiraz77@gmail.com>
>To: "Anderson Mota Alves" <mota_anderson@hotmail.com>
>CC: ccielab@groupstudy.com
>Subject: Re: ICMP Flooding vs SMURF Attack
>Date: Sun, 20 Aug 2006 18:41:19 +0400
>
>Hi Andy
>
>Could you explain the third line of your ACL? Why have you done this one:
>
>deny udp any eq echo any
>
>Thanks
>Aamir
>
>
>On 8/20/06, Anderson Mota Alves <mota_anderson@hotmail.com> wrote:
> >
> > Hi Aamir,
> >
> > I just don't know why you are using so many statements. From my
> > understanding this question could be answered with a few lines; someone
> > let me know if I'm wrong:
> >
> > ip access-list extended SMURF_UDP_FLOODING
> > deny icmp any any echo
> > deny icmp any any echo-reply
> > deny udp any eq echo any
> > deny udp any any eq echo
> > permit ip any any
> >
> > Andy
> >
> > --------------------------------------------------------------------
> >
> > From: "Aamir Aziz" <aamiraz77@gmail.com>
> > Reply-To: "Aamir Aziz" <aamiraz77@gmail.com>
> > To: ccielab@groupstudy.com
> > Subject: ICMP Flooding vs SMURF Attack
> > Date: Sun, 20 Aug 2006 15:08:31 +0400
> > >Hi there ppl
> > >
> > >I just wanted to clear something: if the task says that a certain router is
> > >experiencing attack via ICMP and UDP flooding, does it mean SMURF ATTACK?
> > >And would the following ACL work to mitigate this flooding issue?
> > >
> > >deny icmp any 0.0.0.255 255.255.255.0 echo
> > >deny icmp any 0.0.0.0 255.255.255.0 echo
> > >deny icmp any 0.0.0.255 255.255.255.0 echo-reply
> > >deny icmp any 0.0.0.0 255.255.255.0 echo-reply
> > >deny udp any 0.0.0.255 255.255.255.0 echo
> > >deny udp any 0.0.0.0 255.255.255.0 echo
> > >permit ip any any
> > >
> > >Thanks
> > >Aamir
> > >
> > >_______________________________________________________________________
> > >Subscription information may be found at:
> > >http://www.groupstudy.com/list/CCIELab.html


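An added example, not part of the original thread: a small Python model of first-match ACL evaluation applied to the five-line ACL quoted above, showing that with only the destination-port rule a UDP datagram sourced from the echo port still reaches the final permit. The `Packet` and `Rule` helpers and the sample packets are constructed for illustration; only the ACL lines come from the thread.

```python
# Added illustration: first-match evaluation of the ACL quoted in the thread.
# The packets below are constructed samples, not captured traffic.
from typing import NamedTuple, Optional

ECHO_PORT = 7  # the IOS keyword "echo" on a udp entry means port 7

class Packet(NamedTuple):
    proto: str                       # "icmp", "udp", ...
    icmp_type: Optional[str] = None  # "echo" or "echo-reply" for ICMP
    sport: Optional[int] = None
    dport: Optional[int] = None

class Rule(NamedTuple):
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    icmp_type: Optional[str] = None  # None means "not constrained"
    sport: Optional[int] = None
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    for field in ("icmp_type", "sport", "dport"):
        want = getattr(rule, field)
        if want is not None and want != getattr(pkt, field):
            return False
    return True

def evaluate(acl, pkt: Packet) -> str:
    for rule in acl:                 # the first matching entry decides
        if matches(rule, pkt):
            return rule.action
    return "deny"                    # implicit deny at the end of an ACL

FULL_ACL = [
    Rule("deny", "icmp", icmp_type="echo"),        # deny icmp any any echo
    Rule("deny", "icmp", icmp_type="echo-reply"),  # deny icmp any any echo-reply
    Rule("deny", "udp", sport=ECHO_PORT),          # deny udp any eq echo any
    Rule("deny", "udp", dport=ECHO_PORT),          # deny udp any any eq echo
    Rule("permit", "ip"),                          # permit ip any any
]
# Same ACL without the source-port entry, i.e. only "deny udp any any eq echo".
DST_ONLY_ACL = [r for r in FULL_ACL if not (r.proto == "udp" and r.sport == ECHO_PORT)]

TO_ECHO = Packet("udp", sport=40000, dport=ECHO_PORT)    # datagram sent to port 7
FROM_ECHO = Packet("udp", sport=ECHO_PORT, dport=40000)  # datagram sent from port 7

if __name__ == "__main__":
    for name, acl in (("full", FULL_ACL), ("dst-only", DST_ONLY_ACL)):
        print(name, evaluate(acl, TO_ECHO), evaluate(acl, FROM_ECHO))
```
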

This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:57 ART