DoS Smurf Attacks

Smurf attacks consist of large numbers of ICMP packets sent to a router subnet broadcast address using a spoofed source IP address from that same subnet. Some routers may be configured to forward these broadcasts to other routers in the protected network, and this process causes performance degradation.

NOTE: Cisco IOS Release 12.0 and later now has the no ip directed-broadcast feature enabled by default, which prevents this type of ICMP attack.

Refer to Figure 5-12 for the network topology upon which the following configurations are based.

Edge(config)#access-list 105 deny ip any host 10.2.1.255 log

Denies any packet with a destination address of 10.2.1.255

Edge(config)#access-list 105 permit ip any 10.2.1.0 0.0.0.255 log

Permits packets to any other destination address on the 10.2.1.0 network, and logs any instance in which this statement was used

Edge(config)#access-list 106 deny ip any host 10.1.1.255 log

Denies any packet with a destination address of 10.1.1.255

Edge(config)#access-list 106 permit ip any 10.1.1.0 0.0.0.255 log

Permits packets to any other destination address on the 10.1.1.0 network, and logs any instance in which this statement was used

Edge(config)#interface fastethernet 0/0

Moves to interface configuration mode

Edge(config-if)#ip access-group 105 in

Takes all access list lines that are defined as being part of group 105 and applies them in an inbound manner

Edge(config-if)#exit

Returns to global configuration mode

Edge(config)#interface fastethernet 0/1

Moves to interface configuration mode

Edge(config-if)#ip access-group 106 in

Takes all access list lines that are defined as being part of group 106 and applies them in an inbound manner

Edge(config-if)#exit

Returns to global configuration mode

Edge(config)#

Filtering ICMP Messages: Inbound

There are several Internet Control Message Protocol (ICMP) message types that attackers can use against your network. Programs use some of these messages; others are used for network management and so are automatically generated by the router.

ICMP echo packets can be used to discover subnets and hosts on the protected network and can also be used to generate DoS floods. ICMP redirect messages can be used to alter host routing tables. The router should block both ICMP echo and redirect messages that are inbound.

Refer to Figure 5-12 for the network topology upon which the following configurations are based.

Edge(config)#access-list 107 deny icmp any any echo log

Blocks echo packets from anywhere going to anywhere, and logs any instance in which this statement was used

Edge(config)#access-list 107 deny icmp any any redirect log

Blocks redirect packets from anywhere going to anywhere, and logs any instance in which this statement was used

Edge(config)#access-list 107 deny icmp any any mask-request log

Blocks mask-request packets from anywhere going to anywhere, and logs any instance in which this statement was used

Edge(config)#access-list 107 permit icmp any 10.2.1.0 0.0.0.255

Permits all other ICMP messages from traveling to the 10.2.1.0 network

Edge(config)#interface fastethernet 0/0

Moves to interface configuration mode

Edge(config-if)#ip access-group 107 in

Takes all access list lines that are defined as being part of group 107 and applies them in an inbound manner

Edge(config-if)#exit

Returns to global configuration mode

Edge(config)#
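The two access lists above are easier to reason about once you can see first-match ordering, wildcard-mask matching, the implicit deny that ends every IOS ACL, and which entries carry the log keyword. The following Python simulator is an added example, not code from the guide or from Cisco IOS; the Packet and Ace types, the evaluate function and the sample packets are all constructed for illustration. It encodes ACL 105 (directed-broadcast filter from the smurf section) and ACL 107 (inbound ICMP filter) exactly as shown and evaluates a few constructed packets against them.

```python
"""Added example: a small simulator of how Cisco IOS numbered extended ACLs
evaluate a packet.  The ACL entries mirror ACL 105 and ACL 107 from the
guide above; the Packet/Ace types and sample packets are constructed here
for illustration and are not part of the original configuration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                          # source IPv4 address
    dst: str                          # destination IPv4 address
    proto: str                        # "icmp", "tcp" or "udp"
    icmp_type: Optional[str] = None   # e.g. "echo", "echo-reply", "redirect"


@dataclass(frozen=True)
class Ace:
    """One access-list entry in the order the CLI line gives it."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: str                          # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z"
    dst: str
    icmp_type: Optional[str] = None   # ICMP message-type keyword, if any
    log: bool = False                 # the 'log' keyword on the CLI line


def addr_matches(spec: str, addr: str) -> bool:
    """Cisco wildcard-mask matching: a 0 bit in the mask means 'must match',
    a 1 bit means 'don't care' (the inverse of a subnet mask)."""
    if spec == "any":
        return True
    parts = spec.split()
    addr_i = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":                     # host X == X 0.0.0.0
        return addr_i == int(ipaddress.IPv4Address(parts[1]))
    net_i = int(ipaddress.IPv4Address(parts[0]))
    wild_i = int(ipaddress.IPv4Address(parts[1]))
    care = ~wild_i & 0xFFFFFFFF
    return (addr_i & care) == (net_i & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return addr_matches(ace.src, pkt.src) and addr_matches(ace.dst, pkt.dst)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """First matching entry wins.  Returns (action, entry index, logged);
    index None means the packet fell through to the implicit 'deny ip any any'
    that terminates every IOS access list (and is never logged)."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i, ace.log
    return "deny", None, False


# ACL 105 as configured above: drop directed broadcasts, permit and log the rest.
ACL_105 = [
    Ace("deny", "ip", "any", "host 10.2.1.255", log=True),
    Ace("permit", "ip", "any", "10.2.1.0 0.0.0.255", log=True),
]

# ACL 107 as configured above: block echo/redirect/mask-request, allow other ICMP.
ACL_107 = [
    Ace("deny", "icmp", "any", "any", "echo", log=True),
    Ace("deny", "icmp", "any", "any", "redirect", log=True),
    Ace("deny", "icmp", "any", "any", "mask-request", log=True),
    Ace("permit", "icmp", "any", "10.2.1.0 0.0.0.255"),
]

# Constructed sample traffic (not captured from a real network).
SMURF_TRIGGER = Packet("10.2.1.20", "10.2.1.255", "icmp", "echo")  # spoofed src, broadcast dst
INSIDE_WEB = Packet("198.51.100.7", "10.2.1.10", "tcp")
PING_REQUEST = Packet("198.51.100.7", "10.2.1.10", "icmp", "echo")
PING_REPLY = Packet("198.51.100.7", "10.2.1.10", "icmp", "echo-reply")

if __name__ == "__main__":
    for name, acl, pkt in [("105", ACL_105, SMURF_TRIGGER), ("105", ACL_105, INSIDE_WEB),
                           ("107", ACL_107, PING_REQUEST), ("107", ACL_107, PING_REPLY),
                           ("107", ACL_107, INSIDE_WEB)]:
        action, idx, logged = evaluate(acl, pkt)
        where = "implicit deny" if idx is None else f"entry {idx}"
        print(f"ACL {name}: {pkt.proto:4} {pkt.src} -> {pkt.dst}: {action} ({where}, log={logged})")
```

Two operational points the simulator makes visible: `echo` matches only echo requests, so replies to pings originated from inside still pass under the final permit of ACL 107; and because every ACL ends with an implicit deny, ACL 107 as written passes nothing but ICMP to 10.2.1.0, so a list applied to a production interface would need permit entries for the other traffic it must carry. Note also that IOS allows one ACL per interface per direction, so `ip access-group 107 in` on fastethernet 0/0 replaces ACL 105 rather than stacking on it; the two lists would be merged into one in a real deployment.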
