That would help, but probably wouldn't be the solution they were after. You could also configure uRPF on the interface, since a successful Smurf Attack uses spoofed source IP Addresses.

Denying all ICMP Echo and Echo-Reply might be counter-productive, but policing the rate would be better.

On Sun, Feb 13, 2011 at 7:47 AM, kamran shakil <[email protected]> wrote:

> I have to confirm the following logic.
>
> I know that for a smurf attack I have to consider icmp echo and icmp echo
> reply and then either drop it or police it as per requirement.
>
> But,
>
> I have read that "no ip directed-broadcast" can also be used for smurf
> protection?
>
> Today I was using a router with
> "flash:c2600-advsecurityk9-mz.124-15.T14.bin"
> and when I did #show run all, under fa0/0 there is no default value of "no
> ip directed broadcast", so
>
> I just want to confirm from EXPERTS, would that be OK and acceptable by CCIE
> LAB, in case they ask a smurf attack question and I configure both "no ip
> directed broadcast" under the interface and also deny icmp-echo and
> echo-reply or police it if mentioned!!!
>
> regards,
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
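The three mitigations discussed in this thread, combined on one interface, as an added example that is not part of the original messages. The ACL number, the class-map and policy-map names, and the police rate and burst are assumptions chosen for illustration; fa0/0 is the interface named in the question.

```cisco
! uRPF requires CEF to be enabled globally
ip cef
!
! Match only ICMP echo and echo-reply (ACL number 101 is an assumption)
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
!
! MQC policer: ping keeps working, but a flood is dropped above the rate
! (names and the 64 kbps / 8000-byte burst values are assumptions)
class-map match-all ICMP-ECHO
 match access-group 101
!
policy-map POLICE-ICMP
 class ICMP-ECHO
  police 64000 8000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 ! Do not translate directed broadcasts into link-layer broadcasts, so this
 ! segment cannot be used as a Smurf amplifier. This is the default since
 ! IOS 12.0; stating it explicitly is harmless.
 no ip directed-broadcast
 ! Strict uRPF: drop packets whose source address is not reachable back
 ! through this interface, which removes the spoofed sources Smurf relies on
 ip verify unicast source reachable-via rx
 ! Rate-limit ICMP echo/echo-reply arriving on this interface
 service-policy input POLICE-ICMP
```

`show ip interface FastEthernet0/0` reports the directed-broadcast setting and the uRPF drop counters, and `show policy-map interface FastEthernet0/0` shows the conformed and exceeded packet counts for the policer.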
