Yes, can be from this IP, but uRPF is for spoof address protection and not meant 
for SMURF. 

SMURF is well explained with excessive sending of ICMP ECHO or ICMP ECHO-REPLY, 
there are variants out there.

A similar attack with UDP is FRAGGLE.

I think Tyson agreed on my first email.

-----Original Message-----
From: [email protected] on behalf of Mark Senteza
Sent: Mon 2/14/2011 5:54 AM
To: kamran shakil
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Smurf attack Prevention and Mitigation:
 
That would help, but probably wouldn't be the solution they were after.

You could also configure uRPF on the interface, since a successful Smurf Attack 
uses spoofed source IP Addresses.

Denying all ICMP Echo and Echo-Reply might be counter-productive, but policing 
the rate would be better.




On Sun, Feb 13, 2011 at 7:47 AM, kamran shakil <[email protected]> wrote:


        I have to confirm the following logic.
        
        I know that for a smurf attack I have to consider ICMP echo and ICMP echo
        reply and then either drop it or police it as per requirement.
        
        But,
        
        I have read that "no ip directed-broadcast" can also be used for smurf
        protection?
        
        Today I was using a router with
        "flash:c2600-advsecurityk9-mz.124-15.T14..bin"
        and when I did #show run all, under fa0/0 there is no default value of
        "no ip directed broadcast", so
        
        just want to confirm from EXPERTS, would that be OK and acceptable by the
        CCIE LAB, in case they ask a smurf attack question and I configure both "no ip
        directed broadcast" under the interface and also deny icmp-echo and echo-reply
        or police it if mentioned !!!
        
        
        regards,
        
        
        

        _______________________________________________
        For more information regarding industry leading CCIE Lab training, 
please visit www.ipexpert.com
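
As an added example (not part of the thread and not written by any of its participants), the Python sketch below shows how the two traffic patterns discussed above look to a monitor: ICMP echo requests addressed to a subnet's directed-broadcast address, and a host receiving echo replies from many senders it never pinged. The function name, the threshold and the packet tuples are assumptions constructed for illustration, using documentation address ranges.

```python
import ipaddress
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

# Constructed sample capture: (source, destination, ICMP type), in arrival order.
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.255", ECHO_REQUEST),  # request to directed broadcast
    ("192.0.2.10", "198.51.100.7", ECHO_REPLY),
    ("192.0.2.11", "198.51.100.7", ECHO_REPLY),
    ("192.0.2.12", "198.51.100.7", ECHO_REPLY),
    ("192.0.2.13", "198.51.100.7", ECHO_REPLY),
    ("203.0.113.5", "192.0.2.20", ECHO_REQUEST),    # ordinary unicast ping
    ("192.0.2.20", "203.0.113.5", ECHO_REPLY),      # and its matching reply
]

def find_smurf_indicators(packets, local_nets, reply_threshold=3):
    """Return (directed_broadcast_requests, flooded_hosts).

    directed_broadcast_requests: (src, dst) of echo requests sent to the
    broadcast address of a monitored subnet.
    flooded_hosts: {host: n} where n distinct senders replied to a host
    that never sent them a unicast echo request, for n >= reply_threshold.
    """
    broadcasts = {ipaddress.ip_network(n).broadcast_address for n in local_nets}
    requested = set()               # (requester, target) pairs seen so far
    unsolicited = defaultdict(set)  # receiver -> senders of unasked replies
    broadcast_requests = []
    for src, dst, icmp_type in packets:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if icmp_type == ECHO_REQUEST:
            if d in broadcasts:
                broadcast_requests.append((src, dst))
            requested.add((s, d))
        elif icmp_type == ECHO_REPLY and (d, s) not in requested:
            unsolicited[d].add(s)
    flooded = {str(host): len(senders) for host, senders in unsolicited.items()
               if len(senders) >= reply_threshold}
    return broadcast_requests, flooded

if __name__ == "__main__":
    print(find_smurf_indicators(SAMPLE_PACKETS, ["192.0.2.0/24"]))
```

The first result corresponds to the traffic that "no ip directed-broadcast" stops at the router, and the second to the reply volume that rate policing of ICMP is meant to bound.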
        
        



