Hi all,
The CERT advisory recommends the following actions for Cisco devices in this
kind of attack; in particular, I prefer the first, since an ACL depends on where
your routers are :-)

http://www.cert.org/advisories/CA-1998-01.html

By the way, I remember that a smurf attack generates several ICMP unreachable
messages; that's the way I used to check for this kind of attack.

Cisco Systems

Cisco recommends the following configuration settings as protection against
being used as an intermediary in smurf attacks:


   1. Disabling IP directed broadcast for all interfaces on which it is not
   needed. This must be done on all routers in the network, not just on the
   border routers. The command "no ip directed-broadcast" should be applied to
   each interface on which directed broadcasts are to be disabled.

   Very few IP applications actually need to use directed broadcasts, and
   it's extremely rare for such an application to be in use in a network
   without the knowledge of the network administrator. Nonetheless, as when
   any functionality is disabled, you should be alert for possible problems.

   This is the preferred solution for most networks.

   2. If your network configuration is simple enough for you to create and
   maintain a list of all the directed broadcast addresses in your network,
   and if you have a well-defined perimeter separating your own network from
   potentially hostile networks, consider using a filter at the perimeter to
   prevent directed broadcasts from entering the network. For example, if your
   network number is 172.16.0.0, and you uniformly use a subnet mask of
   255.255.255.0, then you might use Cisco access list entries like

        access-list 101 deny ip 0.0.0.0 255.255.255.255 172.16.0.255 0.0.255.0
        access-list 101 deny ip 0.0.0.0 255.255.255.255 172.16.0.0 0.0.255.0


   Note that this is not a complete access list; it's simply two entries.
   See the Cisco documentation for more information on configuring access
   lists. The best place to apply such a filter is usually on the incoming
   side of each router interface that connects to the potentially hostile
   network.

   This solution may be administratively infeasible for networks using
   variable-length subnet masks, or which have complex external connectivity.
   There is also some possibility that legitimate directed broadcasts may be
   being sent into your network from the outside, especially if you're working
   in a research environment.

In addition to these protections against being used as an intermediary in a
smurf attack, Cisco recommends that you take steps to prevent users within
your own network from launching such attacks. For "stub" networks which do
not provide transit connectivity (most corporate and institutional
networks, many smaller ISPs), this is usually best done by installing
filters at the network perimeter to prevent any packets from leaving your
network unless their IP source addresses actually lie within your network's
address space. For the example network above, you might place the following
entry in the incoming access lists on the interface(s) facing your internal
network:

   access-list 101 permit ip 172.16.0.0 0.0.255.255 0.0.0.0 255.255.255.255
   access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255


Regards
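As an added illustration (not part of this thread, and not code from CERT or Cisco), the following Python script evaluates the advisory's two filters with Cisco wildcard-mask semantics against a few constructed packets, and adds a strict reverse-path check modelled on the uRPF suggestion in the quoted reply further down. The only real configuration lines are the access-list entries copied from the advisory; the trailing permit-any entry, the interface names, the routing table and all packet addresses are assumptions made up for the example.

```python
"""Added example: simulate Cisco wildcard-mask ACL entries and a strict uRPF check.

Not part of the mailing-list thread or the CERT advisory; the access-list
lines are copied from CA-1998-01, everything else here is constructed.
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = _ip(wildcard) ^ ALL_ONES  # invert the wildcard: bits that must match
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass(frozen=True)
class Entry:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny ip SRC SRC-WC DST DST-WC' (extended, protocol ip only)."""
    parts = line.split()
    if len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    return Entry(parts[2], parts[4], parts[5], parts[6], parts[7])


def evaluate(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny any'."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


# Perimeter (inbound from outside) filter from the advisory, for 172.16.0.0/16
# with uniform /24 subnets. The advisory says these two lines are not a complete
# list; the trailing permit-any is an assumption so ordinary traffic still flows.
PERIMETER_IN = [parse_entry(line) for line in (
    "access-list 101 deny ip 0.0.0.0 255.255.255.255 172.16.0.255 0.0.255.0",
    "access-list 101 deny ip 0.0.0.0 255.255.255.255 172.16.0.0 0.0.255.0",
    "access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",  # assumed
)]

# Anti-spoofing filter applied inbound on the interface facing the internal network.
INTERNAL_IN = [parse_entry(line) for line in (
    "access-list 101 permit ip 172.16.0.0 0.0.255.255 0.0.0.0 255.255.255.255",
    "access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
)]

# Constructed routing table for the uRPF check: (prefix, interface it is reached through).
ROUTES = [
    ("172.16.0.0/16", "Gi0/1"),  # internal network (assumed interface name)
    ("0.0.0.0/0", "Gi0/0"),      # default route towards the upstream / hostile side
]


def urpf_strict(routes, src: str, in_iface: str) -> bool:
    """Strict uRPF: accept only if the longest-prefix route back to SRC points out IN_IFACE."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if ipaddress.IPv4Address(src) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == in_iface


def check_packet(src: str, dst: str, in_iface: str) -> dict:
    """Run one packet through the ACL that applies to its ingress interface, plus strict uRPF."""
    acl = PERIMETER_IN if in_iface == "Gi0/0" else INTERNAL_IN
    return {"acl": evaluate(acl, src, dst), "urpf": urpf_strict(ROUTES, src, in_iface)}


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, ingress interface).
    samples = [
        ("198.51.100.7", "172.16.5.255", "Gi0/0"),  # echo request to a subnet broadcast from outside
        ("198.51.100.7", "172.16.5.10", "Gi0/0"),   # ordinary unicast from outside
        ("172.16.3.4", "203.0.113.1", "Gi0/1"),     # legitimate internal source leaving
        ("10.9.9.9", "203.0.113.1", "Gi0/1"),       # spoofed source coming from inside
        ("172.16.3.4", "172.16.5.255", "Gi0/0"),    # outside packet claiming an internal source
    ]
    for src, dst, iface in samples:
        print(f"{src:>14} -> {dst:<14} on {iface}: {check_packet(src, dst, iface)}")
```

The ACL part shows why the advisory's second approach only works with a uniform subnet mask: the wildcard 0.0.255.0 matches every x.x.N.255 and x.x.N.0 for /24 subnets, but a /25 broadcast such as 172.16.5.127 slips straight through. The uRPF part shows what the interface command from the quoted reply buys you: a packet with an internal source address arriving on the outside interface fails the reverse-path check even before any ACL is consulted.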




On Tue, Jun 5, 2012 at 6:25 PM, Elizabeth .... <[email protected]> wrote:

>  Kings,
>
> Back to your original question -  How to block smurf attacks on an
> interface other than using "no ip directed-broadcast" and no ACL.
>
> Well I think you might use two methods:
> 1. uRPF - use the *ip verify unicast reverse-path* command on the input
> interface on the router at the upstream end of the connection. The router
> will verify that it has a reverse path for the spoofed ICMP packet and drop
> the packet if no path exists. CEF must be enabled.
> 2. Use CAR to rate limit ICMP packets - if ping must be allowed, you can
> limit the amount of ICMP traffic.
>
> have a look at the following Cisco Doc
> http://www.cisco.com/en/US/tech/tk59/technologies_white_paper09186a0080174a5b.shtml
>
>
> Regards,
>           Elizabeth
> ------------------------------
> From: [email protected]
> To: [email protected]
> Date: Tue, 5 Jun 2012 19:22:32 +0000
> CC: [email protected]
> Subject: Re: [OSL | CCIE_Security] Blocking flood attack on an interface
>
>  Oh, no CCIE Number that you actually passed!!!!! Just Blah, blah ....
>
> What a waste of space ....
>
> ------------------------------
> Date: Tue, 5 Jun 2012 15:10:53 -0400
> Subject: Re: [OSL | CCIE_Security] Blocking flood attack on an interface
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
> Gents
> I am sorry about this episode that we are having here in this thread. It
> could be the time of month :) It makes me laugh that I am being demanded to
> provide my number. I think I should post my plaque once I receive it.
>
>
> There won't be any more reply from my side on this topic. I am sorry
> again.
>
> On Tuesday, June 5, 2012, Elizabeth .... wrote:
>
>  Well, what a waste of time & space to discuss with you ... What's your
> CCIE number, so that you can really prove that you've passed the Lab!!!!
>
> Please do not reply!!!
>
> Regards,
>      Elizabeth
> ------------------------------
> Date: Tue, 5 Jun 2012 14:17:29 -0400
> Subject: Re: [OSL | CCIE_Security] Blocking flood attack on an interface
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
> It's not my comments which are abusive. It's yours, and it's you who is
> ignorant and probably jealous as well. A lot of ppl on this forum know me
> personally and virtually and they know what I meant by my comments. Keep your
> retardness to yourself and bring something useful to this forum. I am on
> this forum for some time and am trying to work with various people to make
> it better. When you have no idea what others meant, then keep your reply to
> yourself. Visit various pathetic forums and see what those wannabes are
> discussing.
> Go to the Cisco website and see where Cisco announced v4, and then see the
> comment of the user who asked, "how many 'lab' in this new version 4".
> Do you have any idea what that user was asking about? You wouldn't know, I
> bet.
> Enough said.
>
> On Tuesday, June 5, 2012, Elizabeth .... wrote:
>
>  Fawad,
>
> No need for your abusive comments....
> It's been just 5 - 6 days since you passed your exam, and now what, are you
> such an expert ....
> So, if you do not have respect for others, maybe it would be better that
> you abstain from posting on this forum!!!
>
> Regards,
>        Elizabeth
>
> ------------------------------
> Date: Tue, 5 Jun 2012 09:37:55 -0400
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [OSL | CCIE_Security] Blocking flood attack on an interface
>
> A lot depends on the question. It would be mentioned in the question how to
> resolve it; there would be some clear hints.
> Don't believe the answers posted on the forums for floating questions.
> A lot of those wannabes are pretty low in technology and they are
> just posting anything that would come to their mind.
>
> On Tuesday, June 5, 2012, Kingsley Charles wrote:
>
> Not ACL but some interface command should be the answer. I just saw this
> question floating...
>
> With regards
> Kings
>
> On Tue, Jun 5, 2012 at 2:58 PM, Matt Hill <[email protected]> wrote:
>
> Off the top of my head...  An ACL with the broadcast address as the
> destination? (???)
>
> Cheers,
> Matt
>
> CCIE #22386
> CCSI #31207
>
> On 5 June 2012 18:03, Kingsley Charles <[email protected]> wrote:
> > Hi all
> >
> > How do we block smurf attacks on an interface other than using "no ip
> > directed-broadcast"? I can't think of any other commands.
> >
> >
> > With regards
> > Kings
> >
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please
> > visit www.ipexpert.com
> >
> > Are you a CCNP or CCIE and looking for a job? Check out
> > www.PlatinumPlacement.com
>
>
>
>
> --
> FNK
>
>
>
>
>
>