Re: ICMP Flooding posted 11/26/2006


Hi Andrew,

While thanking again for this valuable, easy to understand document,
can we now ask you to suggest ways of reducing this?

I am thinking of the below:

1. Unicast Reverse Path Forwarding (Unicast RPF) feature on all the
inbound interfaces
2. Rate-limit ICMP (all the types) to a lower BW on all inbound
interfaces so that normal network monitoring works.

I am wondering whether we have any other options to reduce these effects in networks.

Thank you in advance for your replies.

On 11/26/06, Andrew Bruce Caslow <abcaslow@xxxxxxxxxxxxxxxxxx> wrote:
Hi Mathew,

As promised earlier, a five page ICMP flooding/SMURF technical note is
posted on the NMC site for public access at:

http://netmasterclass.com/site/articles/A%20Brief%20Description%20of%20an%20ICMP%20Flood%20Attack.pdf

The technical note is 5 pages in length. It is pretty much a restatement of
what I posted a few days ago on the subject. However, the posted technical
note contains a diagram and a set of simple configurations as well as a few
simple steps - such as how to initiate a specially crafted ping and enable some
debug tools - so that you can see an ICMP flood/SMURF attack in action.

The test configuration only involves three routers. We used Dynamips to
generate the tests.

HTH,

-Bruce Caslow CCIE #3139
 NetMasterClass, LLC
 www.netmasterclass.net



> -----Original Message-----
> From: Mathew [mailto:mathewfer@xxxxxxxxx]
> Sent: Friday, November 24, 2006 1:00 AM
> To: Andrew Bruce Caslow
> Cc: nisha rani; Cisco certification
> Subject: Re: ICMP Flooding
>
> Hi Andrew,
>
> Can you pls give us the link to this on your website?
>
>
> On 11/22/06, Andrew Bruce Caslow <abcaslow@xxxxxxxxxxxxxxxxxx> wrote:
> > Hi Nisha,
> >
> > I am assuming that you are interested in reading about ICMP flooding to
> > better understand a common Denial of Service attack. If this is the case, we
> > have a page in the NMC Technical Library on this topic. Later today, I will
> > make it publicly available to you so that you can read it. I will post the
> > link to the GroupStudy forum. However, for now, let me give you a brief
> > explanation of one form of an ICMP flood. Specifically, it is an ICMP
> > ECHO-REPLY flood attack and is usually called a "smurf" attack.
> >
> > A "smurf" attack has three basic components:
> >
> > 1). An attacking end station
> > 2). A target interface to be "victimized"
> > 3). An amplifying network
> >
> > Notice that the first two components are end devices - (1) is an end station
> > and (2) is an interface. However, component #3 is a "network". This is very
> > important to remember when attempting to understand an icmp flood "smurf"
> > attack. Why is component #3 an "amplifying" network? I will explain below.
> >
> > Now, how are these 3 components used to generate an icmp flood/smurf attack?
> >
> > Here is a brief description:
> >
> > Let's set the stage:
> >
> > Let's say the attacking end station has a locally assigned IP source address
> > of 100.1.1.1
> >
> > And let's say the target/victim interface has the locally assigned IP
> > address of 13.13.13.13
> >
> > And finally, let's say the amplifying network has the prefix of
> > 140.10.1.0/24 and it has 100 attached devices. Also, let's assume that the
> > router that attaches this amplifying network to the Internet accepts and
> > forwards "directed-broadcasts", such as in this specific case
> > "140.10.1.255".
> >
> > Now, let's put the icmp flood/"smurf" attack into play:
> >
> > STEP 1: The attacking end station initiates the following ping with the
> > following carefully selected parameters:
> >
> > Ping
> >
> >  Destination Address (Parameter #1): 140.10.1.255 (a directed broadcast to
> > the amplifying network)
> >
> >  Source Address (Parameter #2): 13.13.13.13 (This is not the source addr. of
> > the attacking end station!! But the source addr. of the target/victim
> > network)
> >
> >  Repeat Count (Parameter #3): 1,000,000 (Lots of pings!!!)
> >
> > It is important to note that the attacking end station's actual source
> > address (100.1.1.1) is in no way referenced in this ping. It remains
> > stealthily anonymous during this smurf attack.
> >
> > When this ping is initiated, the directed broadcast ping is forwarded to the
> > amplifying network and all 100 end stations will respond to the directed
> > broadcast PING/ICMP ECHO request (provided that they are not explicitly
> > configured to ignore such ICMP ECHO requests). This will result in the
> > generation of 100,000,000 ICMP ECHO-REPLIES. Voilà!!! There is your ICMP
> > flood, or at least one form of it.
> >
> > All of these ICMP ECHO-REPLIES will be forwarded to the target/victim
> > interface instead of the originating source end station (since the ping was
> > initiated with the source address of the target/victim interface). The
> > intended result is to negatively impact the performance of the target/victim
> > interface - thus a "denial of service" state has been attained.
> >
> > The NMC Tech Lib page provides a diagram to this description. It is easier
> > to understand with a diagram. I hope this brief description was of some
> > help.
> >
> > Overall, a good reference for securing networks is:
> >
> > http://www.cymru.com/Documents/secure-ios-template.html
> >
> > This is a link to Bob Thomas' secure IOS configuration template. In this
> > template, he supplies lots of good recommended IOS commands to enter into a
> > Cisco router configuration along with a brief description of each command.
> >
> > He supplies lots of other excellent router security related content on this
> > site. Perhaps, the most famous resource on this site is his bogon list or
> > list of "unallocated" IP prefixes. For more on bogons, see:
> >
> > http://www.cymru.com/Bogons/
> >
> > HTH,
> >
> > -Bruce Caslow CCIE #3139
> >  NetMasterClass, LLC
> >  www.netmasterclass.net
> >
> >
> >
> > > -----Original Message-----
> > > From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf
> > > Of nisha rani
> > > Sent: Wednesday, November 22, 2006 4:36 AM
> > > To: Cisco certification
> > > Subject: ICMP Flooding
> > >
> > > Can someone provide me a good link on ICMP flooding?
> > >
> > > Thanks
> > > nisha
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
> --
> Thanks
>
> Mathew




--
Thanks

Mathew
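As an added worked example (not code from the thread, from NetMasterClass or from the Team Cymru template), the following script models the smurf scenario Bruce describes with the thread's own addresses (attacker 100.1.1.1, victim 13.13.13.13, amplifying network 140.10.1.0/24 with 100 hosts) from a defender's side. It shows two things: why Mathew's item 1, strict Unicast RPF, stops the spoofed echo request only at a hop where the route back to 13.13.13.13 differs from the interface the packet arrived on (i.e. near the attacker, not at the amplifying network's edge, where the precondition Bruce names, forwarding of directed broadcasts, is the thing to remove), and how a collector near the victim can recognise the resulting reply flood: many ICMP echo-replies from many distinct hosts in one /24 that the victim never sent echo-requests to. The routing table, interface names, flow-record shape, thresholds and the monitoring host 10.0.0.5 are constructed assumptions for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Addresses taken from the thread.
ATTACKER = "100.1.1.1"
VICTIM = "13.13.13.13"
AMPLIFIER = ip_network("140.10.1.0/24")
AMPLIFIER_HOSTS = 100

# Constructed routing table of the router nearest the attacker (assumption):
# the attacker's LAN hangs off FastEthernet0/1, everything else is reached
# over the Serial0/0 uplink. Maps prefix -> egress interface.
UPSTREAM_ROUTES = {
    ip_network("100.1.1.0/24"): "FastEthernet0/1",
    ip_network("0.0.0.0/0"): "Serial0/0",
}


def egress_interface(routes, addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    best_prefix, best_iface = None, None
    for prefix, iface in routes.items():
        if addr in prefix and (best_prefix is None or prefix.prefixlen > best_prefix.prefixlen):
            best_prefix, best_iface = prefix, iface
    return best_iface


def urpf_strict_accepts(routes, src, ingress_iface):
    """Strict uRPF: forward only if the return path to src leaves through the
    interface the packet arrived on. A spoofed source address fails this test
    at the router where the spoofed packet enters the network."""
    return egress_interface(routes, ip_address(src)) == ingress_iface


def detect_echo_reply_flood(flows, min_sources=50, min_replies=1000):
    """Flag destinations that receive many ICMP echo-replies (type 0) from many
    distinct hosts in one /24 without having sent echo-requests (type 8) to
    them. flows: iterable of (src, dst, icmp_type, packets) records as a flow
    collector might export them (constructed format). Returns
    {dst: [{"amplifier": "<net>/24", "sources": n, "replies": m}, ...]}."""
    pinged = defaultdict(set)        # src -> destinations it sent echo-requests to
    replies = defaultdict(Counter)   # dst -> Counter(src -> echo-reply packets)
    for src, dst, icmp_type, packets in flows:
        if icmp_type == 8:
            pinged[src].add(dst)
        elif icmp_type == 0:
            replies[dst][src] += packets

    alerts = {}
    for dst, by_src in replies.items():
        per_net = defaultdict(lambda: [0, 0])   # /24 -> [reply packets, distinct sources]
        for src, packets in by_src.items():
            if src in pinged[dst]:
                continue                        # solicited reply: dst pinged src
            net = ip_network(f"{src}/24", strict=False)
            per_net[net][0] += packets
            per_net[net][1] += 1
        for net, (n_replies, n_sources) in per_net.items():
            if n_sources >= min_sources and n_replies >= min_replies:
                alerts.setdefault(dst, []).append(
                    {"amplifier": str(net), "sources": n_sources, "replies": n_replies})
    return alerts


def constructed_flows(pings=1000):
    """Constructed sample flow records (not captured data): every host in the
    amplifying network answers the spoofed directed-broadcast ping toward the
    victim, plus one legitimate ping exchange from the victim's monitoring."""
    flows = []
    for host in list(AMPLIFIER.hosts())[:AMPLIFIER_HOSTS]:
        flows.append((str(host), VICTIM, 0, pings))   # unsolicited echo-replies
    flows.append((VICTIM, "10.0.0.5", 8, 5))          # victim pings a monitored host
    flows.append(("10.0.0.5", VICTIM, 0, 5))          # solicited echo-replies
    return flows


if __name__ == "__main__":
    print("spoofed source 13.13.13.13 arriving on the customer port, accepted:",
          urpf_strict_accepts(UPSTREAM_ROUTES, VICTIM, "FastEthernet0/1"))
    print("attacker's real source 100.1.1.1 on the customer port, accepted:",
          urpf_strict_accepts(UPSTREAM_ROUTES, ATTACKER, "FastEthernet0/1"))
    print(detect_echo_reply_flood(constructed_flows()))
```

Run stand-alone, the script reports that the spoofed request is dropped by strict uRPF on the customer port while the attacker's genuine traffic passes, and the detector raises one alert for 13.13.13.13 naming 140.10.1.0/24 as the amplifier with 100 sources and 100,000 reply packets. Mathew's item 2, rate-limiting ICMP on inbound interfaces, bounds what reaches the victim's interface but does not tell you where the replies come from; the per-/24 grouping here is what points at the amplifying network so its operator can be asked to stop forwarding directed broadcasts.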