"no ip directed-broadcast" only prevents your network
from being used as a smurf amp.  What you want to cut
down on a smurf attack on your network is:

ip verify unicast reverse-path

Also, if you are running BGP with your ISP(s) you can
establish a NULL_ROUTE non-transitive community with
them beforehand to route attack traffic to the bit
bucket.  When you notice an attack underway, your
router speaking bgp with the ISP peer can advertise
the /32 target with this community. Once this
propagates, the ISP ibr will drop the attack traffic
at ingress to the ISP network.  Note that if the
attack is well advanced, or your WAN link is low
bandwidth to begin with, you may have already lost the
bgp peering session.  For this scenario, keep a low bw
ddr link that you can use to set up a peering session
and pass this advertisement.  Of course, this
blackholes whichever host is under attack so you are
accomplishing the DoSer's work for him/her.  It does
keep your network up while you are on hold waiting for
someone clueful in your ISP's NOC and prevents
excessive consumption of $ for the link.

Best regards,

Geoff Zinderdine
CCNP MCP CCA SOB
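The two mechanisms Geoff recommends above (strict uRPF and a customer-triggered blackhole advertised to the ISP with a pre-agreed community), sketched as an added IOS configuration example. This is an editor's illustration, not configuration posted by anyone in the thread. Every number is a placeholder: AS 65000 for the ISP, AS 65001 for the customer, 192.0.2.1 for the ISP peer, 198.51.100.0/24 for the customer prefix, 65000:666 for the blackhole community and 666 for the local route tag. The real community value, and whether the ISP will accept a /32 from you at all, has to be agreed with the ISP beforehand, exactly as the post says.

```cisco
! Added example, not from the original thread. All values are placeholders.
!
! uRPF needs CEF.
ip cef
!
! 1. Strict uRPF on the inside interface: a packet is dropped when the best
!    route back to its source address does not point out this same interface,
!    so hosts behind it cannot send packets with spoofed source addresses.
!    Strict mode assumes symmetric routing on that interface.
interface Ethernet0
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast reverse-path
!
! 2. Customer-triggered blackhole. The route-map maps a locally chosen tag to
!    the community agreed with the ISP; no-export additionally keeps the
!    announcement inside the ISP's AS. Only tagged statics are redistributed,
!    since a route-map clause that does not match falls through to deny.
route-map BLACKHOLE permit 10
 match tag 666
 set community 65000:666 no-export
!
router bgp 65001
 network 198.51.100.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 send-community
 redistribute static route-map BLACKHOLE
!
! Added at attack time and removed afterwards: a /32 for the host under attack
! pointed at Null0 and carrying the marker tag. Once redistributed and received
! by the ISP, traffic to that host is dropped at the ISP's ingress. The router
! itself also drops traffic to the host, which is the trade-off described above.
ip route 198.51.100.10 255.255.255.255 Null0 tag 666
```

The ISP side of this arrangement (matching the community and setting the next hop to a blackhole address) is the ISP's configuration and is not shown; the only thing the customer has to be able to do during an attack is add the one tagged static route.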
--- Paul Borghese  wrote:
> > I would like to protect my router against smurf attack. For that I have
> > to set up a CAR on my serial interface. But I want to know how to
> > determine the proper amount of bandwidth for icmp packets for the CAR
> > (I have an 8Mb/s bandwidth interconnection to the Internet). By trial
> > and error I have determined a bandwidth of 128 kb/s.
> > 
> > CAR Configuration:
> > 
> > interface Serial 0
> > rate-limit input access-group 102 128000 8000 8000 conform-action transmit exceed-action drop
> > 
> > access-list 102 permit icmp any any echo
> > access-list 102 permit icmp any any echo-reply
> > 
> > I have another question, can somebody tell me the threshold of icmp
> > packets (in kb/s) necessary to consume a host's resources?
> 
> The best way to protect a network against a smurf attack is to use the
> command:
> 
> no ip directed-broadcast
> 
> on your Serial interface that connects to the internet.  Cisco IOS 12.x
> and later has the command on by default.
> 
> If you are the end recipient of a smurf attack, you will need to work
> with your Internet Service Provider to limit the bandwidth of
> echo-replies being sent to your network.  Filtering on your router does
> no good as the attack is designed as a denial-of-service attack to fill
> your internet access with garbage.  Once it hits your router it is too
> late.  You will need to use CAR on the router before your internet
> connection.
> 
> I hope this helps!
> 
> Paul Borghese
> [EMAIL PROTECTED]


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=14895&t=14634