Common attacks

Smurf attack:

“smurf” attack, named after its exploit program.

  1. ICMP echo packet(s) sent with a spoofed source IP to a directed broadcast, victim is the spoofed address, DoS trafic generated by hosts on an ‘unprotected’ subnet.
  2. The ‘unprotected’ subnet receives the directed broadcast which causes each host on the subnet to send an echo-reply to the spoofed address (the victim). The larger the subnet the bigger the traffic load generated.
  3. Victim receives echo-replies from many hosts.

- Classic DoS attack which can be prevented by dropping spoofed packets:

ip verify unicast source reachable-via rx (IOS 12.4 syntax)
ip verify unicast reverse-path (pre 12.4 syntax)

But if the attacker and victim are both on the same interface or next-hop as per the routers local routing table then this line of config will not stop the spoofed packets. Mind you this is generally only the case in bad network design or furposefull lolly-pop routing. Don’t forget that BGP with next-hop-self can cause lolly-pop routing. Also MultiPoint interfaces are a place where this configuration might be less effective than intended. Generally speaking one could argue that if split-horizon is turned of then this feature shouldn’t be active either.

- Subnets can be protected by stopping directed broadcasts:

no ip directed-broadcast (IOS 12.0 default)

- Echo-replies can be rate-limited or dropped to protect the victim. Service-policy/rate-limit(=old style) or ACL.

Fraggle attack:

Like the Smurf attack but uses UDP echo packet(s) instead of ICMP, a simple re-write of the application “smurf”. This traffic is aimed at ports 7 (echo) and 19 (chargen).

%d bloggers like this: