Distributed Denial of Service (DDoS) Attacks


SportsOptions/Line up with the pros (joined Jul 20, 2000; 13,227 messages):
Thanks AITON, good for computer dummies like me. I saved this so I can read it later.
 

New member (joined Sep 21, 2004; 755 messages):
This is also a good article, by Craig A. Huegen (chuegen@pentics.com):
http://www.pentics.net/denial-of-service/white-papers/smurf.cgi

INFORMATION FOR VICTIMS AND HOW TO SUPPRESS ATTACKS:

The amount of bandwidth and packets per second (pps) that can be generated
by this attack is quite large. With a 200-host LAN, I was able to
generate over 80 Mbps traffic at around 35 Kpps toward my target--a
pretty significant amount. The victims receive this because traffic is
multiplied by the number of hosts on the broadcast network used (in this
case, with a 200-host network, I was only required to send 400 Kbps
to the broadcast address--less than one-third of a T1).

Many hosts cannot process this many packets per second; many hosts are
connected to 10 Mbps Ethernet LANs where more traffic than wire speed
is sent. Therefore, the ability to drop these packets at the network
border, or even before it flows down the ingress pipes, is desired.

Cisco routers have several "paths" which packets can take to be routed;
each has a varying degree of overhead. The slowest of these is "process"
switching. This is used when a complex task is required for processing
packets. The other modes are variations of a fast path--each of them with
a set of advantages and disadvantages. However, they're all handled at
interrupt level (no process-level time is required to push these packets).

In IOS versions (even the most recent), access-list denies are handled at
the process (slow) level, because they require an ICMP unreachable to be
generated to the originating host. All packets were sent to the process
level automatically to be handled this way.

Under a recent code change (Cisco bug ID CSCdj35407--integrated in version
11.1(14)CA and later 11.1CA, 11.1CC, 11.1CE, and 12.0 trains), packets
denied by an access-list will be dropped at the interrupt (fast) level, with
the exception of 2 packets per second per access-list deny line. These 2
packets per second will be used to send the "ICMP unreachable via
administrative block" messages. This assumes that you don't want to log
the access-list violations (via the "log" or "log-input" keywords). The
ability to rate-limit "log-input" access-list lines (in order to more
easily log these packets) is currently being integrated; see the section
below on tracing spoofed packet attacks for information on logging.

Filtering ICMP echo reply packets destined for your high-profile machines
at the ingress interfaces of the network border routers will then permit
the packets to be dropped at the earliest possible point. However, it
does not mean that the network access pipes won't fill, as the packets
will still come down the pipe to be dropped at the router. It will,
however, take the load off the system being attacked. Keep in mind that
this also denies others from being able to ping from that machine (the
replies will never reach the machine).

For those customers of providers who use Cisco, this may give you some
leverage with the providers' security teams to help save your pipes by
filtering before the traffic is sent to you.

An additional technology you can use to protect your machines is to use
committed access rate, or CAR. CAR is a functionality that works
with Cisco Express Forwarding, found in 11.1CC, 11.1CE, and 12.0. It
allows network operators to limit certain types of traffic to specific
sources and/or destinations.
 
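As an added example (it is not part of Huegen's paper or of either post in this thread), here is what the two victim-side measures described above look like as a Cisco IOS configuration fragment: an ingress access list that drops ICMP echo replies aimed at a couple of high-profile hosts at the border, plus a CAR policy that caps whatever echo-reply traffic remains. The interface name, the ACL numbers, the 192.0.2.x addresses and the 256 kbps budget are all assumptions chosen for illustration.

```cisco
! Added example, not from the paper or the thread. Assumptions: the upstream
! link is Serial0/0, and 192.0.2.10 / 192.0.2.11 are the high-profile hosts.
!
! CAR depends on Cisco Express Forwarding, so enable it globally first.
ip cef
!
! 1. Ingress filter. With the CSCdj35407 change integrated, packets matching
!    these deny lines are dropped at interrupt level, except for the 2 pps per
!    deny line that are spent generating "administratively prohibited"
!    unreachables toward the (spoofed) source. No "log"/"log-input" keyword
!    is used, so nothing is pushed to process switching.
!    Caveat from the text: these two hosts can no longer receive echo replies,
!    so an outbound ping from them will appear to fail.
access-list 101 deny   icmp any host 192.0.2.10 echo-reply
access-list 101 deny   icmp any host 192.0.2.11 echo-reply
access-list 101 permit ip any any
!
! 2. CAR classifier: all other inbound ICMP echo replies.
access-list 102 permit icmp any any echo-reply
!
interface Serial0/0
 description Upstream link from the provider (attack ingress)
 ip access-group 101 in
 ! Limit echo replies to 256000 bps (assumed budget), normal burst 8000 bytes,
 ! excess burst 8000 bytes. Conforming packets are forwarded, the excess is
 ! dropped on ingress before it reaches the LAN.
 rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
```

Both measures only unload the router and the target host; the amplified traffic still has to travel down the access pipe before the border router can drop it, which is why the text suggests asking the provider to apply the same filter on their side of the link.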
