Avoiding being an intermediary in a smurf attack, Acl-based dos-attack prevention, Acl-based – Brocade BigIron RX Series Configuration Guide User Manual

1078

BigIron RX Series Configuration Guide

53-1002484-04

Protecting against Smurf attacks

35

For each ICMP echo request packet sent by the attacker, a number of ICMP replies equal to the
number of hosts on the intermediary network are sent to the victim. If the attacker generates a
large volume of ICMP echo request packets, and the intermediary network contains a large number
of hosts, the victim can be overwhelmed with ICMP replies.

Avoiding being an intermediary in a Smurf attack

A Smurf attack relies on the intermediary to broadcast ICMP echo request packets to hosts on a
target subnet. When the ICMP echo request packet arrives at the target subnet, it is converted to a
Layer 2 broadcast and sent to the connected hosts. This conversion takes place only when
directed broadcast forwarding is enabled on the device.

To avoid being an intermediary in a Smurf attack, make sure forwarding of directed broadcasts is
disabled on the device. Directed broadcast forwarding is disabled by default. To disable directed
broadcast forwarding, do the following.

BigIron RX(config)# no ip directed-broadcast

Syntax: [no] ip directed-broadcast

ACL-based DOS-attack prevention

ACL-based DOS-attack prevention provides great flexibility on what packets can be rate-limited or
dropped up. In fact, users can create any matching conditions they want to regulate any particular
traffic flow they have in mind. This section provides examples that can be used to prevent two
common types of DOS attacks.

Avoiding being a victim in a Smurf attack

You can configure the device to drop ICMP packets when excessive numbers are encountered, as is
the case when the device is the victim of a Smurf attack. You can set threshold values for ICMP
packets that are targeted at the router itself or passing through an interface, and drop them when
the thresholds are exceeded.

For example, to set threshold values for ICMP packets received on interface 3/11, enter the
following command.

BigIron RX(config)# access-list 101 permit icmp any any echo-reply

BigIron RX(config)# interface ethernet 3/11

BigIron RX(config-if-e100-3/11)# dos-attack-prevent 101 burst-normal 5000000

burst-max 1000 lockup 300

In the example, if the total traffic volume of ICMP echo-reply packets received per second exceeds
5,000,000 bits per second, the excess packets are dropped. If the number of ICMP echo-reply
packets received per second exceeds 1,000, the device drops all ICMP packets for the next 300
seconds (five minutes).

Syntax: dos-attack-prevent <num> burst-normal <bps> burst-max <num-of-packets> lockup

<seconds> [log]

<num> is the ACL ID that will be used to check for traffic conformance.

The parameters burst-normal, burst-max, and lockup are applied individually on each ACL filter.

The burst-normal value, 1 – 100000000, is specified as bits per second.