Avoiding being an intermediary in a smurf attack, Avoiding being a victim in a smurf attack – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


Multi-Service IronWare Security Configuration Guide

53-1003035-02

Protecting against smurf attacks

The attacker sends an ICMP echo request packet to the broadcast address of an intermediary
network. The ICMP echo request packet contains the spoofed address of a victim network as its
source. When the ICMP echo request reaches the intermediary network, it is converted to a Layer 2
broadcast and sent to the hosts on the intermediary network. The hosts on the intermediary
network then send ICMP replies to the victim network.

For each ICMP echo request packet sent by the attacker, a number of ICMP replies equal to the
number of hosts on the intermediary network are sent to the victim. If the attacker generates a
large volume of ICMP echo request packets, and the intermediary network contains a large number
of hosts, the victim can be overwhelmed with ICMP replies.

Avoiding being an intermediary in a smurf attack

A smurf attack relies on the intermediary to broadcast ICMP echo request packets to hosts on a
target subnet. When the ICMP echo request packet arrives at the target subnet, it is converted to a
Layer 2 broadcast and sent to the connected hosts. This conversion takes place only when directed
broadcast forwarding is enabled on the device.

To avoid being an intermediary in a smurf attack, make sure forwarding of directed broadcasts is
disabled on the device. Directed broadcast forwarding is disabled by default. To disable directed
broadcast forwarding, enter this command.

Brocade(config)# no ip directed-broadcast

Syntax: [no] ip directed-broadcast
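The following is an added illustration, not code from the Brocade guide: a small Python model of the intermediary router described above. It shows why the directed-broadcast forwarding setting is the deciding factor. A request addressed to the subnet's broadcast address is dropped when forwarding is disabled (the IronWare default), and is turned into one reply per LAN host, all aimed at the spoofed source, when it is enabled. The network 192.0.2.0/24, the host list and the victim address are constructed test values.

```python
"""Model of an intermediary router in a smurf attack (constructed example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "icmp-echo-request"


@dataclass
class Router:
    """Intermediary router. `ip_directed_broadcast` mirrors the IronWare
    [no] ip directed-broadcast setting; False is the documented default."""
    lan: ipaddress.IPv4Network
    hosts: List[str]                      # hosts on the LAN that answer pings
    ip_directed_broadcast: bool = False

    def forward(self, pkt: Packet) -> List[Packet]:
        """Return the ICMP echo replies the LAN generates for one inbound packet."""
        dst = ipaddress.ip_address(pkt.dst)
        if dst == self.lan.broadcast_address:
            if not self.ip_directed_broadcast:
                # Directed broadcast not forwarded: the request dies here.
                return []
            # Forwarded as a Layer 2 broadcast: every host replies to the
            # (spoofed) source address, i.e. the victim.
            return [Packet(src=h, dst=pkt.src, proto="icmp-echo-reply")
                    for h in self.hosts]
        if dst in self.lan and pkt.dst in self.hosts:
            # Ordinary unicast ping: exactly one reply, no amplification.
            return [Packet(src=pkt.dst, dst=pkt.src, proto="icmp-echo-reply")]
        return []


def smurf_replies(router: Router, victim: str, n_requests: int) -> int:
    """Count replies that reach `victim` when an attacker sends `n_requests`
    echo requests spoofed from `victim` to the router's broadcast address."""
    total = 0
    for _ in range(n_requests):
        req = Packet(src=victim, dst=str(router.lan.broadcast_address))
        total += sum(1 for r in router.forward(req) if r.dst == victim)
    return total


def build_lan(forwarding_enabled: bool) -> Router:
    """Constructed LAN: 192.0.2.0/24 with ten responding hosts."""
    lan = ipaddress.ip_network("192.0.2.0/24")
    hosts = [f"192.0.2.{i}" for i in range(10, 20)]
    return Router(lan=lan, hosts=hosts, ip_directed_broadcast=forwarding_enabled)


if __name__ == "__main__":
    victim = "198.51.100.7"
    for enabled in (True, False):
        r = build_lan(enabled)
        print(f"directed-broadcast {'on ' if enabled else 'off'}: "
              f"{smurf_replies(r, victim, 3)} replies at victim for 3 requests")
```

The amplification factor is the number of hosts that answer a broadcast ping, so the router setting is only half of the picture: hosts that ignore broadcast echo requests (Linux does so by default via net.ipv4.icmp_echo_ignore_broadcasts=1) contribute nothing even when the router forwards. On the device itself, a practical check is to confirm that no `ip directed-broadcast` line appears in the running configuration, since the feature is off unless explicitly enabled.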

Avoiding being a victim in a smurf attack

You can configure the device to drop ICMP packets when excessive numbers are encountered, as is
the case when the device is the victim of a smurf attack. The following example sets threshold
values for ICMP packets targeted at the router and drops them when the thresholds are exceeded.

Brocade(config)# ip icmp burst-normal 5000 burst-max 10000 lockup 300

Syntax: ip icmp burst-normal value burst-max value lockup seconds

The burst-normal value can be from 1 – 100000.
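The page cuts off before defining burst-max and lockup, so the model below is an added example, not the guide's own description or device code, and it assumes the usual reading of these three parameters in the IronWare documentation: burst-normal is the number of ICMP packets per second that are forwarded normally, packets above that rate are dropped, and once the per-second count exceeds burst-max the device drops all ICMP for the lockup number of seconds. The limiter is fed a constructed timestamp list so the three regimes (normal, over-normal drop, lockup) can be seen in one run.

```python
"""Per-second ICMP burst limiter modelling
   ip icmp burst-normal N burst-max M lockup S
Assumed semantics (see lead-in); not Brocade code."""
from typing import List, Optional


class IcmpBurstLimiter:
    def __init__(self, burst_normal: int, burst_max: int, lockup: int):
        if not 1 <= burst_normal <= 100000:          # documented range
            raise ValueError("burst-normal must be 1-100000")
        if burst_max < burst_normal:
            raise ValueError("burst-max must be >= burst-normal")
        if lockup < 1:
            raise ValueError("lockup must be at least 1 second")
        self.burst_normal = burst_normal
        self.burst_max = burst_max
        self.lockup = lockup
        self.window_start: Optional[float] = None   # start of current 1 s window
        self.count = 0                              # ICMP seen in this window
        self.locked_until: Optional[float] = None   # end of an active lockup

    def accept(self, now: float) -> bool:
        """Return True if an ICMP packet arriving at time `now` is processed,
        False if it is dropped."""
        # Lockup in force: drop everything until it expires.
        if self.locked_until is not None:
            if now < self.locked_until:
                return False
            self.locked_until = None
        # Start a fresh one-second accounting window when needed.
        if self.window_start is None or now - self.window_start >= 1.0:
            self.window_start = now
            self.count = 0
        self.count += 1
        if self.count > self.burst_max:
            # Burst ceiling breached: enter lockup and drop this packet too.
            self.locked_until = now + self.lockup
            return False
        # Between burst-normal and burst-max: excess is dropped, no lockup.
        return self.count <= self.burst_normal


def replay(limiter: IcmpBurstLimiter, timestamps: List[float]) -> List[bool]:
    """Feed a sequence of arrival times through the limiter."""
    return [limiter.accept(t) for t in timestamps]


if __name__ == "__main__":
    # Constructed trace: a 10-packet burst in 0.1 s, then stragglers at 1.5 s and 3.0 s.
    trace = [i * 0.01 for i in range(10)] + [1.5, 3.0]
    lim = IcmpBurstLimiter(burst_normal=5, burst_max=8, lockup=2)
    for t, ok in zip(trace, replay(lim, trace)):
        print(f"t={t:4.2f}s {'accept' if ok else 'drop'}")
```

With burst-normal 5, burst-max 8 and lockup 2, the first five packets of the burst pass, packets six through eight are dropped without triggering lockup, the ninth exceeds burst-max and starts a two-second lockup, and nothing is accepted again until the packet at 3.0 s. The production values on the page (5000, 10000, 300) follow the same logic with a far larger normal rate and a five-minute lockup; when tuning them, check that legitimate management traffic (monitoring pings, path MTU discovery) stays below burst-normal, because everything above it is silently dropped.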
