
Brocade ICX 6650 Security Configuration Guide

53-1002601-01

Smurf attacks

For each ICMP echo request packet sent by the attacker, a number of ICMP replies equal to the
number of hosts on the intermediary network are sent to the victim. If the attacker generates a
large volume of ICMP echo request packets, and the intermediary network contains a large number
of hosts, the victim can be overwhelmed with ICMP replies.

Avoiding being an intermediary in a Smurf attack

A Smurf attack relies on the intermediary to broadcast ICMP echo request packets to hosts on a
target subnet. When the ICMP echo request packet arrives at the target subnet, it is converted to a
Layer 2 broadcast and sent to the connected hosts. This conversion takes place only when directed
broadcast forwarding is enabled on the device.

To avoid being an intermediary in a Smurf attack, make sure forwarding of directed broadcasts is
disabled on the Brocade device. Directed broadcast forwarding is disabled by default. To disable
directed broadcast forwarding, enter the following command in global CONFIG mode.

Brocade(config)# no ip directed-broadcast

Syntax: [no] ip directed-broadcast

Avoiding being a victim in a Smurf attack

You can configure the Brocade device to drop ICMP packets when excessive numbers are
encountered, as is the case when the device is the victim of a Smurf attack. You can set threshold
values for ICMP packets that are targeted at the router itself or passing through an interface, and
drop them when the thresholds are exceeded.

For example, to set threshold values for ICMP packets targeted at the router, enter the following
command in global CONFIG mode.

Brocade(config)# ip icmp burst-normal 5000 burst-max 10000 lockup 300
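The following is an added illustration, not code from the guide or from Brocade: a small Python model of how the three parameters in the command above interact. The semantics are assumed and simplified for the example (packets are counted per one-second window; packets beyond burst-normal in a window are dropped; a window that exceeds burst-max drops all ICMP for the lockup period, after which counting restarts). Check the command reference for the exact behaviour of your firmware.

```python
"""Toy model of per-second ICMP burst thresholds (burst-normal / burst-max / lockup).

Added example with ASSUMED, simplified semantics; it is not the device's algorithm.
"""


class IcmpBurstGuard:
    """Counts ICMP packets per integer second and applies the three thresholds."""

    def __init__(self, burst_normal, burst_max, lockup):
        self.burst_normal = burst_normal   # packets/second forwarded before excess is dropped
        self.burst_max = burst_max         # packets/second that triggers a lockup
        self.lockup = lockup               # seconds of total ICMP drop after burst_max is exceeded
        self.window = None                 # the second currently being counted
        self.count = 0                     # packets seen so far in that second
        self.locked_until = 0              # first second at which ICMP is accepted again

    def accept(self, ts):
        """Return True if an ICMP packet arriving at integer second `ts` is forwarded."""
        if ts < self.locked_until:         # still inside a lockup period
            return False
        if ts != self.window:              # new one-second window: restart the counter
            self.window, self.count = ts, 0
        self.count += 1
        if self.count > self.burst_max:    # burst-max exceeded: lock out the rest of this
            self.locked_until = ts + 1 + self.lockup   # second plus `lockup` full seconds
            return False
        return self.count <= self.burst_normal   # excess over burst-normal is dropped


def simulate(guard, arrivals):
    """Feed a list of packet arrival seconds (constructed input) and return (forwarded, dropped)."""
    forwarded = dropped = 0
    for ts in arrivals:
        if guard.accept(ts):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed flood: 12000 ICMP packets in each of seconds 0 and 1, then 100 packets
    # at second 301, against the thresholds shown in this section (5000 / 10000 / 300).
    guard = IcmpBurstGuard(burst_normal=5000, burst_max=10000, lockup=300)
    flood = [0] * 12000 + [1] * 12000 + [301] * 100
    print("forwarded/dropped:", simulate(guard, flood), "lockup ends at second", guard.locked_until)
```

With the guide's values, the first 5000 packets of the flood are forwarded, the next 5000 are dropped as excess over burst-normal, packet 10001 trips burst-max and every ICMP packet is dropped until second 301, at which point normal counting resumes.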

To set threshold values for ICMP packets received on interface 1/1/3, enter the following
commands.

Brocade(config)# interface ethernet 1/1/3
Brocade(config-if-e10000-1/1/3)# ip icmp burst-normal 5000 burst-max 10000 lockup 300

For Layer 3 router code, if the interface is part of a VLAN that has a router VE, you must configure
ICMP attack protection at the VE level. Otherwise, you can configure this feature at the interface
level as shown in the previous example. When ICMP attack protection is configured at the VE level,
it will apply to routed traffic only. It will not affect switched traffic.

NOTE

You must configure VLAN information for the port before configuring ICMP attack protection. You
cannot change the VLAN configuration for a port on which ICMP attack protection is enabled.

To set threshold values for ICMP packets received on VE 31, enter commands such as the
following.

Brocade(config)# interface ve 31
Brocade(config-vif-31)# ip icmp burst-normal 5000 burst-max 10000 lockup 300
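As an added example (not a Brocade tool and not from this guide), the script below audits a running configuration for the two protections covered in this section: that directed broadcast forwarding is off, and that ICMP attack protection is present for the router itself and is placed at the VE level for ports that belong to a VLAN with a router VE, as the text above requires. The sample configuration is constructed; its `vlan N by port`, `tagged ethe`, and `router-interface ve N` block layout is assumed to match the device's running-config output, and the command lines follow those shown in this section.

```python
"""Audit a Brocade-style running config for Smurf-related settings.

Added example; SAMPLE_CONFIG and HARDENED_CONFIG are constructed inputs and the
block layout they use is assumed, not taken from this guide.
"""
import re

SAMPLE_CONFIG = """\
ip directed-broadcast
vlan 31 by port
 tagged ethe 1/1/3
 router-interface ve 31
vlan 40 by port
 untagged ethe 1/1/4
interface ethernet 1/1/3
 ip icmp burst-normal 5000 burst-max 10000 lockup 300
interface ethernet 1/1/4
 ip icmp burst-normal 5000 burst-max 10000 lockup 300
interface ve 31
 ip address 10.31.0.1/24
"""

# Same device after the fixes this section describes: directed broadcasts disabled,
# router-targeted thresholds set globally, and thresholds moved to VE 31 for port 1/1/3.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "ip directed-broadcast\n",
    "no ip directed-broadcast\nip icmp burst-normal 5000 burst-max 10000 lockup 300\n",
) + " ip icmp burst-normal 5000 burst-max 10000 lockup 300\n"

ICMP_RE = re.compile(r"ip icmp burst-normal (\d+) burst-max (\d+) lockup (\d+)")


def parse_config(text):
    """Return (directed_broadcast_enabled, vlan->ve, port->vlan, scope->(normal, max, lockup))."""
    directed = False
    vlan_ve = {}     # VLAN id -> router VE number
    port_vlan = {}   # port (e.g. "1/1/3") -> VLAN id
    icmp = {}        # "global" / "ethernet 1/1/3" / "ve 31" -> threshold tuple
    scope = "global"
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:                       # top-level line opens a block or is global
            scope = "global"
            m = re.match(r"vlan (\d+)", line)
            if m:
                scope = "vlan " + m.group(1)
                continue
            m = re.match(r"interface (ethernet \S+|ve \d+)", line)
            if m:
                scope = m.group(1)
                continue
            if line == "ip directed-broadcast":  # the 'no' form does not match
                directed = True
        elif scope.startswith("vlan "):        # membership and router VE inside a VLAN block
            vid = int(scope.split()[1])
            m = re.match(r"(?:tagged|untagged) ethe (\S+)", line)
            if m:
                port_vlan[m.group(1)] = vid
            m = re.match(r"router-interface ve (\d+)", line)
            if m:
                vlan_ve[vid] = int(m.group(1))
        m = ICMP_RE.match(line)
        if m:
            icmp[scope] = tuple(int(x) for x in m.groups())
    return directed, vlan_ve, port_vlan, icmp


def audit(text):
    """Return a list of findings; an empty list means the checks in this section pass."""
    directed, vlan_ve, port_vlan, icmp = parse_config(text)
    findings = []
    if directed:
        findings.append("directed-broadcast forwarding is enabled (Smurf intermediary risk); "
                        "apply 'no ip directed-broadcast'")
    if "global" not in icmp:
        findings.append("no ICMP burst thresholds for packets targeted at the router itself")
    for port, vid in sorted(port_vlan.items()):
        ve = vlan_ve.get(vid)
        if ve is None:
            if f"ethernet {port}" not in icmp:
                findings.append(f"port {port}: no ICMP burst thresholds at interface level")
        elif f"ve {ve}" not in icmp:
            findings.append(f"port {port} is in VLAN {vid} with router VE {ve}; "
                            f"ICMP attack protection must be set on ve {ve}, which has none")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "no findings")
```

Against the constructed sample the audit reports three findings: directed broadcasts enabled, no router-targeted thresholds, and port 1/1/3 relying on interface-level protection although it sits in VLAN 31 with router VE 31. The hardened variant reports none.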
