Avoiding Being An Intermediary In A Smurf Attack; Acl-Based Dos-Attack Prevention - Dell PowerConnect B-RX Configuration Manual

34
Protecting against Smurf attacks

Avoiding being an intermediary in a Smurf attack

A Smurf attack relies on the intermediary to broadcast ICMP echo request packets to hosts on a
target subnet. When the ICMP echo request packet arrives at the target subnet, it is converted to a
Layer 2 broadcast and sent to the connected hosts. This conversion takes place only when
directed broadcast forwarding is enabled on the device.
To avoid being an intermediary in a Smurf attack, make sure forwarding of directed broadcasts is
disabled on the device. Directed broadcast forwarding is disabled by default. To disable directed
broadcast forwarding, do the following.
BigIron RX(config)# no ip directed-broadcast
Syntax: [no] ip directed-broadcast

ACL-based DOS-attack prevention

ACL-based DOS-attack prevention provides great flexibility on what packets can be rate-limited or
dropped up. In fact, users can create any matching conditions they want to regulate any particular
traffic flow they have in mind. This section provides examples that can be used to prevent two
common types of DOS attacks.
Avoiding being a victim in a Smurf attack
You can configure the device to drop ICMP packets when excessive numbers are encountered, as is
the case when the device is the victim of a Smurf attack. You can set threshold values for ICMP
packets that are targeted at the router itself or passing through an interface, and drop them when
the thresholds are exceeded.
For example, to set threshold values for ICMP packets received on interface 3/11, enter the
following command.
BigIron RX(config)# access-list 101 permit icmp any any echo-reply
BigIron RX(config)# int e 3/11
BigIron RX(config-if-e100-3/11)# dos-attack-prevent 101 burst-normal 5000000
burst-max 1000 lockup 300
In the example, if the total traffic volume of ICMP echo-reply packets received per second exceeds
5,000,000 bits per second, the excess packets are dropped. If the number of ICMP echo-reply
packets received per second exceeds 1,000, the device drops all ICMP packets for the next 300
seconds (five minutes).
Syntax: dos-attack-prevent <num> burst-normal <bps> burst-max <num-of-packets> lockup
<seconds> [log]
<num> is the ACL ID that will be used to check for traffic conformance.
The parameters burst-normal, burst-max, and lockup are applied individually on each ACL filter.
The burst-normal value, 1 – 100000000, is specified as bits per second.
The burst-max value, 1 – 100000, is specified as number of packets.
The lockup value can be from 1 – 10000 seconds.
The number of incoming ICMP packets that match the condition specified in the ACL per second
are measured and compared to the threshold values as follows:
978 BigIron RX Series Configuration Guide
53-1001986-01