An ACL built from a series of permit statements is used to characterize the traffic flows of interest. As more sophisticated attacks emerge, ACLs extend the ability to classify packets by various fields in the packet header. ACL counters are then used to determine which flows and protocols are potential threats because of their unexpectedly high volume. After the suspect flows are identified, a logging option can be used to capture additional packet characteristics.
Using an ACL to Characterize ICMP Flood or Smurf Attack
The smurf attack, also commonly known as ICMP flooding, has two victims: a target victim and a reflector or
amplifier. The attacker sends a large number of ICMP echo requests (pings) to the broadcast address of the
reflector subnet. The source addresses of these packets are forged (spoofed) to be the address of the target
victim. For each packet sent by the attacker, hosts on the reflector subnet respond to the target victim, thereby
flooding the victim network and causing congestion that results in a denial of service as shown in Figure 7-1.
Figure 7-1. Smurf Attack
A similar attack called fraggle uses directed broadcasts in the same way, sending UDP echo requests instead of ICMP echo requests.
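The characterization ACL described above, written out in Cisco IOS syntax as an added example that is not from the book; ACL number 169 and interface Serial0 are assumptions, and the entries cover both the smurf (ICMP) and fraggle (UDP echo) cases.

```cisco
! Added example: characterization ACL for ICMP flood / smurf and fraggle traffic.
! ACL number 169 and interface Serial0 are assumed; adjust to your topology.
! Every entry permits, so forwarding is unchanged; the ACL only splits traffic
! into classes whose hit counters can be compared.
access-list 169 permit icmp any any echo
access-list 169 permit icmp any any echo-reply
access-list 169 permit udp any any eq echo
access-list 169 permit ip any any
!
! Apply inbound on the interface facing the suspect traffic. On the target
! victim's router the flood arrives as echo-reply; on the reflector's router
! it arrives as echo addressed to the subnet broadcast.
interface Serial0
 ip access-group 169 in
!
! Sample the counters over a few intervals; the class whose match count climbs
! far faster than the others is the suspect flow:
!   show access-list 169
!
! Stage 2: once echo-reply is identified as the suspect class, rebuild the ACL
! with log-input on that entry so the router records the source address,
! ingress interface and source MAC of matching packets. Logging every packet
! adds CPU load under flood conditions, so keep it on only while investigating.
no access-list 169
access-list 169 permit icmp any any echo
access-list 169 permit icmp any any echo-reply log-input
access-list 169 permit udp any any eq echo
access-list 169 permit ip any any
```

Removing and re-entering the numbered ACL is needed because new lines are appended to the end of a numbered ACL, and the trailing permit ip any any would otherwise match first.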