Fraggle usually achieves a smaller amplification factor than smurf and is much
less popular.
Figure 7-1 illustrates how a smurf attack works. In such an attack, a large number of ICMP echo request packets
are sent to the reflectors (using the IP broadcast address) with a spoofed source IP address of the victim host.
When the reflector hosts receive the ICMP echo packet, they respond with an ICMP echo-reply packet to the
victim address, thereby causing an ICMP flood situation.
Example 7-1 shows an extended access list with permit statements to identify smurf or fraggle attacks.
Example 7-1. Characterizing a Smurf Attack
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip any any
!
interface
ip access-group 101 in
Note
Characterization ACLs do not filter out traffic; all the ACL entries are permit statements because the
objective is to categorize the traffic.
As shown in Figure 7-1, two possible victims are affected in this attack and need to be identified accordingly:
Possibility of being a smurf target victim
Possibility of being a smurf reflector
Use the show ip access-list command to display the access-list packet match statistics to identify the potential
threat.
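The counters from ACL 101 can be read mechanically. The following is an added example, not code from the original text: it parses two polls of `show ip access-lists` output and reports which of the two roles the counter growth suggests. The sample output is constructed, and the function names and the `floor` and `ratio` thresholds are assumptions to tune per network.

```python
import re

# Constructed `show ip access-lists` snapshots for ACL 101 (not captured from a real
# router). BEFORE and AFTER_* are two polls of the same router some seconds apart.
BEFORE = """Extended IP access list 101
    10 permit icmp any any echo (40 matches)
    20 permit icmp any any echo-reply (55 matches)
    30 permit ip any any (9000 matches)
"""
AFTER_TARGET = """Extended IP access list 101
    10 permit icmp any any echo (43 matches)
    20 permit icmp any any echo-reply (61055 matches)
    30 permit ip any any (9800 matches)
"""
AFTER_REFLECTOR = """Extended IP access list 101
    10 permit icmp any any echo (52040 matches)
    20 permit icmp any any echo-reply (57 matches)
    30 permit ip any any (9800 matches)
"""

ENTRY = re.compile(r"^\s*(?:\d+\s+)?permit\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_counters(output):
    """Map each permit entry to its match count; an entry with no hits prints no counter."""
    counters = {}
    for line in output.splitlines():
        m = ENTRY.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2) or 0)
    return counters

def characterize(before, after, floor=1000, ratio=10):
    """Classify the growth between two polls. floor and ratio are assumed thresholds."""
    old, new = parse_counters(before), parse_counters(after)
    # Counters are cumulative, so only the increase since the last poll is meaningful.
    grew = {k: max(v - old.get(k, 0), 0) for k, v in new.items()}
    echo = grew.get("icmp any any echo", 0)
    reply = grew.get("icmp any any echo-reply", 0)
    if reply >= floor and reply >= ratio * max(echo, 1):
        return "possible smurf target victim"   # inbound flood of echo-replies
    if echo >= floor and echo >= ratio * max(reply, 1):
        return "possible smurf reflector"       # inbound flood of echo requests
    return "no smurf pattern"

if __name__ == "__main__":
    print(characterize(BEFORE, AFTER_TARGET))
    print(characterize(BEFORE, AFTER_REFLECTOR))
```

The ACL in Example 7-1 has only ICMP entries, so this covers the smurf case; counting fraggle traffic would need UDP echo entries that the example does not include.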