The show ip access-list command output in Example 7-2 shows a large number of ICMP echo reply packets,
which is an indication of a potential ICMP flood or smurf attack on the ultimate target victim rather than the
reflector.
Example 7-2. Output of Smurf Target Victim Attack
Router# show ip access-list
Extended IP access list 101
permit icmp any any echo (5 matches)
permit icmp any any echo-reply (2198 matches)
permit ip any any (11205 matches)
When the show ip access-list command output shows a large number of ICMP echo requests instead of
echo replies, as in Example 7-3, the network is being used as a reflector (amplifier).
The same output could also mean that the network is experiencing a simple ICMP ping flood rather than a smurf
attack. In either case, if the attack is successful, both the egress and the ingress interfaces will be congested,
with large packet counts on each interface. Furthermore, because of the amplification factor, the egress side will
be more overloaded than the ingress side.
Example 7-3. Output of Smurf Reflector Attack
Router# show ip access-list
Extended IP access list 101
permit icmp any any echo (5432 matches)
permit icmp any any echo-reply (2 matches)
permit ip any any (1904 matches)
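The reading of the counters in Examples 7-2 and 7-3 can be automated. The following is an added example, not code from the book: it parses the output of access list 101 and reports which role the counters suggest. The ratio and floor thresholds and the QUIET sample are assumptions made up for illustration.

```python
import re

# One ACL entry, e.g. "permit icmp any any echo-reply (2198 matches)".
# IOS may prefix a sequence number and omits the counter when it is zero.
ENTRY = re.compile(
    r"^\s*(?:\d+\s+)?permit\s+(icmp any any echo-reply|icmp any any echo|ip any any)"
    r"\s*(?:\((\d+) match(?:es)?\))?\s*$"
)
KEYS = {"icmp any any echo": "echo", "icmp any any echo-reply": "echo-reply",
        "ip any any": "other"}

def parse_counters(output):
    """Return the match count for each entry of the three-line ACL."""
    counts = {"echo": 0, "echo-reply": 0, "other": 0}
    for line in output.splitlines():
        m = ENTRY.match(line)
        if m:
            counts[KEYS[m.group(1)]] += int(m.group(2) or 0)
    return counts

def classify(counts, ratio=10, floor=1000):
    """ratio and floor are assumed thresholds; tune them against a baseline."""
    echo, reply = counts["echo"], counts["echo-reply"]
    if reply >= floor and reply >= ratio * max(echo, 1):
        return "target-victim"            # echo replies dominate
    if echo >= floor and echo >= ratio * max(reply, 1):
        return "reflector-or-ping-flood"  # counters alone cannot separate these
    return "no-icmp-anomaly"

# Output copied from Example 7-2 and Example 7-3 on this page.
EXAMPLE_7_2 = """Router# show ip access-list
Extended IP access list 101
permit icmp any any echo (5 matches)
permit icmp any any echo-reply (2198 matches)
permit ip any any (11205 matches)
"""
EXAMPLE_7_3 = """Router# show ip access-list
Extended IP access list 101
permit icmp any any echo (5432 matches)
permit icmp any any echo-reply (2 matches)
permit ip any any (1904 matches)
"""
# Constructed sample: sequence numbers, and a zero counter that IOS leaves out.
QUIET = """Extended IP access list 101
    10 permit icmp any any echo (12 matches)
    20 permit icmp any any echo-reply
    30 permit ip any any (840 matches)
"""

if __name__ == "__main__":
    for name, text in (("7-2", EXAMPLE_7_2), ("7-3", EXAMPLE_7_3), ("quiet", QUIET)):
        print(name, parse_counters(text), classify(parse_counters(text)))
```

The counters are cumulative, so the result is only meaningful for the interval since they were last cleared.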
There are several ways to distinguish the smurf attack from the simple ping flood:
Smurf packets are sent to a directed broadcast address, rather than to a unicast address, whereas
ordinary ping floods almost always use unicast.