
Yusuf Bhaiji

"Network Security Technologies and Solutions"

This can be checked in the addresses with the log-input
keyword on the appropriate access list entry.
When experiencing a smurf reflector attack, the show interface counters display a disproportionate number
of output broadcasts, and the show ip traffic display usually shows a disproportionate number of
broadcasts sent. A standard ping flood does not increase the background broadcast traffic.
When experiencing a smurf reflector attack, there is more outbound traffic toward the uplink than
inbound traffic from the uplink. In general, there are more output packets than input packets on the
suspected interface.
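The two counter checks above can be applied to successive readings of the same interface. The following is an added example, not code from the book: the Counters fields, the sample readings, and the thresholds (bcast_factor, out_in_limit, and requiring both indicators together) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

WRAP = 2 ** 32  # assumption: 32-bit interface counters that wrap to zero


@dataclass
class Counters:
    """One reading of an interface, copied by hand from the show displays."""
    in_pkts: int
    out_pkts: int
    out_bcast: int


def interval(old: Counters, new: Counters) -> Counters:
    """Packets counted between two readings, tolerant of one counter wrap."""
    pairs = zip((old.in_pkts, old.out_pkts, old.out_bcast),
                (new.in_pkts, new.out_pkts, new.out_bcast))
    return Counters(*((n - o) % WRAP for o, n in pairs))


def assess(baseline: Counters, current: Counters,
           bcast_factor: float = 5.0, out_in_limit: float = 2.0) -> dict:
    """Compare an interval against a known-quiet baseline interval."""
    def share(c: Counters) -> float:
        return c.out_bcast / c.out_pkts if c.out_pkts else 0.0

    out_in = current.out_pkts / max(current.in_pkts, 1)
    # Indicator 1: output broadcasts far above the normal background share.
    bcast_surge = share(current) > bcast_factor * max(share(baseline), 0.001)
    # Indicator 2: clearly more output packets than input packets.
    more_out = out_in > out_in_limit
    return {"bcast_share": round(share(current), 3),
            "out_in_ratio": round(out_in, 2),
            "bcast_surge": bcast_surge,
            "more_out_than_in": more_out,
            "smurf_reflector_suspected": bcast_surge and more_out}


# Constructed readings (not captured from a real router).
NORMAL = interval(Counters(1_000_000, 1_050_000, 20_000),
                  Counters(1_100_000, 1_155_000, 22_000))
# Input counter wraps during this interval; broadcasts and output jump.
SMURF = interval(Counters(4_294_900_000, 2_000_000, 30_000),
                 Counters(200_000, 2_900_000, 330_000))
# Plain ping flood: packet volume rises, broadcast background does not.
PING_FLOOD = interval(Counters(5_000_000, 5_000_000, 50_000),
                      Counters(5_800_000, 5_810_000, 52_100))

if __name__ == "__main__":
    for name, cur in (("smurf", SMURF), ("ping flood", PING_FLOOD)):
        print(name, assess(NORMAL, cur))
```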
When a smurf reflector is closer to the intruder than the ultimate target, it is much easier to trace the attack.
ISPs need to be closely involved in tracing such attacks. However, in other situations, the reflector may not be
closer to the attacker than the target. The target could be on your own subnet with the reflector on the other
side of the network. (The broadcast address does not determine the unicast destination that has been spoofed.)
To stop Cisco routers from being reflectors in such attacks, use the no ip directed-broadcast interface
configuration command.

