
Yusuf Bhaiji

"Network Security Technologies and Solutions"

This should be configured on each interface of all routers. Note that no ip directed-broadcast
is the default on all interfaces beginning with Cisco IOS Software Version 12.0. This command
makes the router drop any packets sent to a directed broadcast address, which would otherwise cause
multiple hosts to respond to the ICMP echo request.
You can use several techniques to prevent or minimize the impact of smurf and similar ICMP flood attacks, such
as rate-limiting (Committed Access Rate [CAR]), a filter using access lists, and Unicast Reverse Path Forwarding
(uRPF) and IP Source Guard features, as discussed in the "IP Spoofing Attacks" section later in this chapter.
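The following configuration is an added example, not taken from the book, showing the three mitigations just listed (no ip directed-broadcast, CAR rate-limiting of ICMP echo traffic, and uRPF) on an edge router. Interface names, addresses, and the CAR rate values are constructed for illustration and should be sized to the actual link.

```ios
! Added example (not from the book). Interface names, addresses and rates are constructed.
!
! 1. Refuse to forward directed broadcasts so this LAN cannot serve as a smurf amplifier.
!    This is the default since IOS 12.0, but stating it explicitly makes audits unambiguous.
interface GigabitEthernet0/0
 description Customer LAN 192.0.2.0/24 (constructed)
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
! 2. Rate-limit ICMP echo and echo-reply with CAR on the upstream link:
!    256 kbps sustained, 8000-byte normal and excess bursts, excess traffic dropped.
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
interface Serial0/0
 description Upstream link (constructed)
 rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
!
! 3. Strict uRPF on the customer-facing interface: drop packets whose source address
!    is not reachable back through the interface they arrived on (spoofed sources).
!    uRPF requires CEF to be enabled.
ip cef
interface GigabitEthernet0/0
 ip verify unicast reverse-path
```

Strict uRPF is appropriate on a single-homed customer interface; on interfaces where legitimate asymmetric routing exists it will drop valid traffic, and the loose-mode variant should be considered instead.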
Using an ACL to Characterize SYN Attacks
There are many variations of SYN flood attacks, with the most common being a situation in which a target
machine is flooded with TCP SYN connection requests. In most cases, the source addresses and source TCP
ports of the connection request packets are randomized and spoofed. The objective is to force the target host to
maintain TCP state information for a large number of incomplete connections (half-open connections), also
called embryonic connections, which are illustrated in Figure 7-2.
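As an added example (not the book's own configuration), the ACL below shows one way to characterize a suspected SYN flood against a host from ACL hit counters: the established keyword matches TCP packets with the ACK or RST bit set, so packets that fall through to the second line are bare connection requests (SYN without ACK). The target address, interface names and ACL number are constructed.

```ios
! Added example (not from the book). Address 192.0.2.10 and interfaces are constructed.
!
! Line 1 counts packets belonging to already-open connections (ACK or RST set).
! Line 2 counts bare SYNs, i.e. new connection requests; log-input records the
! source address and ingress interface/MAC of sampled matches.
! Line 3 keeps all other traffic flowing; this ACL only observes, it does not block.
access-list 169 permit tcp any host 192.0.2.10 established
access-list 169 permit tcp any host 192.0.2.10 log-input
access-list 169 permit ip any any
!
interface Serial0/0
 description Upstream link (constructed)
 ip access-group 169 in
!
! From enable mode, reset the counters and read them back after a short interval:
!   clear access-list counters 169
!   show access-lists 169
! Under normal load the established line accumulates far more matches than the
! bare-SYN line. During a flood the second line's counter climbs much faster, and
! "show logging" shows the randomized, spoofed source addresses described above.
! Remove log-input once characterization is complete: logging at flood rates
! consumes router CPU.
```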

