Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
Land Attack
The Land Attack involves sending a packet to the router with the same IP address in
the source address and destination address fields and with the same port number in
the source port and destination port fields. This attack may cause a denial of service
or degraded capability in the router. The example below shows how to prevent this
attack.
East(config)# access-list 100 deny ip host 14.1.1.20 host 14.1.1.20 log
East(config)# access-list 100 permit ip any any
East(config)# interface eth0/0
East(config-if)# description "external interface to 14.1.0.0/16"
East(config-if)# ip address 194.168.20.20 255.255.255.0
East(config-if)# ip access-group 100 in
East(config-if)# end
East#
Smurf Attack
The Smurf Attack involves sending a large number of ICMP Echo packets to a
subnet's broadcast address, with a spoofed source IP address from that subnet. If a
router is positioned to forward broadcast requests to other routers on the protected
network, then the router should be configured to prevent this forwarding from
occurring. This blocking can be achieved by denying any packets destined for
broadcast addresses. The example statements below block all IP traffic from any
host to the possible broadcast addresses (194.168.255.255 and 194.168.0.0) for the
194.168 subnet.
East(config)# access-list 110 deny ip any host 194.168.255.255 log
East(config)# access-list 110 deny ip any host 194.168.0.0 log
ICMP Message Types and Traceroute
There are a variety of ICMP message types. Some are associated with programs. For
example, the ping program works with message types Echo and Echo Reply. Others
are used for network management and are automatically generated and interpreted by
network devices. For inbound ICMP traffic, block the message types Echo and
Redirect. With Echo packets an attacker can create a map of the subnets and hosts
behind the router. The attacker can also perform a denial of service attack by flooding the
router or internal hosts with Echo packets. With ICMP Redirect packets the attacker
can cause changes to a host's routing table. The other ICMP message types should be
allowed inbound. See the example below for inbound ICMP traffic.
East(config)# access-list 100 deny icmp any any echo log
East(config)# access-list 100 deny icmp any 14.2.6.0 0.0.255.255 redirect log
East(config)# access-list 100 permit icmp any 14.2.6.0 0.0.255.255
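To check what the Land, Smurf and ICMP access lists above actually match before applying them, the following added example (not from the guide, and not Cisco's own ACL engine) parses those exact access-list lines and evaluates constructed packets against them using IOS first-match semantics, wildcard masks and the implicit trailing deny. It only understands the keywords that appear on this page (any, host, wildcard pairs, an optional ICMP type, and log).

```python
import ipaddress

# Added example, not from the guide: evaluates the IOS extended-ACL lines shown on this
# page against constructed packets. Only the keywords the page uses are supported.

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return ((base, wc), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [icmp-type] [log]'."""
    t = line.split()
    src, rest = _parse_addr(t[4:])
    dst, rest = _parse_addr(rest)
    qualifiers = [x for x in rest if x != "log"]  # 'log' only affects logging, not matching
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst,
            "icmp_type": qualifiers[0] if qualifiers else None}

def evaluate(acl_lines, pkt):
    """First matching entry wins; IOS ends every list with an implicit 'deny ip any any'."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], *ace["src"])
                and wildcard_match(pkt["dst"], *ace["dst"])):
            continue
        if ace["icmp_type"] and ace["icmp_type"] != pkt.get("icmp_type"):
            continue
        return ace["action"]
    return "deny"

# The access-list lines exactly as they appear on this page (ACL 100 is shown twice).
LAND_ACL = ["access-list 100 deny ip host 14.1.1.20 host 14.1.1.20 log",
            "access-list 100 permit ip any any"]
SMURF_ACL = ["access-list 110 deny ip any host 194.168.255.255 log",
             "access-list 110 deny ip any host 194.168.0.0 log"]
ICMP_ACL = ["access-list 100 deny icmp any any echo log",
            "access-list 100 deny icmp any 14.2.6.0 0.0.255.255 redirect log",
            "access-list 100 permit icmp any 14.2.6.0 0.0.255.255"]
```

Note that the wildcard 0.0.255.255 on 14.2.6.0 covers all of 14.2.0.0/16, not just 14.2.6.0/24, which the evaluator makes visible when a packet to 14.2.200.1 is tested.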