Router Security Configuration Guide UNCLASSIFIED 78 UNCLASSIFIED Version 1.0g

Land Attack

The Land Attack involves sending a packet to the router with the same IP address in the source address and destination address fields and with the same port number in the source port and destination port fields. This attack may cause a denial of service or degraded capability in the router. The example below shows how to prevent this attack: the access list denies any inbound packet that claims to be both from and to the router's own external address, 14.1.1.20, regardless of port, because no legitimate packet arriving on the external interface can carry the router's own address as its source. The address in the deny statement must be the address actually configured on that interface, and the access list must be applied inbound with ip access-group before it takes effect. The log keyword records each match so that attempts show up in the router's log.

   East(config)# access-list 100 deny   ip host 14.1.1.20 host 14.1.1.20 log
   East(config)# access-list 100 permit ip any any
   East(config)# interface eth0/0
   East(config-if)# description "external interface to 14.1.0.0/16"
   East(config-if)# ip address 14.1.1.20 255.255.255.0
   East(config-if)# ip access-group 100 in
   East(config-if)# end
   East#

A general anti-spoofing ingress filter, one that denies every inbound packet whose source address belongs to the router itself or to the protected network, covers the Land Attack as a special case and should be present in any case.

Smurf Attack

The Smurf Attack involves sending a large amount of ICMP Echo packets to a subnet's broadcast address with a spoofed source IP address; every host on that subnet answers the forged source, which is the real victim, so the subnet acts as an amplifier. If a router is positioned to forward broadcast requests to other routers on the protected network, then the router should be configured to prevent this forwarding from occurring. This blocking can be achieved by denying any packets destined for broadcast addresses. The example statements below block all IP traffic from any host to the possible broadcast addresses (194.168.255.255, the all-ones form, and 194.168.0.0, the all-zeros form) for the 194.168.0.0/16 network.

   East(config)# access-list 110 deny ip any host 194.168.255.255 log
   East(config)# access-list 110 deny ip any host 194.168.0.0 log

These two lines are not a complete access list: every access list ends with an implicit deny of all unmatched traffic, so a permit statement must follow them, and the list must be applied to an interface with ip access-group. The router also will not translate directed broadcasts onto a segment when ip directed-broadcast is disabled on that interface (no ip directed-broadcast, the default in IOS 12.0 and later); the access list adds logging and defense in depth on top of that setting.

ICMP Message Types and Traceroute

There are a variety of ICMP message types. Some are associated with programs; for example, the ping program uses the message types Echo and Echo Reply. Others are used for network management and are automatically generated and interpreted by network devices. For inbound ICMP traffic, block the message types Echo and Redirect. With Echo packets an attacker can create a map of the subnets and hosts behind the router, and can perform a denial of service attack by flooding the router or internal hosts with Echo packets. With ICMP Redirect packets the attacker can cause changes to a host's routing tables, diverting that host's traffic through a path of the attacker's choosing. The other ICMP message types should be allowed inbound; in particular Echo Reply must be permitted so that internal hosts can still ping external destinations, and Time Exceeded and Destination Unreachable are needed for traceroute and path MTU discovery to work. See the example below for inbound ICMP traffic; the protected network is 14.2.6.0/24, so the wildcard mask is 0.0.0.255. Because statements are appended to a numbered access list in the order entered, these deny lines must appear before any general permit ip any any in the same list, or they will never be reached.

   East(config)# access-list 100 deny   icmp any any echo log
   East(config)# access-list 100 deny   icmp any 14.2.6.0 0.0.0.255 redirect log
   East(config)# access-list 100 permit icmp any 14.2.6.0 0.0.0.255

Blocking inbound Echo also prevents external monitoring of internal hosts with ping; if that is required, permit Echo only from the specific monitoring addresses ahead of the deny line.
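To make the packet-level conditions behind the three filters on this page concrete, the following is an added example, not code from the Router Security Configuration Guide. It builds a handful of IPv4 packets by hand (constructed test data, with IP checksums left at zero since nothing here validates them), parses them, and reports which rule would drop each one, in the same first-match order as an access list. It assumes a single topology drawn from the page's examples: router external address 14.1.1.20 and protected network 14.2.6.0/24; the directed-broadcast check therefore uses 14.2.6.255 and 14.2.6.0 rather than the 194.168 addresses of the Smurf fragment.

```python
"""Packet-level view of the ACL rules on this page (Land, Smurf/directed
broadcast, inbound ICMP Echo and Redirect).

Added example, not code from the Router Security Configuration Guide.
Assumed topology (taken from the page's examples): external router
address 14.1.1.20, protected network 14.2.6.0/24.
"""
import ipaddress
import struct

ICMP, TCP, UDP = 1, 6, 17
ICMP_ECHO_REQUEST, ICMP_REDIRECT = 8, 5

ROUTER_ADDR = ipaddress.IPv4Address("14.1.1.20")      # assumed, from the page
PROTECTED_NET = ipaddress.IPv4Network("14.2.6.0/24")  # assumed, from the page


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left 0) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(pkt):
    """Extract what the rules need: addresses, protocol, ports or ICMP type/code."""
    ver_ihl, _tos, _tl, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    l4 = pkt[(ver_ihl & 0x0F) * 4:]
    p = {"proto": proto, "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst)}
    if proto in (TCP, UDP) and len(l4) >= 4:
        p["sport"], p["dport"] = struct.unpack("!HH", l4[:4])
    elif proto == ICMP and len(l4) >= 2:
        p["icmp_type"], p["icmp_code"] = l4[0], l4[1]
    return p


def is_land(p, router_addr=ROUTER_ADDR):
    """access-list 100 deny ip host <router> host <router>: src == dst == router.
    The classic Land packet also has sport == dport; the ACL need not check
    ports, since src == dst already marks the packet as forged."""
    return p["src"] == router_addr and p["dst"] == router_addr


def is_directed_broadcast(p, net=PROTECTED_NET):
    """access-list 110 deny ip any host <all-ones> / host <all-zeros>."""
    return p["dst"] in (net.broadcast_address, net.network_address)


def is_blocked_icmp(p, net=PROTECTED_NET):
    """deny icmp any any echo; deny icmp any <net> <wildcard> redirect."""
    if p["proto"] != ICMP or "icmp_type" not in p:
        return False
    if p["icmp_type"] == ICMP_ECHO_REQUEST:
        return True
    return p["icmp_type"] == ICMP_REDIRECT and p["dst"] in net


def evaluate(pkt):
    """First matching rule wins; the final line is permit ip any any."""
    p = parse_ipv4(pkt)
    if is_land(p):
        return "deny-land"
    if is_directed_broadcast(p):
        return "deny-directed-broadcast"
    if is_blocked_icmp(p):
        return "deny-icmp"
    return "permit"


def icmp(icmp_type, code=0):
    """ICMP header: type, code, checksum 0, rest-of-header 0."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


# Constructed sample traffic, all arriving inbound on the external interface.
SAMPLES = {
    "land":         build_ipv4("14.1.1.20", "14.1.1.20", TCP, struct.pack("!HH", 139, 139)),
    "smurf":        build_ipv4("14.2.6.77", "14.2.6.255", ICMP, icmp(ICMP_ECHO_REQUEST)),
    "net_address":  build_ipv4("10.0.0.5", "14.2.6.0", ICMP, icmp(ICMP_ECHO_REQUEST)),
    "ping_in":      build_ipv4("10.0.0.5", "14.2.6.10", ICMP, icmp(ICMP_ECHO_REQUEST)),
    "redirect_in":  build_ipv4("10.0.0.5", "14.2.6.10", ICMP, icmp(ICMP_REDIRECT, 1)),
    "ttl_exceeded": build_ipv4("10.0.0.5", "14.2.6.10", ICMP, icmp(11)),
    "echo_reply":   build_ipv4("10.0.0.5", "14.2.6.10", ICMP, icmp(0)),
    "web":          build_ipv4("10.0.0.5", "14.2.6.10", TCP, struct.pack("!HH", 40000, 80)),
}


def run_samples():
    """Verdict for every constructed sample, keyed by sample name."""
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:13s} {verdict}")
```

The rule order in evaluate mirrors the order the deny lines would need in a real access list: all three denies sit ahead of the catch-all permit, which is exactly what the page's fragments leave implicit. Time Exceeded and Echo Reply pass through, so traceroute and outbound ping from the protected network keep working while inbound Echo and Redirect are dropped.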