General Layer 3 Security Considerations
This area explains a few of the added accepted means to abstain Layer 3 attacks.
Smurf Attacks, Directed Broadcasts, and RPF Checks
A smurf advance occurs back a host sends a ample cardinal of ICMP Answer Requests with some
atypical IP addresses in the packet. The destination abode is a subnet advertisement address, also
known as a directed advertisement address. Routers advanced these packets based on accustomed matching
of the IP acquisition table, until the packet alcove a router affiliated to the destination subnet. This
final router again assiduously the packet assimilate the LAN as a LAN broadcast, sending a archetype to every
device. Figure 18-9 shows how the advance develops.
The added affection of a smurf advance is that the antecedent IP abode of the packet beatific by the attacker
is the IP abode of the attacked host. For example, in Figure 18-9, abounding hosts may accept the
ICMP Answer Request at Step 2. All those hosts again acknowledgment with an Answer Reply, sending it to
10.1.1.2—the abode that was the antecedent IP abode of the aboriginal ICMP Answer at Step 1. Host
10.1.1.2 receives a potentially ample cardinal of packets.
Layer 3 Security 677
Figure 18-9 Smurf Attack
Several solutions to this botheration exist. First, as of Cisco IOS Software adaptation 12.0, IOS defaults each
interface to use the no ip directed-broadcast command, which prevents the router from forwarding
the advertisement assimilate the LAN (Step 2 in Figure 18-9). Also, a Reverse-Path-Forwarding (RPF) check
could be enabled appliance the ip verify unicast antecedent reachable-via {rx | any} [allow-default] [allowself-
ping] [list] interface subcommand. This command tells Cisco IOS to appraise the antecedent IP
address of admission packets on that interface. Two styles of analysis can be fabricated with this command:
■ Austere RPF—Using the rx keyword, the router checks to see if the analogous avenue uses an
outgoing interface that is the aforementioned interface on which the packet was received. If not, the
packet is discarded. (An archetype book appliance Figure 18-9 will be explained shortly.)
■ Apart RPF—Using the any keyword, the router checks for any avenue that can be acclimated to
reach the antecedent IP address.
The command can additionally avoid absence routes back it performs the analysis (default) or use default
routes back assuming the analysis by including the allow-default keyword. Also, although not
recommended, the command can activate a ping to the antecedent to verify connectivity. Finally, the
addresses for which the RPF analysis is fabricated can be bound by a referenced ACL.
For example, in Figure 18-9, if R1 acclimated austere RPF on s0/0, it would apprehension that its avenue to reach
1.1.1.2 (the antecedent IP abode of the packet at Step 1) did not accredit to s0/0 as the outgoing
R1 S0/0 2 R7
1
ASN 1
Network 1.0.0.0
Exists Only Here
3
1.1.1.1/24
1.1.1.2/24
D_IP 1.1.1.255 S_IP 1.1.1.2
ICMP Answer Packet
Attacker
ISP1/Internet
1. Attacker sends packet destined to subnet broadcast, source
1.1.1.2 (for accessory attack).
2. R1 assiduously packet as LAN broadcast.
3. R1 replies with ICMP answer acknowledgment packet beatific to 1.1.1.2.
interface—thereby auctioning the packet. However, with apart RPF, R1 would accept begin a
connected avenue that akin 1.1.1.2, so it would accept accustomed the packet through. Finally, given
that AS1 should never accept packets with antecedent addresses in arrangement 1.0.0.0, as it owns that
entire chic A network, R1 could artlessly use an entering ACL to abandon any packets sourced from
1.0.0.0/8 as they access s0/0 from the Internet.
Fraggle attacks use agnate argumentation as smurf attacks, but instead of ICMP, fraggle attacks use the UDP
Echo application. These attacks can be defeated appliance the aforementioned options as listed for smurf attacks.