HP 6308M-SX, 9304M, 9308M manual 667

Advanced Configuration and Management Guide

For each ICMP echo request packet sent by the attacker, a number of ICMP replies equal to the number of hosts on the intermediary network are sent to the victim. If the attacker generates a large volume of ICMP echo request packets, and the intermediary network contains a large number of hosts, the victim can be overwhelmed with ICMP replies.

Avoiding Being an Intermediary in a Smurf Attack

A Smurf attack relies on the intermediary to broadcast ICMP echo request packets to hosts on a target sub-net. When the ICMP echo request packet arrives at the target sub-net, it is converted to a Layer 2 broadcast and sent to the connected hosts. This conversion takes place only when directed broadcast forwarding is enabled on the device.

To avoid being an intermediary in a Smurf attack, make sure forwarding of directed broadcasts is disabled on the HP device. Directed broadcast forwarding is disabled by default. To disable directed broadcast forwarding, do one of the following:

USING THE CLI

HP9300(config)# no ip directed-broadcast

Syntax: [no] ip directed-broadcast

USING THE WEB MANAGEMENT INTERFACE

1.Log on to the device using a valid user name and password for read-write access. The System configuration panel is displayed.

2.Click on the plus sign next to Configure in the tree view to display the list of configuration options.

3.Click on the plus sign next to IP to display the list of IP configuration options.

4.Select the General link to display the IP configuration panel.

5.Select Disable next to Directed Broadcast Forward.

6.Click the Apply button to save the change to the device’s running-config file.

7.Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change to the startup-config file on the device’s flash memory.

Avoiding Being a Victim in a Smurf Attack

You can configure the HP device to drop ICMP packets when excessive numbers are encountered, as is the case when the device is the victim of a Smurf attack. You can set threshold values for ICMP packets that are targeted at the router itself or passing through an interface, and drop them when the thresholds are exceeded.

For example, to set threshold values for ICMP packets targeted at the router, enter the following command in CONFIG mode:

HP9300(config)# ip icmp burst-normal 5000 burst-max 10000 lockup 300

To set threshold values for ICMP packets received on interface 3/11:

HP9300(config)# int e 3/11

HP9300(config-if-e100-3/11)# ip icmp burst-normal 5000 burst-max 10000 lockup 300

Syntax: ip icmp burst-normal <value> burst-max <value> lockup <seconds>

The burst-normalvalue can be from 1 – 100000.

The burst-maxvalue can be from 1 – 100000.

The lockup value can be from 1 – 10000.

The number of incoming ICMP packets per second are measured and compared to the threshold values as follows:

•If the number of ICMP packets exceeds the burst-normalvalue, the excess ICMP packets are dropped.

B - 2