From: Kurt Kruegel (kurt@cybernex.net)
Date: Thu Oct 02 2003 - 15:28:30 GMT-3
Here's a Welchia ping captured with the AnalogX packet sniffer, and yes, it's
92 bytes:
08 00 79 05 02 00 27 A5 AA AA AA AA AA AA AA AA ..y...'.........
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
AA AA AA AA AA AA AA AA                         ........
From Symantec:
Protected machines will not be infected, so the traffic above will not
always take place. But as long as you can sniff the pings, you can tell,
with good reliability, whether the ping request originates from Welchia, by
looking at the ping payload, which is filled with 0xaa.
This is a complete dump of a Welchia ping request:
11:47:47.576542 169.254.56.166 > 169.254.189.84: icmp: echo request
0x0000 4500 005c 599d 0000 8001 970c a9fe 38a6 E..\Y.........8.
0x0010 a9fe bd54 0800 fa51 0200 a658 aaaa aaaa ...T...Q...X....
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............
One other thing I did to detect scans was place a 2600's Ethernet on the
network and debug ip icmp with buffered logging.
It logs all the echo-replies to all hosts.
So what does an access-list line look like that blocks only 92-byte ICMP
packets?
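The Symantec signature quoted above (a 92-byte echo request whose payload is all 0xAA) as detection logic, added here as an example; it is not code from this post, from Symantec or from AnalogX. It parses the tcpdump dump quoted above into bytes, verifies the IP and ICMP checksums the dump carries, and applies the signature. The two comparison packets (a standard Windows ping with its 32-byte "abcdefgh..." payload, and a 92-byte ping with a non-0xAA payload), the 192.0.2.x addresses and the `build_echo_request` helper are constructed for this example and are not from the original page.

```python
"""Welchia (Nachi) ICMP echo-request signature check.

Added example, not code from the list post, Symantec or AnalogX.
Signature from the Symantec text: a 92-byte IPv4 datagram carrying an
ICMP echo request whose 64-byte payload is entirely 0xAA.
"""
import struct

# The tcpdump -x dump quoted in the message (169.254.56.166 -> 169.254.189.84).
WELCHIA_DUMP = """
0x0000 4500 005c 599d 0000 8001 970c a9fe 38a6
0x0010 a9fe bd54 0800 fa51 0200 a658 aaaa aaaa
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa
"""

# The AnalogX capture from the message: ICMP layer only (no IP header),
# 8-byte ICMP header followed by 64 bytes of 0xAA.
ANALOGX_ICMP = bytes.fromhex("08 00 79 05 02 00 27 A5") + b"\xaa" * 64


def parse_tcpdump_hex(dump: str) -> bytes:
    """Convert a tcpdump -x dump (offset column, then 16-bit words) to raw bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        for word in line.split()[1:]:        # skip the 0x0000 offset column
            raw += bytes.fromhex(word)
    return bytes(raw)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Over data that already carries a correct
    checksum it returns 0; over data with the checksum field zeroed it returns
    the value to store in that field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def is_welchia_icmp(icmp: bytes) -> bool:
    """ICMP-layer test: echo request (type 8, code 0), valid checksum, 64 x 0xAA."""
    if len(icmp) != 72 or icmp[0] != 8 or icmp[1] != 0:
        return False
    if inet_checksum(icmp) != 0:              # corrupt or hand-mangled packet
        return False
    return icmp[8:] == b"\xaa" * 64


def is_welchia_ping(pkt: bytes) -> bool:
    """IP-layer test: 92-byte IPv4 datagram, protocol 1 (ICMP), valid header
    checksum, then the ICMP-layer signature on what follows the header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len != 92 or len(pkt) != 92 or pkt[9] != 1:
        return False
    if inet_checksum(pkt[:ihl]) != 0:
        return False
    return is_welchia_icmp(pkt[ihl:])


def build_echo_request(src: str, dst: str, ident: int, seq: int,
                       payload: bytes, ttl: int = 128) -> bytes:
    """Build an IPv4 echo request with correct checksums. Hypothetical helper,
    used here only to construct comparison packets for the detector."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                     ttl, 1, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


# Constructed comparison packets (addresses from the RFC 5737 test range).
WINDOWS_PING = build_echo_request("192.0.2.1", "192.0.2.2", 0x0200, 1,
                                  b"abcdefghijklmnopqrstuvwabcdefghi")  # 60-byte datagram
OTHER_92_BYTE_PING = build_echo_request("192.0.2.1", "192.0.2.2", 0x0200, 1,
                                        bytes(range(8, 72)))          # 92 bytes, not 0xAA


if __name__ == "__main__":
    pkt = parse_tcpdump_hex(WELCHIA_DUMP)
    print("tcpdump capture:", len(pkt), "bytes, welchia =", is_welchia_ping(pkt))
    print("AnalogX capture: welchia =", is_welchia_icmp(ANALOGX_ICMP))
    print("32-byte Windows ping: welchia =", is_welchia_ping(WINDOWS_PING))
    print("92-byte non-0xAA ping: welchia =", is_welchia_ping(OTHER_92_BYTE_PING))
```

Both checksums in the quoted dumps (0xfa51 in the tcpdump capture, 0x7905 in the AnalogX one) verify, which is a useful sanity check that the pasted hex is intact. The constructed 92-byte ping with a non-0xAA payload is the reason the payload test matters: any echo request with a 64-byte payload is also 92 bytes on the wire, so a length-only filter on the router will drop those too, whereas the payload test is what makes the Symantec signature reliable.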
----- Original Message -----
From: "McClure, Allen" <Allen.McClure@Yum.com>
To: "Gracie Pereira" <goa0201@yahoo.com>; <ccielab@groupstudy.com>
Sent: Thursday, October 02, 2003 10:33 AM
Subject: RE: Router Reboot due to Virus!!
> Depends which virus you're talking about, but in general it's a memory
> issue related to the quantity of half-open connections being generated.
>
> For the TCP connection issue, you might try TCP Intercept. I've recommended
> its deployment here, but we're shy on code/DRAM on many routers. Not
> sure if that'll help, but I'm betting it will considering how many
> half-opens I'm seeing when these things are active.
>
> For the ICMP ones, you might try blocking anything specific that you can
> isolate about the virus. If I remember correctly, Welchia utilizes
> 92-byte ICMP echoes. Easy enough to drop without impacting normal ICMP
> operation. Rate-limiting ICMP is also something we're considering.
>
> We're using a combo of PIX Firewalls and FW-1 running on SunOS. The Sun
> buckles quite harshly when a virus gets on even a single internal
> system.
>
> Allen G. McClure
> CCNP/CCDP/MCSE
> Yum! Brands, Inc.
> Sr. Network Analyst
> allen.mcclure@yum.com
>
> -----Original Message-----
> From: Gracie Pereira [mailto:goa0201@yahoo.com]
> Sent: Thursday, October 02, 2003 8:41 AM
> To: ccielab@groupstudy.com
> Subject: Router Reboot due to Virus!!
>
>
> HI everybody,
>
> We manage Cisco 3660 routers running version 12.2(2)XB5.
> Due to recent virus attacks, the router keeps rebooting after staying up
> for a couple of hours. We tried blocking the virus ports, but no help.
>
> It's now affecting a couple more routers. Is there any way to stop it before
> a router gets affected and starts reloading on its own?
>
> Trying a lot of possibilities. If anyone has any recommendation for this
> issue, please share the info.
>
> thanks
> goa0201
>
> ***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:55 GMT-3