Re: Router Reboot due to Virus !!

From: Larry Roberts (larryr@netbeam.net)
Date: Thu Oct 02 2003 - 15:53:02 GMT-3


Kenneth,

You can't match the length of a packet with access-lists alone, but you can
use Policy-based routing to do so. Here is Cisco's recommendation for
dealing with Welchia and Nachi. I have used these recommendations on
customer networks and they work pretty well.

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801b143a.shtml

HTH,
Larry Roberts
CCIE #7886 (R&S / Security)

----- Original Message -----
From: "Kenneth Wygand" <KWygand@customonline.com>
To: "Kurt Kruegel" <kurt@cybernex.net>; "McClure, Allen"
<Allen.McClure@Yum.com>; "Gracie Pereira" <goa0201@yahoo.com>;
<ccielab@groupstudy.com>
Sent: Thursday, October 02, 2003 11:43 AM
Subject: RE: Router Reboot due to Virus !!

> I don't think you can filter based on packet length with Cisco IOS (that
> would be neat though).
>
> I think your only choice is to block all ICMP echoes until you clean all
> your systems - if the source address is not spoofed in the ICMP echo
> packet, you should be able to determine exactly which hosts the attack
> is originating from.
>
> Keep us informed...
>
> Kenneth E. Wygand
> Systems Engineer, Project Services
> CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1, Network+, A+
> Custom Computer Specialists, Inc.
> "It's not just about ending up where you want to be, it's about making
> the most of the trip there."
> -Anonymous
>
> -----Original Message-----
> From: Kurt Kruegel [mailto:kurt@cybernex.net]
> Sent: Thursday, October 02, 2003 2:29 PM
> To: McClure, Allen; Gracie Pereira; ccielab@groupstudy.com
> Subject: Re: Router Reboot due to Virus !!
>
> Here's a Welchia ping captured from the AnalogX packet sniffer, and yes, it's
> 92 bytes:
>
> 08 00 79 05 02 00 27 A5 AA AA AA AA AA AA AA AA ..y...'.........
> AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
> AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
> AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
> AA AA AA AA AA AA AA AA                         ........
>
> from symantec
>
> Protected machines will not be infected, so the traffic above will not
> always take place. But as long as you can sniff the pings, you can tell,
> with good reliability, whether the ping request originates from Welchia, by
> looking at the ping payload, which is filled with 0xaa.
>
> This is a complete dump of a Welchia ping request:
>
> 11:47:47.576542 169.254.56.166 > 169.254.189.84: icmp: echo request
> 0x0000 4500 005c 599d 0000 8001 970c a9fe 38a6 E..\Y.........8.
> 0x0010 a9fe bd54 0800 fa51 0200 a658 aaaa aaaa ...T...Q...X....
> 0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
> 0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
> 0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
> 0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............
>
> One other thing I did to detect scans was place a 2600's Ethernet on the
> network and debug ip icmp with buffered logging.
> It logs all the echo-replies to all hosts.
>
> So what does an access-list line look like that blocks only 92-byte ICMP
> packets?
>
>
> ----- Original Message -----
> From: "McClure, Allen" <Allen.McClure@Yum.com>
> To: "Gracie Pereira" <goa0201@yahoo.com>; <ccielab@groupstudy.com>
> Sent: Thursday, October 02, 2003 10:33 AM
> Subject: RE: Router Reboot due to Virus !!
>
>
> > Depends which virus you're talking about, but in general it's a memory
> > issue related to the quantity of half-open connections being generated.
> >
> > For the TCP connection issue, you might try TCP Intercept. I've recommended
> > its deployment here, but we're shy on code/DRAM on many routers. Not
> > sure if that'll help, but I'm betting it will considering how many
> > half-opens I'm seeing when these things are active.
> >
> > For the ICMP ones, you might try blocking anything specific that you can
> > isolate about the virus. If I remember correctly, Welchia utilizes
> > 92-byte ICMP echoes. Easy enough to drop without impacting normal ICMP
> > operation. Rate-limiting ICMP is also something we're considering.
> >
> > We're using a combo of PIX Firewalls and FW-1 running on SunOS. The Sun
> > buckles quite harshly when a virus gets on even a single internal
> > system.
> >
> > Allen G. McClure
> > CCNP/CCDP/MCSE
> > Yum! Brands, Inc.
> > Sr. Network Analyst
> > allen.mcclure@yum.com
> >
> >
> >
> >
> > -----Original Message-----
> > From: Gracie Pereira [mailto:goa0201@yahoo.com]
> > Sent: Thursday, October 02, 2003 8:41 AM
> > To: ccielab@groupstudy.com
> > Subject: Router Reboot due to Virus !!
> >
> >
> > Hi everybody,
> >
> > We manage Cisco 3660 routers with IOS version 12.2(2)XB5.
> > Due to recent virus attacks, the router keeps rebooting after staying up
> > for a couple of hours. We tried blocking the virus ports, but no help.
> >
> > It's now affecting a couple more routers. Is there any way to stop it before
> > the router gets affected and starts reloading on its own?
> >
> > Trying a lot of possibilities. If anyone has any recommendation on this
> > issue, please share the info.
> >
> > thanks
> > goa0201
> >
> >
> >
> >
> >
> > ***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
> >
> _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials
> from:
> > shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
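The two things the thread circles around, the Welchia ping signature from the tcpdump dump (92-byte IP datagram, ICMP echo request, 64-byte payload of 0xaa) and the length-only match that Cisco IOS policy-based routing can do where a plain access-list cannot, as an added example that is not part of the original thread and not Cisco's or any poster's code. It reconstructs the posted packet byte for byte, verifies both checksums against the dump, and contrasts the full payload signature with what a route-map `match length 92 92` clause actually sees. The 10.0.0.x addresses, the two benign ping payloads, ACL number 199 and the route-map name `drop-nachi` are illustrative choices of mine, not values from the thread:

```python
"""Welchia/Nachi echo-request signature check, plus the IOS policy-routing rule it maps to.

Added example for this thread; it is not code from any poster or from Cisco. WELCHIA_PING
is reconstructed from the tcpdump dump quoted above; the other packets are constructed here.
"""
import socket
import struct

# Reconstructed from the tcpdump dump in the thread: 169.254.56.166 -> 169.254.189.84.
WELCHIA_PING = bytes.fromhex(
    "4500005c599d00008001970ca9fe38a6"  # IPv4: ver/ihl, tos, total len 0x5c=92, id, frag, ttl, proto 1, cksum, src
    "a9febd54"                          # IPv4: dst
    "0800fa510200a658"                  # ICMP: type 8, code 0, cksum 0xfa51, id 0x0200, seq 0xa658
) + b"\xaa" * 64                        # 64-byte payload, every byte 0xaa
# The ICMP-only capture from the AnalogX sniffer in the same thread (no IP header).
ANALOGX_ICMP = bytes.fromhex("08007905020027a5") + b"\xaa" * 64


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words; returns 0 for intact data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, ident: int = 0x0200,
                       seq: int = 1, ip_id: int = 0x599D, ttl: int = 128) -> bytes:
    """Raw IPv4 + ICMP echo request with valid checksums, for constructing comparison traffic."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, 0, ttl, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_ipv4_icmp(packet: bytes):
    """Return (ip_total_len, icmp_bytes) for an intact IPv4/ICMP datagram, else None."""
    if len(packet) < 28:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _cks, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 1 or total_len < ihl + 8 or len(packet) < total_len:
        return None
    icmp = packet[ihl:total_len]
    if checksum(packet[:ihl]) != 0 or checksum(icmp) != 0:  # reject corrupted/truncated captures
        return None
    return total_len, icmp


def matches_pbr_length_rule(packet: bytes, length: int = 92) -> bool:
    """What 'match length 92 92' plus an echo/echo-reply ACL drops: any ICMP echo or echo-reply
    whose Layer 3 length is exactly `length`, whatever the payload contains."""
    parsed = parse_ipv4_icmp(packet)
    return parsed is not None and parsed[0] == length and parsed[1][0] in (0, 8)


def is_welchia_ping(packet: bytes) -> bool:
    """The full signature from the thread: 92-byte echo request, 64-byte payload of 0xaa."""
    parsed = parse_ipv4_icmp(packet)
    if parsed is None:
        return False
    total_len, icmp = parsed
    return total_len == 92 and icmp[0] == 8 and icmp[1] == 0 and icmp[8:] == b"\xaa" * 64


def ios_pbr_mitigation(length: int = 92, acl: int = 199, name: str = "drop-nachi") -> str:
    """IOS fragment equivalent to matches_pbr_length_rule(). ACL 199 and the route-map name are
    illustrative; it takes effect once applied with 'ip policy route-map <name>' on an interface."""
    return "\n".join([
        f"access-list {acl} permit icmp any any echo",
        f"access-list {acl} permit icmp any any echo-reply",
        f"route-map {name} permit 10",
        f" match ip address {acl}",
        f" match length {length} {length}",
        " set interface Null0",
    ])


if __name__ == "__main__":
    samples = {
        "welchia": WELCHIA_PING,
        "windows ping": build_echo_request("10.0.0.1", "10.0.0.2", b"abcdefghijklmnopqrstuvwabcdefghi"),
        "92-byte ping": build_echo_request("10.0.0.1", "10.0.0.2", b"x" * 64),  # same size, benign
    }
    for label, pkt in samples.items():
        print(f"{label:13s} len={len(pkt)} pbr_drops={matches_pbr_length_rule(pkt)} welchia={is_welchia_ping(pkt)}")
    print(ios_pbr_mitigation())
```

The point of keeping the two predicates separate is the caveat the thread only hints at: a route-map `match length` clause sees the Layer 3 length and nothing else, so policy routing to Null0 also blackholes any legitimate echo carrying a 64-byte payload, while the 0xaa-filled payload that Symantec describes is only checkable by something that inspects packet contents (a sniffer or IDS), not by an IOS access-list or route-map. Rebuilding the posted packet with `build_echo_request` and getting the same IP checksum (0x970c) and ICMP checksum (0xfa51) as the dump is the sanity check that the reconstruction, and therefore the signature, is right.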




This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:55 GMT-3