RE: Router Reboot due to Virus !!

From: Jim Newton (jnewton@internetnoc.com)
Date: Thu Oct 02 2003 - 16:21:56 GMT-3


Sorry, it should read

route-map worm permit 10

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jim Newton
Sent: Thursday, October 02, 2003 1:52 PM
To: Kenneth Wygand; Kurt Kruegel; McClure, Allen; Gracie Pereira;
ccielab@groupstudy.com
Subject: RE: Router Reboot due to Virus !!

It is not really an ACL, it is policy routing:

access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
route-map nachi-worm permit 10
 match ip address 199
 match length 92 92
 set interface Null0

on the interface-
ip policy route-map worm

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kenneth Wygand
Sent: Thursday, October 02, 2003 1:44 PM
To: Kurt Kruegel; McClure, Allen; Gracie Pereira; ccielab@groupstudy.com
Subject: RE: Router Reboot due to Virus !!

I don't think you can filter based on packet length with Cisco IOS (that
would be neat though).

I think your only choice is to block all ICMP echoes until you clean all
your systems - if the source address is not spoofed in the ICMP echo
packet, you should be able to determine exactly which hosts the attack
is originating from.

Keep us informed...

Kenneth E. Wygand
Systems Engineer, Project Services
CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1, Network+, A+
Custom Computer Specialists, Inc.
"It's not just about ending up where you want to be, it's about making
the most of the trip there."
-Anonymous

-----Original Message-----
From: Kurt Kruegel [mailto:kurt@cybernex.net]
Sent: Thursday, October 02, 2003 2:29 PM
To: McClure, Allen; Gracie Pereira; ccielab@groupstudy.com
Subject: Re: Router Reboot due to Virus !!

Here's a Welchia ping captured from the AnalogX packet sniffer, and yes, it's
92 bytes:

08 00 79 05 02 00 27 A5 AA AA AA AA AA AA AA AA ..y...'.........
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ................
AA AA AA AA AA AA AA AA                         ........

From Symantec:

Protected machines will not be infected, so the traffic above will not
always take place. But as long as you can sniff the pings, you can tell,
with good reliability, whether the ping request originates from Welchia, by
looking at the ping payload, which is filled with 0xaa.

This is a complete dump of a Welchia ping request:

11:47:47.576542 169.254.56.166 > 169.254.189.84: icmp: echo request
0x0000 4500 005c 599d 0000 8001 970c a9fe 38a6 E..\Y.........8.
0x0010 a9fe bd54 0800 fa51 0200 a658 aaaa aaaa ...T...Q...X....
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............

One other thing I did to detect scans was place a 2600's Ethernet on the
network and debug ip icmp with buffered logging.
It logs all the echo-replies to all hosts.

So what does an access-list line look like that blocks only 92-byte ICMP
packets?

----- Original Message -----
From: "McClure, Allen" <Allen.McClure@Yum.com>
To: "Gracie Pereira" <goa0201@yahoo.com>; <ccielab@groupstudy.com>
Sent: Thursday, October 02, 2003 10:33 AM
Subject: RE: Router Reboot due to Virus !!

> Depends which virus you're talking about, but in general it's a memory
> issue related to the quantity of half-open connections being generated.
>
> For the TCP connection issue, you might try TCP Intercept. I've
> recommended its deployment here, but we're shy on code/DRAM on many
> routers. Not sure if that'll help, but I'm betting it will considering
> how many half-opens I'm seeing when these things are active.
>
> For the ICMP ones, you might try blocking anything specific that you
> can isolate about the virus. If I remember correctly, Welchia utilizes
> 92-byte ICMP echoes. Easy enough to drop without impacting normal ICMP
> operation. Rate-limiting ICMP is also something we're considering.
>
> We're using a combo of PIX Firewalls and FW-1 running on SunOS. The
> Sun buckles quite harshly when a virus gets on even a single internal
> system.
>
> Allen G. McClure
> CCNP/CCDP/MCSE
> Yum! Brands, Inc.
> Sr. Network Analyst
> allen.mcclure@yum.com
>
>
>
>
> -----Original Message-----
> From: Gracie Pereira [mailto:goa0201@yahoo.com]
> Sent: Thursday, October 02, 2003 8:41 AM
> To: ccielab@groupstudy.com
> Subject: Router Reboot due to Virus !!
>
>
> Hi everybody,
>
> We manage Cisco 3660 routers running version 12.2(2)XB5.
> Due to recent virus attacks, the router keeps rebooting. After staying
> up for a couple of hours, we tried blocking the virus ports, but no help.
>
> It's now affecting a couple more routers. Is there any way to stop it
> before the router gets affected and starts reloading on its own?
>
> Trying a lot of possibilities. If anyone has any recommendation on this
> issue, please share the info.
>
> Thanks
> goa0201
>



This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:55 GMT-3