[nsp] Nachi WORM & ICMP floods of ICMP packets ..

Kevin Kincaid KKincaid at classmates.com
Mon Sep 8 12:02:55 EDT 2003


Greetings-

Cisco had an online seminar last week regarding this specific issue.  I
copied the Q & A session from that seminar.  I have pasted it inline/below in
this email.

Hope this helps a bit.

BEGIN NOTES
==========================================================================

Thought this was worth a peek.. It is the Q & A session from the web seminar
Cisco had today called "combating the blaster worm".


Question: 97  
How is CSA licensed?  
Answer: 97  
CSA is licensed by machine (servers & desktops). A VMS 2.2 license is also
required for the management of CSA hosts.  
  
Question: 96  
What is the Cisco Security Agent, and where can I get it? Can I download it?

Answer: 96  
http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html  
  
Question: 95  
How does this differ from Entercept HIDS?  
Answer: 95  
It differs in a few ways. It does prevention on both servers and desktops
where Entercept is only for servers. It also is purely behavior based and
has no signatures. Another big difference is the fact that it protects the
endpoints against network type attacks which Entercept does not.  
  
Question: 94  
would blocking port 135 and 139 on UDP and TCP impact a user that is
remotely connected to the network via VPN?  
Answer: 94  
Yes it would. It would impact the ability of the user to access Windows
network services. Some of these service locations will be cached from the
time the user is directly connected to the local network versus over the
VPN. You may also consider hard-coding this information in the LMHOSTS file.

  
Question: 93  
Does IDS have an automatic process for getting the signatures?  
Answer: 93  
Yes. IDS sensors can be setup to download their service packs at preset
times through the IDS MC under VMS.  
  
Question: 92  
We have many users who access windows shares through an intranet firewall,
who keep losing and regaining access to those shares. Could this be a sign
of virus or worm activity? Using a sniffer, what are the tell-tale signs
that an attack is going on?  
Answer: 92  
You need an IDS system to look into the payloads of these packets to be more
sure. In general, it's not a good idea to access windows shares through a
firewall unless both sides of that firewall are trusted subnets.  
  
Question: 91  
What do you do when you have Cisco products that do not allow Microsoft
patch to be applied such as Call Manager? ie You have to wait for a fix from
Cisco, because it is stressed to not apply patches, except from Cisco.  
Answer: 91  
CSA is now certified on Call Manager.  
  
Question: 90  
How can I download the questions and answers to reference offline?  
Answer: 90  
Questions and answers will be posted on the interface as a downloadable pdf
when the event is archived.  
  
Question: 89  
We used MLS flows to monitor ICMP traffic and track the Nachi worm but this
is a manual process. Is there a way to automate this?  
Answer: 89  
Cisco NetFlow in conjunction with tools/product such as Arbor Networks (a
Cisco development partner) anomaly-detection system is useful in this arena
- see
http://www.cisco.com/en/US/tech/tk648/tk362/tk812/tech_protocol_home.html
and http://www.arbornetworks.com for more information.  
  
Question: 88  
Does the Cisco Security Agent act as an IPS?  
Answer: 88  
Yes.
http://wwwin.cisco.com/issg/vsec/products/csa/csa_datasheets.shtml 
 
  
Question: 87  
What are the performance consequences of running NBAR, particularly in
respect to a large set of infected systems?  
Answer: 87  
This varies, based on platforms (some, such as the C6500 have hardware
support available), as well as the actions taken. The most efficient use of
NBAR is to use QoS, setting both the conform and exceed actions to drop.
This will result in a <10% increase in CPU utilization on a 7206.  
  
Question: 86  
What are the key points for IDS throughout the system?  
Answer: 86  
Excellent and complex question. The Cisco SAFE team will be delivering a
document on IDS best practices next week. Please check www.cisco.com/go/safe
next Friday.
Thanks - good question 
 
  
Question: 85  
For a group of servers (~35), would CSA be preferred, or Okena Stormwatch ?

Answer: 85  
Cisco Security Agent 4.0 is the latest version of OKENA StormWatch.
StormWatch 3.2 is no longer shipping.  
  
Question: 84  
How does the CSA software prevent Blaster without needing an updated
signature? How does it differentiate between legitimate MS traffic and not?

Answer: 84  
CSA does not use any signatures at all, it is completely behavior based. The
behavior that blaster had is the same as many worms have been and will be.
After trying to come out of the buffer overflow it tries to inject its code.
This behavior is bad behavior and is stopped. Legitimate traffic would not
be trying to do this as it is clearly malicious.  
  
Question: 83  
How do I obtain a copy of CSA?  
Answer: 83  
You request an evaluation of VMS 2.2, which includes the CSA software:
http://www.cisco.com/cgi-bin/tablebuild.pl/vms

You also request a CSA evaluation license key:

http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl 
 
  
Question: 82  
Can you explain the use of NetFlow in more detail? I'm not too familiar with
it.  
Answer: 82  
Cisco NetFlow is a technology which allows one to see network flows, or
conversations, as they pass through Cisco routers and switches. This
technology has a number of uses in the fields of traffic characterization,
anomaly-detection, etc. - please see
http://www.cisco.com/en/US/tech/tk648/tk362/tk812/tech_protocol_home.html
for more details.  
  
Question: 81  
What's the best way to find Cisco consultants/technicians in my area?  
Answer: 81  
I'd suggest using the Cisco Partner Locator Tool online to locate resellers
and partners in your area:
http://tools.cisco.com/WWChannels/LOCATR/jsp/partner_locator.jsp
 
  
Question: 80  
Can the new Sup720 for the 6500 filter based on packet size without passing
off to the CPU?  
Answer: 80  
No, once you look into packet payload and things of the like, you pass to
cpu.  
  
Question: 79  
Am I exposed to this worm if I do not block outbound connections via the
Firewall over the mentioned ports?  
Answer: 79  
Yes. These worms (Nachi or Blaster) may make inbound connection attempts
against your network. Thus you need to block these ports inbound as well.
For more information on filtering please refer to the SAFE Blaster
mitigation white paper at
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a00801b2391.shtml.  
  
Question: 78  
Will Cisco Secure IDS slow down our network if fully implemented?  
Answer: 78  
Network based Cisco Secure IDS is passive and will have no effect on your
network. Host based IDS called Cisco Security Agent, will add 3% CPU usage
to a host or server but so far has stopped all the major worms, blaster,
code red, nimda and slammer.  
  
Question: 77  
Can CSA interfere with normal day to day operation of a server? i.e.
possibly preventing something from happening that should happen?  
Answer: 77  
The policies have been carefully constructed to avoid blocking legitimate
activity. It is also easy to tune the policies to the local environment.
Agents can run in "Testmode" which alerts but does not block behavior. The
policy tuning wizard helps automate policy tuning so that policies are
adapted in a sensible, best practices manner.  
  
Question: 76  
To date, have any viruses specifically attacked Cisco IOS based equipment?  
Answer: 76  
No. However, we have seen adverse behavior on some devices. For instance, on
our 600 Series CBOS routers, they were affected by CodeRed, not because
CodeRed targeted them or that they run Microsoft's IIS web server, but
because the web server code on that platform had a bug in it which it could
not handle the HTTP request that the CodeRed worm was sending. To date, no
worms to our knowledge have specifically targeted the Cisco IOS platform.
 
  
Question: 75  
What is the difference between... NBAR and CSIDS when dealing with worms?  
Answer: 75  
NBAR is a mechanism for marking network traffic based upon
application-/service-specific information. Cisco's IDS products provide
detection and notification of potentially undesirable activity on the
network.  
  
Question: 74  
Would diligent patching procedures have helped prevent Blaster and its
variants from spreading? What products aside from Windows Auto Update can
help with patching?  
Answer: 74  
Diligent patching is always recommended, but is often administratively
cumbersome. If just one new patch comes in each week, can your network
productivity sustain the downtime required to apply the patch and reboot?
One strong argument towards implementing CSA is the ability to
manage/modify profiles on the fly, to protect servers from time-zero, while
allowing you to adopt a routine vs. reactive patching schedule.  
  
Question: 73  
How do I deploy Cisco Security Agent on my network?  
Answer: 73  
Cisco Security Agent can be deployed on your network in a few ways. You can
bury it in a login script, distribute it through traditional methods such
as SMS, you can email an executable, or you can have the end user go to a
webpage and download the executable. You could also manually install it with
a CD.  
  
Question: 72  
Will CSA block valid requests / actions by legitimate programs?  
Answer: 72  
It is a policy tuning issue, and there are tools to assist you in this tuning
such as the profiler feature.  
  
Question: 71  
Is there a way to use VLANs in order to contain a worm within your network?  
Answer: 71  
Private VLANs can contain the worm just to that VLAN. Standard layer two
VLANs are subject to infection as they provide no filtering of data. Best
bets are to install the patch and check the following URLs to see what can
be done from a network perspective.
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801aedd6.shtml.
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a00801b2391.shtml.
 
  
Question: 70  
Ports 135 & 139 are used by NetBIOS & FTP. Blocking this traffic means
shutting down MS Windows clients and servers, thus stopping people from
working. What is the other alternative to block the traffic instead of
blocking ports 135 & 139?  
Answer: 70  
Ports 135 and 139 are used by NetBIOS; ports 20 and 21 are used by FTP.
Blocking NetBIOS ports would be problematic, especially if you rely on
Microsoft Windows Networking (i.e. Disk shares, WINS, etc.). The only
alternative to blocking ports 135 & 139 (if your dependence on them is
critical to your network operations) is to keep all of your systems up to
date on patches.  
  
Question: 69  
What are the ISPs doing to help prevent the spreading of these attacks?  
Answer: 69  
Different service providers have different approaches to handling DoS
attacks in general; the best source of information on this subject is the
specific service provider(s) you are using.  
  
Question: 68  
Can the attack window by a worm be reduced by having the PC turned off when
not in use ?  
Answer: 68  
It absolutely can be reduced. Any time that the machine is unavailable it
cannot be infected. However, depending on downtime of the machine to prevent
infection is a poor strategy, because that could interfere with other
mitigation and prevention strategies like regularly scheduled updates at a
certain time of day.  
  
Question: 67  
Can CSA be used to enforce antivirus compliance (installed, running and
current defns and reasonably recent scan) on desktops and dialup/vpn users?

Answer: 67  
CSA provides protection against attacks for which there is no antivirus
signature (Day Zero worms and viruses). While detecting the presence of
antivirus clients is a future enhancement, CSA's Day Zero protection will
prevent outbreaks of worms like Blaster.  
  
Question: 66  
Does CSA stop you from running CMD period?  
Answer: 66  
By default we prevent CMD from being spawned by certain applications. This
prevents malicious code from being executed on your system. CSA also
provides the flexibility to tailor security policies to your unique
environment. You could have a rule in place to prevent CMD from running on
your hosts entirely.  
  
Question: 65  
Does the blaster worm affect individual hard drives?  
Answer: 65  
No. Blaster installs itself in a system directory and runs from there. It
doesn't spread to other disks, only to other computers.  
  
Question: 64  
Is the CSA standalone software that acts without referring to a server?  
Answer: 64  
The CSA is not a stand-alone product. It is centrally managed from Cisco's
management console, which is called VMS.  
  
Question: 63  
What is NBAR?  
Answer: 63  
Network Based Application Recognition is a feature built into Cisco routers
which allows traffic to be marked on an application-/service-specific
basis, and then dropped/shaped/policed using various QoS and/or ACL
mechanisms. See http://www.cisco.com/warp/public/732/Tech/qos/nbar/ for more
information.  
  
Question: 62  
We got hit by the Welch on Monday MORNING and Symantec RELEASED the fix
Tuesday in the afternoon...what to do if there is no FIX available YET???  
Answer: 62  
Antivirus scanners only protect against known attacks, for which a signature
has been created and deployed. Other approaches (for example, CSA's behavior
analysis) must be used to stop new attacks for which there is no signature.

  
Question: 61  
If a home computer is connected to your company network with VPN, can the
worm spread to the company network?  
Answer: 61  
If the home computer is infected when it connects to the VPN, then yes, it
is possible. As shown on the SAFE blueprint, it is desirable to place remote
access VPN resources into a DMZ to allow traffic inspection of VPN traffic
(post-decryption), prior to its accessing the network.  
  
Question: 60  
What relevance does the 92 byte ICMP packet have in relation to propagation
of the Blaster worm variant?  
Answer: 60  
The 92-byte ICMP packet has no relevance to the Blaster worm, as this was a
traffic signature for the Nachi worm. However, in our testing, no standard
ping utilities, which generate ICMP echo requests, generated 92-byte packets
by default. Knowing that unique behavior of the worm helps to identify that
those 92-byte ICMP packets likely came from a Nachi worm infected host.  
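The 92-byte check described in the answer above, as an added example that is not part of the seminar Q&A: a small Python parser that walks constructed IPv4/ICMP packets, reports each echo request's total IP length, type and identifier, and counts 92-byte echo requests per source address. The sample packets are built inline; the payload sizes of the "normal" pings and the 0xAA payload of the sweep are assumptions, not facts from the page.

```python
import struct
from collections import Counter

# Total IP length the seminar gives as the Nachi echo-request signature.
NACHI_ICMP_LEN = 92


def build_icmp_echo(src, dst, ident, seq, payload):
    """Constructed sample packet: minimal IPv4 header + ICMP echo request (type 8).
    Checksums are left at zero; this is test input, not a packet to put on the wire."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    total_len = 20 + len(icmp)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, 0, 64, 1, 0,   # ver/IHL, TOS, len, id, frag, TTL, proto=ICMP, cksum
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return ip + icmp


def parse_packet(raw):
    """Return the fields needed for the check, or None if the packet is not ICMP."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 1:                      # IP protocol number 1 = ICMP
        return None
    src = ".".join(str(b) for b in raw[12:16])
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", raw[ihl:ihl + 8])
    # 'ident' is the echo identifier; it is what a NAT table shows as the ICMP
    # "port" and says nothing about the message type.
    return {"src": src, "len": total_len, "type": icmp_type, "code": code,
            "id": ident, "seq": seq}


def is_nachi_like(pkt):
    """Echo request whose total IP length is exactly 92 bytes."""
    return pkt is not None and pkt["type"] == 8 and pkt["len"] == NACHI_ICMP_LEN


def suspect_hosts(packets):
    """Count 92-byte echo requests per source; a high count marks a host to examine."""
    counts = Counter()
    for raw in packets:
        pkt = parse_packet(raw)
        if is_nachi_like(pkt):
            counts[pkt["src"]] += 1
    return counts


# Constructed sample traffic (assumed sizes): a ping with a 32-byte payload
# (60 bytes total), a ping with a 56-byte payload (84 total), and a worm-style
# sweep with a 64-byte 0xAA payload (92 total) from one host to five targets.
SAMPLE_PACKETS = [
    build_icmp_echo("10.0.0.5", "10.0.0.9", 0x0200, 1, b"a" * 32),
    build_icmp_echo("10.0.0.6", "10.0.0.9", 0x1234, 1, b"\x00" * 56),
] + [
    build_icmp_echo("10.0.0.7", "10.0.1.%d" % n, 0x0300, n, b"\xaa" * 64)
    for n in range(1, 6)
]

if __name__ == "__main__":
    for raw in SAMPLE_PACKETS:
        p = parse_packet(raw)
        print(p["src"], "len=%d type=%d id=0x%04x" % (p["len"], p["type"], p["id"]),
              "<-- 92-byte echo request" if is_nachi_like(p) else "")
    print("suspects:", dict(suspect_hosts(SAMPLE_PACKETS)))
```

Only the total length and the ICMP type are used for the match, so a sensor can apply the same test to NetFlow records (which carry the byte count) without looking at payload; the identifier is parsed only to show that it is an independent field.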
  
Question: 59  
Is CSA supported on Windows 2000 Server, SP4. The doc I read only referenced
SP3.  
Answer: 59  
This month we will be releasing CSA v4.01 and SP4 will be supported in this
release.  
  
Question: 58  
Is Cisco Secure IDS the "Final" solution in preventing worms from
entering/spreading in Cisco networks?  
Answer: 58  
No. Cisco IDS reports errors on the network and requires an admin to clean
up after. Cisco Security Agent is the end-all. It runs on hosts and stops
the activity that propagates the worm. I.e., this worm starts with a buffer
overflow; CSA will stop the overflow and the attack can never take place.  
  
Question: 57  
Will the current patch for the worm detect and remove vulnerabilities for
the variants?  
Answer: 57  
The current patch for the vulnerability that the worm exploits also prevents
infection from any worm variants. The vulnerability is the same across the
variants therefore one patch will stop Blaster and its variants.  
  
Question: 56  
How does CSA differ from personal firewalls such as ZoneAlarm?  
Answer: 56  
CSA provides personal firewall capabilities (for example port blocking).
However, it also protects applications that are allowed to communicate on
the network - such as web browsers, email clients, etc. Worms that target
vulnerabilities in these desktop applications can be mitigated with CSA.  
  
Question: 55  
Blocking port 135 is fine for containing the worm, but it also breaks some
windows 2000 server functionality. With hundreds of servers ACLs are
difficult to manage. Any suggestions going forward on battling worms that
use needed ports/services?  
Answer: 55  
The Cisco Security Agent allows you to block any ports on hosts. However,
blocking attacks on ports is not the only method of preventing damage. CSA
provides "defense in depth" by providing layers of protection. For example,
CSA prevented Blaster from spawning a command shell and executing its
payload.  
  
Question: 54  
My company uses port 135 to run a private application. What can I do
without stopping the process in the company?  
Answer: 54  
In cases where access to well-known ports such as TCP/UDP 135 is required
for remote sites via the Internet, Virtual Private Network (VPN) technology
may provide a more secure solution. Please see
http://www.cisco.com/en/US/netsol/ns110/ns170/net_solution_home.html for
more details.  
  
Question: 53  
What is the effect of applying the ACL to the outside interface of a 1721
with firewall featureset and vpn tunnels terminating on the outside
interface?  
Answer: 53  
Cisco extended ACLs are fast switched, no real performance impact.  
  
Question: 52  
Should we be concerned with giving the developers of worms more knowledge
when pointing out flaws in the virus?  
Answer: 52  
This is always a concern since the risk is there that the virus/worm author
could fix their code and release a new variant. However, one benefit of
pointing out the deficiencies in the virus/worm is that it can help system
and network administrators to effectively mitigate the virus/worm by taking
advantage of weaknesses in it.  
  
Question: 51  
Relative to mitigation methodology.....should you identify the worm as step
one, before moving to containment?  
Answer: 51  
No, you should contain the infection as quickly as possible. Identification
of the worm is the next step once you have stopped the infection from
spreading in your network or beyond.  
  
Question: 50  
Can I download the slideshow at the end of the seminar?  
Answer: 50  
The presentation can be downloaded by clicking on the "Presentation
Download" button in the upper left of the interface.  
  
Question: 49  
Is there a command on the PIX to pinpoint what machines are infected with
the Nachi worm? I noticed my global IPs on my PIX depleting and I had to
clear xlate every hour.  
Answer: 49  
You could log ICMP connection attempts above any reasonable number of
attempts, say greater than 50/minute. The resulting report would provide a
list of the infected hosts. Tools in VMS such as SIMS would simplify this task.
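The per-minute threshold suggested in the answer above, as an added example that is not part of the seminar Q&A: Python that buckets firewall log lines by source and minute and flags any source exceeding the threshold on echo requests. The log line format and the sample lines are constructed for the example (they are not PIX syslog output), and echo replies are deliberately ignored so that the targets of a sweep are not reported as infected.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not the PIX syslog format): one line per
# ICMP connection the firewall built, with an ISO timestamp, source, destination and type.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) ICMP src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) type=(?P<type>\d+)$"
)


def hosts_over_threshold(lines, threshold=50):
    """Return {src: (minute, count)} for sources sending more than `threshold`
    echo requests (type 8) in any one-minute bucket. Lines that do not parse and
    replies (type 0) are skipped."""
    per_source = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["type"] != "8":
            continue
        minute = m["ts"][:16]                 # YYYY-MM-DDTHH:MM
        per_source[m["src"]][minute] += 1
    flagged = {}
    for src, buckets in per_source.items():
        minute, peak = max(buckets.items(), key=lambda kv: kv[1])
        if peak > threshold:
            flagged[src] = (minute, peak)
    return flagged


def constructed_log():
    """Sample lines: one host sweeping 120 targets in a minute (with the replies
    coming back), two hosts pinging a server at a normal rate, and one junk line."""
    lines = []
    for i in range(120):
        lines.append("2003-09-08T12:00:%02d ICMP src=10.0.0.7 dst=192.0.2.%d type=8"
                     % (i // 2, i + 1))
        lines.append("2003-09-08T12:00:%02d ICMP src=192.0.2.%d dst=10.0.0.7 type=0"
                     % (i // 2, i + 1))
    for s in range(5):
        lines.append("2003-09-08T12:00:%02d ICMP src=10.0.0.5 dst=10.0.0.9 type=8" % (s * 10))
    for s in range(3):
        lines.append("2003-09-08T12:01:%02d ICMP src=10.0.0.6 dst=10.0.0.9 type=8" % (s * 20))
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for src, (minute, count) in sorted(hosts_over_threshold(constructed_log()).items()):
        print("%s sent %d echo requests in minute %s" % (src, count, minute))
```

The threshold is a parameter because the right number depends on the site: monitoring hosts that poll many devices will legitimately exceed 50/minute and belong on an allow list rather than in the report.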

  
Question: 48  
What happens if you put an access list on your peripheral routers and the
traffic that goes through them is too high?  
Answer: 48  
If the traffic rate is too high the CPU usage on the router will increase,
which slows down the router. In most cases this doesn't happen because ACL
code runs in ASICs on the input queue. If you have slowing you need to apply
NBAR from your ISP to rate limit traffic. See Cisco PSIRT and SAFE
announcements at the following URLs.
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801aedd6.shtml.
For additional information please see the SAFE response at
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a00801b2391.shtml. 
 
  
Question: 47  
Patch management is a huge concern. The sheer volume of patches (Microsoft)
that are released (almost daily), dictates testing must be done before
patching takes place on production. Has anyone discovered intelligent ways
to manage the process?  
Answer: 47  
Patch management is a huge problem for two reasons:
1. The volume of patches (and the urgency of security patches) forces
emergency update efforts. This is expensive and disruptive.

2. Some patches cause critical applications to fail. This forces a choice
between remaining insecure and causing application failure.

A defense in depth that blocks day zero attacks (such as CSA) does not
remove the need to patch, but does allow a longer period to test the patch
to ensure that it is safe. By protecting against attacks before the patch
can be deployed, patching efforts can be addressed in a more organized
manner. 
 
  
Question: 46  
My ISP requires me to leave ICMP open for a set of IPs they are giving me so
that they can ping my Internet connection status at all time. If I open to
those IPs only am I protected? They gave me four IPs that end with /24, and
/23.  
Answer: 46  
If you can define which IP addresses, all the better. But just because you
need to be pingable, does not mean you should accept all ICMP messages. The
only ones you should really give consideration to are: echo, echo reply,
time-exceeded, packet-too-big, traceroute, and unreachable.  
  
Question: 45  
Is there an effective way to prevent proper traffic from those that may be
generated from an infected system?  
Answer: 45  
Infected systems should have their switch ports disabled prompting a
quarantine until they have been cleaned. Cisco Network IDS can prevent the
malicious traffic automatically. Make sure Signature update 51 has been
installed on Cisco IDS.  
  
Question: 44  
What can you tell me about Committed Access Rate for network security?  
Answer: 44  
CAR, Traffic Policing, and other QoS-type mechanisms are useful tools - see
http://www.cisco.com/en/US/products/sw/iosswrel/ps1820/products_feature_guide09186a00800f4890.html and
http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a008008044c.html for more details.  
  
Question: 43  
How can we tell if backdoors have been setup on our systems?  
Answer: 43  
There are various software packages that you can use to determine if a
backdoor has been setup on your systems. One simple way would be to use a
port scanner to scan your systems and look for any open ports that are "out
of the ordinary". This requires you to have a good knowledge of which ports
should normally be open on your system. Other software to consider would be
Nessus which can identify potential backdoors. Also, check out the open
source software: chkrootkit @ http://www.chkrootkit.org  
  
Question: 42  
What is a trojan horse?  
Answer: 42  
A trojan horse is defined as a malicious, security-breaking program that
is disguised as something benign.  
  
Question: 41  
How are Internet worms spread from one location so rapidly?  
Answer: 41  
Worms replicate themselves exponentially. First one machine is infected, then
two, then four then sixteen. Once infected all machines spread to several
other machines. Keep an eye on security advisories and patch appropriately
ASAP.  
  
Question: 40  
What are the advantages of Cisco IDS as opposed to open software such as
Snort?  
Answer: 40  
Cisco NIDS and Cisco HIPS will send reports back to the same console. Cisco
HIPS uses a set of behavioral rules which can work in a signatureless way to
prevent malicious code execution. Snort does not do this.  
  
Question: 39  
Has Cisco acquired any products of late that will work as an inline IDS such
as Intrusion Prevention technology that Entercept uses?  
Answer: 39  
Cisco has a product called Cisco Security Agent which was formerly the Okena
product. Unlike Entercept it covers desktops as well as servers and is
purely behavior based.  
  
Question: 38  
When using the vpn client with a dialup account what is the best way to
protect the host computer?  
Answer: 38  
The Cisco Security Agent works with the VPN client (via Are You There, or
AYT). The VPN can make sure that the CSA is present before the tunnel is
enabled. The CSA provides protection against the Blaster and other worms.  
  
Question: 37  
How can we get the most current security information from Cisco during a
virus event?  
Answer: 37  
Cisco's Product Security Incident Response Team (PSIRT) provides the most
current information regarding network security issues, fixes, etc. as they
apply to Cisco products. Please see
http://www.cisco.com/warp/public/707/advisory.html for more details.  
  
Question: 36  
Does the Blaster worm only attack through email attachments?  
Answer: 36  
Customers that have previously applied the security patch MS03-026 before
today are protected and no further action is required. IMPACT OF ATTACK:
Spread through open RPC ports. Customer's machine gets rebooted or
mblast.exe exists on the customer's system. TECHNICAL DETAILS: This worm scans a
random IP range to look for vulnerable systems on TCP port 135. The worm
attempts to exploit the DCOM RPC vulnerability patched by MS03-026. Once the
Exploit code is sent to a system, it downloads and executes the file
MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates the
registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  
  
Question: 35  
Is Cisco Security Agent available on CallManager?  
Answer: 35  
Cisco Security Agent for Call Manager is available in beta.  
  
Question: 34  
Is it feasible to say that a worm that could patch numerous systems would be
a good thing? Should an organization be created to address these things?  
Answer: 34  
In general it could be a good thing but in most cases especially the case of
blaster the good worms reboot the system. This has led to folks losing
unsaved data on their computer. I would be surprised to hear that someone is
trying to figure out how to do this and not impact the end user.
Thanks 
 
  
Question: 33  
Using Cisco, is there a way to either register machine addresses on the
network so that new machines that attempt to connect do not.  
Answer: 33  
There are multiple answers to this question. You can use port security on
switches to lock specific MAC addresses to specific ports. There are a
number of recent features within Catalyst switches to prevent other L2
attacks, such as DHCP, GARP, and STP attacks. But, you may wish to consider
802.1X authentication, which requires hosts/users to authenticate
themselves to their network port (or Access Point, in the case of wireless
devices), prior to VLAN assignment and enabling the port to forward traffic
to the rest of the network.  
  
Question: 32  
Is there a Microsoft security patch that is cumulative or do I have to find
each individual patch?  
Answer: 32  
You would need each individual patch.  
  
Question: 31  
What actions, specifically, would Cisco IDS products have been able to take
upon seeing attack traffic from the Blaster worm? And would they have been
able to detect it at all?  
Answer: 31  
Cisco Network IDS products could generate an alarm that would be visible
either on IEV or on SecMon in VMS. Depending on whether the default
signature for the exploit the worm used was tuned or not you could have the
IDS sensor transmit TCP resets or apply shuns or blocks to firewalls and
router to block incoming worm traffic. On the Host Intrusion Prevention
side, Cisco Security Agent prevents the worm exploit code from succeeding
and thus prevents the worm from infecting a host. CSA would detect the
actions of the worms, Cisco IDS sensors would detect the worm so long as the
signature for the worms exploit was in the signature pack. This underscores
the importance of keeping up to date on the signature packs.  
  
Question: 30  
How effective is scheduling OS updates and anti-virus/worm scans and
updates?  
Answer: 30  
Antivirus scans are only effective against known attacks, so there is a lag
between when an attack is launched and when an update is available.
OS updates are only effective against known vulnerabilities. Sometimes
patches cause applications to break, so testing is critical to prevent a
self-imposed denial of service from a poorly tested patch. 
 
  
Question: 29  
What exactly is the no ip unreachables command for pertaining to the "Nachi
worm mitigation"?  
Answer: 29  
Turning off IP unreachables is needed because when packets are denied by
access-lists, an ICMP error message is generated and sent to the source IP
address. This creates load on the device to generate the reply, it doubles
the network traffic (1 reply per request received), and in the case of
spoofed traffic may be directed to a network other than the true source of
the request.  
  
Question: 28  
Can the collection of Netflow statistics for TCP 135 or ICMP be automated
using telnet or SNMP scripts or does a better tool exist?  
Answer: 28  
No, NetFlow is best for this.  
  
Question: 27  
Would the traffic generated by these worms cause me to not be able to telnet
into a router?  
Answer: 27  
It is possible extremely high packet loads caused by these worms could cause
slow response times on Cisco routers. There do exist however best practices
for changing the IOS scheduler settings in cases where devices may be DDoS
susceptible. This will schedule the console/telnet threads at a higher
priority thus guaranteeing administrative access. A new IOS feature in 12.3
called Autosecure automates this router hardening for you.  
  
Question: 26  
Has Cisco released a Network monitoring product to watch for unusual traffic
like worms?  
Answer: 26  
Cisco's IDS products are very useful in this regard; also, Cisco partner
Arbor Networks has developed an anomaly-detection system which makes use of
Cisco NetFlow and RSPAN to provide additional functionality. See
http://www.cisco.com/en/US/tech/tk648/tk362/tk812/tech_protocol_home.html ,
http://www.cisco.com/en/US/products/hw/vpndevc/index.html , and
http://www.arbornetworks.com for more information.  
  
Question: 25  
Can you tell me what commands I would use to redirect http requests from
infected machines to a web page telling the users they were infected. I was
thinking of using a list of known infected IP addresses. Thanks!  
Answer: 25  
Cisco has more than one product that can do this. Please specify what
product you want to do this with: Cisco CSS, etc.  
  
Question: 24  
How do you protect your network from infected machines connecting through a
VPN?  
Answer: 24  
The best thing to do with VPN is to terminate the tunnel in front of the
firewall and then block the ports described in the PSIRT announcement: 135,
444 and udp 69. This should keep the worm from spreading further. Make sure
to apply the MS patches.
Thanks 
 
  
Question: 23  
Did the Cisco HIDS solution find, alert and eliminate the Blaster worm and
all the variations?  
Answer: 23  
Cisco HIDS(Cisco Security Agent(CSA)) detected, alerted and most importantly
prevented the compromise of hosts. CSA default policies provided protection
against Blaster and all of its variants without the need of any updates or
signatures.  
  
Question: 22  
Is the use of personal firewalls recommended (in conjunction with antivirus
tools) to block worms?  
Answer: 22  
A personal firewall would not be effective in stopping exploitation of an
application that is allowed to use the network. For example, the Blaster
worm targeted Microsoft file sharing, which (in a corporate environment) is
frequently an authorized function. Intrusion Prevention (for example, as
provided by the Cisco Security Agent) will prevent authorized applications
from being subverted by a Day Zero attack.  
  
Question: 21  
NAT translation shows ICMP on port 1024 (and other ports). How do I find
what ICMP type that is?  
Answer: 21  
You cannot tell the ICMP type from the output of "show ip nat translation".
The output from that command only lists the protocol. The "port" that is
shown in the output is actually an identifier within the ICMP packet that
does not directly correspond to the ICMP type, such as echo or echo-reply.  
  
Question: 20  
Can Blaster and follow-on worms be blocked using firewalls to protect hosts
and/or network devices?  
Answer: 20  
Yes - see
http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.shtml for
more details.  
  
Question: 19  
What tools do you have to challenge devices before they attach to a CISCO
switch?  
Answer: 19  
802.1x authentication will challenge devices before they are allowed
onto a switch. See documentation on the www.cisco.com for a full explanation
of versions and platforms supported.
Thx 
 
  
Question: 18  
What about NBAR?  
Answer: 18  
NBAR will help mitigate worms; see
http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml  
  
Question: 17  
what is the difference between a virus and a worm?  
Answer: 17  
A virus is a piece of code that attaches itself to another document or
program and executes when that document or program is opened. A worm is
typically a self-contained program that can infect other systems on its own
and then copy itself over and continue the infection. Like their biological
equivalents, viruses require "vectors" or something to carry them from one
system to another.  
  
Question: 16  
What does Cisco have as a product that will address this issue?  
Answer: 16  
The Cisco Security Agent stopped the worm with the default server and
desktop policies.  
  
Question: 15  
In Cisco IOS, is there a way to filter ICMP packets containing specific
payload data?  
Answer: 15  
Assuming that you are using an extended ACL, you can create ACL entries for
specific ICMP message types.  
  
Question: 14  
What are specific protection rules provided by the Beta CSA for callmanager?  
Answer: 14  
The CSA defense in depth policy provides several ways that the Call Manager
policy stops the Blaster worm:
SVCHOST.EXE is blocked from accessing CMD.EXE
SVCHOST.EXE is blocked from executing CMD.EXE
TFTP.EXE is blocked from downloading the worm code.
Downloaded worm code is blocked when it tries to execute.

Note that this was tested in "TestMODE" (where actions are logged, but not
blocked). If you are running in protect mode, only the first event would be
seen, as the worm's chain of execution would be stopped then. 
 
  
Question: 13  
Can QOS be used to limit a blaster type of worm from running your network
into the ground?  
Answer: 13  
In some cases, yes - for Nachi mitigation using a variety of techniques, see
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml for more
details.  
  
Question: 12  
Is there an easier way, besides sniffing, to find which computers on network
have the blaster worm?  
Answer: 12  
You can tell if you've been affected by looking at your XP and 2000 systems.
Look at processes in the task manager. If you see MSblaster in the list you
are infected. Download the patch from the Microsoft site, and implement
Cisco changes described in
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a00801b2391.shtml.  
  
Question: 11  
How can you tell if you have been infected?  
Answer: 11  
You can tell if you've been affected by looking at your XP and 2000 systems.
Look at processes in the task manager. If you see MSblaster in the list you
are infected. Download the patch from the Microsoft site, and implement
Cisco changes described in
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a00801b2391.shtml.  
  
Question: 10  
NBAR was effective against CODE RED. Is it appropriate for use against
current worms?  
Answer: 10  
NBAR is effective as a tactical tool, to block malicious packets while you
are patching or otherwise establishing defenses against a worm. It does
require some type of match value which is unique to the worm. For example
CODE RED we can use an HTTP match on default.ida. With Blaster, we look for
SQL packets of a specific length.  
  
Question: 9  
Please explain why Blaster causes traceback errors from process IP-EIGRP
Router and how to correct the problem. Thanks.  
Answer: 9  
The Blaster worm does not directly cause traceback errors on Cisco routers
- if you are seeing such errors on routers, please open a case with Cisco
TAC for further investigation and remediation.  
  
Question: 8  
As part of mitigation, is there a way to stop your network from being probed
with applications like Saint or Nessus?  
Answer: 8  
Not entirely. The amount of probing can be controlled but not 100%
eliminated. It depends on how you have your edge device configured. If your
edge device is a router you can set up an Access Control List (ACL) that
only allows access to specific ports on specific servers on your network.
This helps reduce the amount of probing someone attempts against your
servers by providing access only to ports that you have selected.
Unfortunately it does not eliminate probing against those services. If you
then add an IDS sensor behind the router and monitor the traffic coming
through the router you can have the IDS box block traffic that it identifies
as malicious by adding to the ACL in the router.  
  
Question: 7  
Will the worm blast come back after you have solved the problem?  
Answer: 7  
The worm will linger for some time. We recommend the Microsoft patch and
implementing best practices described in the Cisco PSIRT announcement
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801aedd6.shtml.
For additional information please see the SAFE response at
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a00801b2391.shtml.  
  
Question: 6  
When installing a firewall I know that certain ports need to be open and
others closed. Are there some ports in particular that these worms attack
when coming through a firewall? Ports that maybe I can shut down?  
Answer: 6  
Firewalls typically by default are configured to deny all and allow by
exception. However, you should verify that only those ports which need to be
open to external networks are open. Some commonly needed ports are DNS
(UDP/TCP 53), SMTP (TCP 25), and HTTP (TCP 80).
In the case of Blaster, the ports which it relied on were port 135 TCP, port
4444 TCP, and port 69 UDP. In most enterprise environments, there is no need
to open those ports for external access. 
 
  
Question: 5  
Using ACLs to block and count ICMP attempts, can you automatically get count
updates via SNMP instead of "show access-list"?  
Answer: 5  
I am not familiar with any MIBs that support this, but I would rather use
NetFlow to do this.  
  
Question: 4  
Please elaborate on the effectiveness of denying ports 135-139.  
Answer: 4  
The exploit that the worm used required that it be able to connect to the
NetBIOS ports on the target system. These ports are ports 135-139, both TCP
and UDP. By denying access to those ports you effectively prevent the worm
from executing the exploit against a vulnerable target system. This was a
very effective method of preventing the worm from spreading.  
  
Question: 3  
How did the worm virus get through the firewall?  
Answer: 3  
Unfortunately, worms propagate by appearing as normal traffic. For example,
if a FW allows access to a web server via HTTP (TCP port 80), and the worm
appears to be a valid HTTP GET request, then the worm traffic flows through
to the server. This nature of worms requires the use of intrusion detection
products and/or other content inspection engines (such as NBAR) to combat
effectively.  
  
Question: 2  
Is it possible to limit the number of NAT translations per inside global IP
address in IOS? We saw issues with NAT resource exhaustion due to outbound
ICMP caused by the Nachi worm which propagated using the same mechanism as
Blaster.  
Answer: 2  
Yes - the command ip nat translation max-entries allows a limit to be set.
See
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml
for more details. 
Also, the PIX can limit the number of NATted connections - see
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#1032127
for more details. 
 
  
Question: 1  
How do you find and eliminate viruses such as Lovgate?  
Answer: 1  
Antivirus vendors have provided updated signatures for these viruses.
Updating antivirus signatures and performing a file system scan will
identify known virus infections.  
  



END NOTES
==========================================================================
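As an added illustration of two points in the notes above, Q21 (a NAT table shows the ICMP identifier as a "port", not the ICMP type) and Q2 (the volume of outbound ICMP echo requests from Nachi-infected hosts), here is a small ICMP header parser with a per-source echo-request counter. This is editor-added example code, not from the seminar or from Cisco; every address and packet in it is constructed sample data.

```python
import struct
from collections import Counter

ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 8: "echo", 11: "time-exceeded"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the message, zero-padded to even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte ICMP header. 'identifier' is the field a NAT table shows
    as a 'port'; the message type (echo, echo-reply, ...) is a separate byte."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": icmp_type, "name": ICMP_TYPES.get(icmp_type, "other"), "code": code,
            "identifier": ident, "sequence": seq, "payload_len": len(msg) - 8,
            "checksum_ok": icmp_checksum(msg) == 0}  # intact message sums to zero

def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed ICMP message (code 0) with a valid checksum; used only for sample data."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, icmp_checksum(hdr + payload), ident, seq) + payload

def echo_sources_over(packets, threshold: int) -> dict:
    """packets: iterable of (src_ip, icmp_bytes). Count well-formed echo requests
    (type 8) per source; return {src: count} for sources at or above threshold."""
    counts = Counter()
    for src, raw in packets:
        p = parse_icmp(raw)
        if p["type"] == 8 and p["checksum_ok"]:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

def sample_packets() -> list:
    """Constructed sample: 192.0.2.10 repeats echo requests with identifier 1024 (what a
    NAT table would list as 'port 1024'), 192.0.2.20 pings once, 198.51.100.5 sends an
    echo reply, and one echo from 192.0.2.10 arrives corrupted."""
    pkts = [("192.0.2.10", build_icmp(8, 1024, s, b"\xaa" * 32)) for s in range(1, 6)]
    pkts.append(("192.0.2.20", build_icmp(8, 7, 1, b"abc")))
    pkts.append(("198.51.100.5", build_icmp(0, 1024, 1, b"\xaa" * 32)))
    bad = bytearray(build_icmp(8, 1024, 9, b"\xaa" * 32))
    bad[10] ^= 0xFF  # flip a payload byte so the checksum no longer verifies
    pkts.append(("192.0.2.10", bytes(bad)))
    return pkts
```

Running `echo_sources_over(sample_packets(), 5)` reports only 192.0.2.10, the host repeating echo requests; the corrupted packet is not counted because its checksum fails.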
-----Original Message-----
From: Brian R. Watters [mailto:brwatters at abs-internet.com]
Sent: Wednesday, September 03, 2003 4:41 PM
To: cisco-nsp at puck.nether.net
Subject: [nsp] Nachi WORM & ICMP floods of ICMP packets ..
Importance: High


Hello All,

What is everyone out there doing for the effects of the Nachi WORM?? .. We
have many many clients that are infected as well as of course getting HIT
from the world with these floods of ICMP pings .. Attempting to drop these
packets via a policy route map kills the CPU on the router (7206VXF NPE-300
with full Memory) and of course using an ACL to drop ICMP kills our ability
to PING as well as our many clients who have IT staff OFFNET to look into
their networks via PING .. It also kills our internal monitors of our
clients .. Anyone have any ideas? .. We can't be the only folks getting this
.. 


Brian


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/