[c-nsp] PIX-virus-DoS-connection problem

Church, Chuck cchurch at netcogov.com
Thu Nov 11 14:38:18 EST 2004


48 pps is a pretty non-demanding DoS.  It wouldn't bring even a 2501 to
its knees.  Sounds more like a bug than anything else.  Maybe try 6.3.3
or 6.3.4?  I've had good luck with both at various locations.


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marcelo Maraboli
Sent: Thursday, November 11, 2004 2:21 PM
To: Cheung, Rick
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX-virus-DoS-connection problem

Rick

The anti-spoof feature is not through ACLs, but an Internal PIX
feature in 6.2(2):

ip verify reverse-path interface outside
ip verify reverse-path interface inside

and yes, I do have turbo-acl activated.

regards,

Cheung, Rick wrote:
>         Do you have TurboACL configured for the anti-spoof ACLs you 
> mentioned?
> 
>         That should help cap CPU consumption.
> 
> 
> 
> Rick Cheung
> 
> -----Original Message-----
> From: Marcelo Maraboli [mailto:marcelo.maraboli at usm.cl]
> Sent: Thursday, November 11, 2004 11:02 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIX-virus-DoS-connection problem
> 
> 
> Hello Admins
> 
> We have two PIX 525s in failover mode with an unexpected behavior.
> 
> Yesterday, a virus/worm (probably a Kazaa worm) infected one of
> our PCs and started to generate 48 IP-spoofed packets per second to
> a list of destinations (I suppose other Kazaa members).
> 
> Since our PIX is configured to drop Spoofed IP packets on the
> Inside and Outside interfaces, the CPU went up to 92% and the
> number of "active connections" was increasing at a linear rate.
> 
> Even though this traffic did not reach the border router, these
> packets were indeed dropped by the PIX, but the number of connections
> and CPU were NOT NORMAL.
> 
> After we unplugged the infected PC, the PIX CPU went back to
> normal, but the number of active connections (reported by SNMP)
> was still rising. I waited more than 1 hour (default idle connection
> timeout) and still nothing...
> 
> I have this graphed at:
> http://elqui.dcsc.utfsm.cl/tmp/Cisco%20PIX%20525%20Primary-Active.htm
> 
> We are using PIX version 6.2(2). Using PDM I graphed the CPU
> and number of connections at:
> 
> http://elqui.dcsc.utfsm.cl/tmp/conn.jpg
> http://elqui.dcsc.utfsm.cl/tmp/cpu.jpg
> 
> Is this a PIX malfunction, where it does not reset the SNMP
> connection counters?? (since the PDM graph differs)
> 
> Has anyone else experienced this?
> 
> thanks,
> -- 
> Marcelo Maraboli Rosselott
> Jefe Area de Redes y Comunicaciones (Network & UNIX Systems Engineer)
> Ingeniero Civil Electronico                     (Electronic Engineer)
> 
> Direccion Central de Servicios Computacionales (DCSC)
> Universidad Tecnica Federico Santa Maria, Chile.
> phone: +56 32 654237
> mailto: marcelo.maraboli @ usm.cl       http://elqui.dcsc.utfsm.cl/
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

-- 
Marcelo Maraboli Rosselott
Jefe Area de Redes y Comunicaciones (Network & UNIX Systems Engineer)
Ingeniero Civil Electronico                     (Electronic Engineer)

Direccion Central de Servicios Computacionales (DCSC)
Universidad Tecnica Federico Santa Maria, Chile.
phone: +56 32 654237
mailto: marcelo.maraboli @ usm.cl	http://elqui.dcsc.utfsm.cl/
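The symptom Marcelo describes, a connection count that keeps climbing after the spoofed traffic has stopped and past the 1-hour idle timeout, can be checked mechanically from SNMP polls plus the firewall's syslog. The following is an added example, not code from any of the posters: it parses reverse-path-check deny lines (the %PIX-1-106021 wording is assumed, and the syslog lines and poll series are constructed) and flags a counter that has not returned toward baseline once an idle timeout has elapsed since the last deny.

```python
import re
from datetime import datetime, timedelta

IDLE_TIMEOUT_S = 3600  # PIX default connection idle timeout (1 hour), as cited in the thread

# Constructed syslog lines in the shape of the PIX reverse-path-check deny
# (%PIX-1-106021). Exact wording is assumed; verify against your own logs.
SAMPLE_SYSLOG = """\
Nov 11 09:00:00 fw %PIX-1-106021: Deny UDP reverse path check from 1.2.3.4 to 5.6.7.8 on interface inside
Nov 11 09:15:00 fw %PIX-1-106021: Deny UDP reverse path check from 9.9.9.9 to 5.6.7.9 on interface inside
Nov 11 09:29:59 fw %PIX-1-106021: Deny UDP reverse path check from 8.8.4.4 to 5.6.7.10 on interface inside
"""
RPF_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*reverse path check .* on interface (\w+)")

def parse_rpf_denies(text, year=2004):
    """Return (timestamp, interface) for each reverse-path deny in the syslog text."""
    denies = []
    for line in text.splitlines():
        m = RPF_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            denies.append((ts, m.group(2)))
    return denies

def counter_stuck(polls, last_deny, baseline, idle_timeout_s=IDLE_TIMEOUT_S, slack=0.10):
    """True if the SNMP active-connection count is still more than `slack` above
    its pre-event baseline after one idle timeout has elapsed since the last
    spoofed packet was dropped: connections built by the burst should have aged out."""
    deadline = last_deny + timedelta(seconds=idle_timeout_s)
    late = [conns for t, conns in polls if t >= deadline]
    if not late:
        return False  # idle timeout has not elapsed yet; too early to judge
    return min(late) > baseline * (1 + slack)

def make_polls(start, step_s, values):
    """Constructed SNMP poll series: one (timestamp, count) per value."""
    return [(start + timedelta(seconds=i * step_s), v) for i, v in enumerate(values)]

START = datetime(2004, 11, 11, 8, 30)
# Polls every 10 minutes, 08:30-11:30. Burst runs 09:00-09:30; the count climbs
# during the burst and never comes back down (the case in the thread).
STUCK_POLLS = make_polls(START, 600, [500, 500, 500, 5500, 10500, 15500, 15600, 15700,
                                     15800, 15900, 16000, 16100, 16200, 16300, 16400, 16500, 16600, 16700, 16800])
# Same burst, but the connections age out once the idle timeout has passed.
HEALTHY_POLLS = make_polls(START, 600, [500, 500, 500, 5500, 10500, 15500, 15500, 15400,
                                       15300, 15200, 15100, 14000, 600, 520, 510, 500, 500, 500, 500])

if __name__ == "__main__":
    last_deny = max(ts for ts, _ in parse_rpf_denies(SAMPLE_SYSLOG))
    print(counter_stuck(STUCK_POLLS, last_deny, 500), counter_stuck(HEALTHY_POLLS, last_deny, 500))
```

A result of `True` on a real series means the connection table is not expiring entries as configured, which is the point at which comparing the SNMP counter against `show conn count` on the box itself, as Marcelo did via PDM, tells you whether the counter or the table is wrong.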