[c-nsp] PIX-virus-DoS-connection problem
Marcelo Maraboli
marcelo.maraboli at usm.cl
Thu Nov 11 15:17:31 EST 2004
Chuck
I'm deeply sorry, maybe I did not explain myself properly...
it's 48 IP-spoofed packets per second, each with a different
spoofed source IP...
so, PIX thinks they are 48 new connections per second. It recognizes
that they are spoofed, so they are discarded, but the connection
counter goes "berserk!"
maybe it is a bug.... if so, is the upgrade to 6.3 still paid for?
(or free of charge like 3550-L3)
regards,
Church, Chuck wrote:
> 48 pps is a pretty non-demanding DoS. It wouldn't bring even a 2501 to
> its knees. Sounds more like a bug than anything else. Maybe try 6.3.3
> or 6.3.4? I've had good luck with both at various locations.
>
>
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 703-819-3495
> cchurch at netcogov.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marcelo Maraboli
> Sent: Thursday, November 11, 2004 2:21 PM
> To: Cheung, Rick
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX-virus-DoS-connection problem
>
> Rick
>
> The anti-spoof feature is not through ACLs, but an Internal PIX
> feature in 6.2(2):
>
> ip verify reverse-path interface outside
> ip verify reverse-path interface inside
>
> and yes, I do have turbo-acl activated.
>
> regards,
>
> Cheung, Rick wrote:
>
>> Do you have TurboACL configured for the anti-spoof ACLs you
>> mentioned?
>>
>> That should help cap CPU consumption.
>>
>>
>>
>> Rick Cheung
>>
>> -----Original Message-----
>> From: Marcelo Maraboli [mailto:marcelo.maraboli at usm.cl]
>> Sent: Thursday, November 11, 2004 11:02 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] PIX-virus-DoS-connection problem
>>
>>
>> Hello Admins
>>
>> We have two PIX 525s in failover mode with an unexpected behavior.
>>
>> Yesterday, a virus/worm (probably a Kazaa worm) infected one of
>> our PCs and started to generate 48 IP-spoofed packets per second to
>> a list of destinations (I suppose other Kazaa members).
>>
>> Since our PIX is configured to drop spoofed IP packets on the
>> Inside and Outside interfaces, the CPU went up to 92% and the
>> number of "active connections" was increasing at a linear rate.
>>
>> Even though this traffic did not reach the border router, these
>> packets were indeed dropped by the PIX, but the number of connections
>> and CPU were NOT NORMAL.
>>
>> After we unplugged the infected PC, the PIX CPU went back to
>> normal, but the number of active connections (reported by SNMP)
>> was still rising. I waited more than 1 hour (default idle connection
>> timeout) and still nothing...
>>
>> I have this graphed at:
>> http://elqui.dcsc.utfsm.cl/tmp/Cisco%20PIX%20525%20Primary-Active.htm
>>
>> We are using PIX version 6.2(2). Using PDM I graphed the CPU
>> and number of connections at:
>>
>> http://elqui.dcsc.utfsm.cl/tmp/conn.jpg
>> http://elqui.dcsc.utfsm.cl/tmp/cpu.jpg
>>
>> Is this a PIX malfunction that does not reset the SNMP
>> connection counters?? (since the PDM graph differs)
>>
>> Has anyone else experienced this?
>>
>> thanks,
>> --
>> Marcelo Maraboli Rosselott
>> Jefe Area de Redes y Comunicaciones (Network & UNIX Systems Engineer)
>> Ingeniero Civil Electronico (Electronic Engineer)
>>
>> Direccion Central de Servicios Computacionales (DCSC)
>> Universidad Tecnica Federico Santa Maria, Chile.
>> phone: +56 32 654237
>> mailto: marcelo.maraboli @ usm.cl http://elqui.dcsc.utfsm.cl/
--
Marcelo Maraboli Rosselott
Jefe Area de Redes y Comunicaciones (Network & UNIX Systems Engineer)
Ingeniero Civil Electronico (Electronic Engineer)
Direccion Central de Servicios Computacionales (DCSC)
Universidad Tecnica Federico Santa Maria, Chile.
phone: +56 32 654237
mailto: marcelo.maraboli @ usm.cl http://elqui.dcsc.utfsm.cl/
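The thread describes two things worth separating: what a reverse-path check should do with spoofed packets (drop them before any connection state exists), and the symptom Marcelo reports (a connection counter that keeps rising and never drains after the one-hour idle timeout once the infected host is unplugged). The following Python is an added example, not code from the thread or from Cisco: it models a two-interface firewall with `ip verify reverse-path` semantics and an idle-timeout connection table, replays constructed traffic matching the description (48 packets per second, each with a different spoofed source, for one minute), and adds a small detector that flags the "stuck counter" pattern in constructed SNMP poll samples. The addressing (10.0.0.0/8 inside, 100.64.0.0 as the spoofed range, 192.0.2.1 as destination), the sample values and the function names are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed routing table for a two-interface firewall. Addressing is
# hypothetical (not from the thread): inside owns 10.0.0.0/8, outside is default.
ROUTES = {
    "inside": [ipaddress.ip_network("10.0.0.0/8")],
    "outside": [ipaddress.ip_network("0.0.0.0/0")],
}


def rpf_interface(src_ip, routes=ROUTES):
    """Longest-match lookup of src_ip: the interface a reply to it would use.
    Unicast RPF accepts a packet only if it arrived on that interface."""
    addr = ipaddress.ip_address(src_ip)
    best_iface, best_len = None, -1
    for iface, nets in routes.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best_iface, best_len = iface, net.prefixlen
    return best_iface


def rpf_check(src_ip, ingress_iface, routes=ROUTES):
    """Model of 'ip verify reverse-path interface <ingress_iface>'."""
    return rpf_interface(src_ip, routes) == ingress_iface


@dataclass
class ConnTable:
    """Minimal stateful connection table: RPF failures are dropped before any
    state is created, and idle entries age out after idle_timeout seconds."""
    idle_timeout: float = 3600.0               # one hour, the default the thread cites
    conns: dict = field(default_factory=dict)  # 5-tuple -> last-seen time
    rpf_drops: int = 0

    def observe(self, now, ingress, proto, src, sport, dst, dport):
        if not rpf_check(src, ingress):
            self.rpf_drops += 1                # spoofed packet: counted, no state created
            return False
        self.expire(now)
        self.conns[(proto, src, sport, dst, dport)] = now
        return True

    def expire(self, now):
        stale = [k for k, seen in self.conns.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.conns[k]

    def active(self):
        return len(self.conns)


def simulate_worm(table, seconds=60, pps=48):
    """Constructed traffic matching the thread: an inside host sends pps
    packets/s, each with a different spoofed source that is not part of the
    inside network. Returns (active conns, RPF drops)."""
    base = int(ipaddress.ip_address("100.64.0.0"))  # constructed spoofed-source range
    n = 0
    for t in range(seconds):
        for i in range(pps):
            spoofed = str(ipaddress.ip_address(base + n))
            table.observe(t + i / pps, "inside", "udp", spoofed, 1214, "192.0.2.1", 1214)
            n += 1
    return table.active(), table.rpf_drops


def stuck_counter_windows(samples, idle_timeout=3600.0):
    """samples: (seconds, active conns, new conns/s), e.g. polled over SNMP.
    Returns start times of windows longer than idle_timeout during which no new
    connections were created yet the active count never decreased: the symptom
    in the thread (the table should drain once the traffic stops)."""
    flagged, start, prev_active = [], None, None
    for t, active, new_rate in samples:
        quiet = new_rate == 0 and (prev_active is None or active >= prev_active)
        if not quiet:
            start = None
        elif start is None:
            start = t
        if start is not None and t - start > idle_timeout and start not in flagged:
            flagged.append(start)
        prev_active = active
    return flagged


# Constructed SNMP polls: traffic stops at t=900 but the count never drains.
STUCK_SAMPLES = [(0, 10, 48), (300, 14410, 48), (600, 28810, 48),
                 (900, 28810, 0), (1800, 28810, 0), (2700, 28810, 0),
                 (3600, 28810, 0), (4500, 28810, 0), (5400, 28900, 0)]
# Healthy counterpart: the table drains within the idle timeout.
HEALTHY_SAMPLES = STUCK_SAMPLES[:7] + [(4500, 0, 0), (5400, 0, 0)]

if __name__ == "__main__":
    table = ConnTable()
    print("worm: active=%d rpf_drops=%d" % simulate_worm(table))
    print("stuck windows:", stuck_counter_windows(STUCK_SAMPLES))
    print("healthy windows:", stuck_counter_windows(HEALTHY_SAMPLES))
```

Run stand-alone, the worm replay ends with 2880 RPF drops and zero active connections, which is the behaviour one expects from a reverse-path drop: the packet never reaches the part of the pipeline that allocates a connection entry. The detector is the check a monitoring system can apply to the SNMP series Marcelo graphed; a quiet window that outlasts the configured idle timeout without the count ever falling is the signal to compare the SNMP value against `show conn` and treat a persistent mismatch as a platform defect rather than as live traffic.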