[c-nsp] PIX-virus-DoS-connection problem

Church, Chuck cchurch at netcogov.com
Thu Nov 11 16:05:36 EST 2004


It sounds more and more like a bug.  It wouldn't make any sense for the PIX to create a connection or an xlate if it's going to drop it because of RPF.  The 525 should be able to handle thousands of connections per second.  Try 6.3.4, if your CCO access allows you to get it.  If not, remove the verify statements and use an access list on the inside instead to block spoofed sources.


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D


-----Original Message-----
From: Marcelo Maraboli [mailto:marcelo.maraboli at usm.cl] 
Sent: Thursday, November 11, 2004 3:18 PM
To: Church, Chuck
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX-virus-DoS-connection problem

Chuck

I'm deeply sorry, maybe I did not explain myself properly...

it's 48 IP spoofed packets per second, each with a different
IP spoofed source...

so, PIX thinks they are 48 new connections per second. It recognizes
that they are spoofed, so they are discarded, but the connection
counter goes "berserk!"

maybe it is a bug... if so, is the upgrade to 6.3 still paid for?
(or free of charge like 3550-L3)

regards,

Church, Chuck wrote:
> 48 pps is a pretty non-demanding DOS.  It wouldn't bring even a 2501 to
> its knees.  Sounds more like a bug than anything else.  Maybe try 6.3.3
> or 6.3.4?  I've had good luck with both at various locations.
> 
> 
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 703-819-3495
> cchurch at netcogov.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marcelo Maraboli
> Sent: Thursday, November 11, 2004 2:21 PM
> To: Cheung, Rick
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX-virus-DoS-connection problem
> 
> Rick
> 
> The anti-spoof feature is not through ACLs, but an Internal PIX
> feature in 6.2(2):
> 
> ip verify reverse-path interface outside
> ip verify reverse-path interface inside
> 
> and yes, I do have turbo-acl activated.
> 
> regards,
> 
> Cheung, Rick wrote:
> 
>>        Do you have TurboACL configured for the anti-spoof ACLs you 
>>mentioned?
>>
>>        That should help cap CPU consumption.
>>
>>
>>
>>Rick Cheung
>>
>>-----Original Message-----
>>From: Marcelo Maraboli [mailto:marcelo.maraboli at usm.cl]
>>Sent: Thursday, November 11, 2004 11:02 AM
>>To: cisco-nsp at puck.nether.net
>>Subject: [c-nsp] PIX-virus-DoS-connection problem
>>
>>
>>Hello Admins
>>
>>We have 2 525 PIX in failover mode with an unexpected behavior.
>>
>>Yesterday, a virus/worm (probably a Kazaa worm) infected one of
>>our PCs and started to generate 48 IP spoofed packets per second to
>>a list of destinations (I suppose other Kazaa members).
>>
>>Since our PIX is configured to drop Spoofed IP packets on the
>>Inside and Outside interfaces, the CPU went up to 92% and the
>>number of "active connections" was increasing at a linear rate.
>>
>>Even though this traffic did not reach the border router, these
>>packets were indeed dropped by the PIX, but the number of connections
>>and CPU were NOT NORMAL.
>>
>>After we unplugged the infected PC, the PIX CPU went back to
>>normal, but the number of active connections (reported by SNMP)
>>still was rising. I waited more than 1 hour (default idle connection
>>timeout) and still nothing...
>>
>>I have this graphed at:
>>http://elqui.dcsc.utfsm.cl/tmp/Cisco%20PIX%20525%20Primary-Active.htm
>>
>>we are using PIX version 6.2(2). Using PDM I graphed the CPU
>>and number of connections at:
>>
>>http://elqui.dcsc.utfsm.cl/tmp/conn.jpg
>>http://elqui.dcsc.utfsm.cl/tmp/cpu.jpg
>>
>>Is this a PIX malfunction that does not reset the SNMP
>>connection counters? (since the PDM graph differs)
>>
>>anyone else experienced this ?
>>
>>thanks,
>>-- 
>>Marcelo Maraboli Rosselott
>>Jefe Area de Redes y Comunicaciones (Network & UNIX Systems Engineer)
>>Ingeniero Civil Electronico                     (Electronic Engineer)
>>
>>Direccion Central de Servicios Computacionales (DCSC)
>>Universidad Tecnica Federico Santa Maria, Chile.
>>phone: +56 32 654237
>>mailto: marcelo.maraboli @ usm.cl       http://elqui.dcsc.utfsm.cl/

-- 
Marcelo Maraboli Rosselott
Jefe Area de Redes y Comunicaciones (Network & UNIX Systems Engineer)
Ingeniero Civil Electronico                     (Electronic Engineer)

Direccion Central de Servicios Computacionales (DCSC)
Universidad Tecnica Federico Santa Maria, Chile.
phone: +56 32 654237
mailto: marcelo.maraboli @ usm.cl	http://elqui.dcsc.utfsm.cl/
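
For reference, the two anti-spoofing approaches discussed in this thread side by side, written out as an added example (PIX 6.x CLI syntax). This is not the poster's actual configuration and not code from the thread; the interface names, the access-list name "inside_in" and the inside prefix 10.1.0.0/16 are assumptions, and the syslog IDs and show commands are the ones documented for PIX 6.x.

```text
! --- What the original poster is running: unicast RPF on both interfaces ---
ip verify reverse-path interface outside
ip verify reverse-path interface inside

! Counters to compare while the spoofing host is active and again after it
! is unplugged (the thread's symptom is a connection count that keeps rising
! even though every spoofed packet is logged as dropped, syslog 106021):
!   show ip verify statistics   -> per-interface reverse-path drops
!   show conn count             -> should stop climbing once the source is gone
!   show xlate count            -> spoofed sources should not leave xlates behind
!   show cpu usage
!   clear xlate                 -> flushes stale entries, but drops live sessions too

! --- Alternative suggested above: block spoofed sources with an inside ACL ---
! Only the real inside prefix may appear as a source on the inside interface;
! anything else is logged (syslog 106023) and dropped by the ACL before a
! connection or xlate is considered for it.
no ip verify reverse-path interface inside
access-list inside_in permit ip 10.1.0.0 255.255.0.0 any
access-list inside_in deny ip any any log
access-group inside_in in interface inside
```

Note that applying an inbound access-group on the inside interface replaces the PIX's default "permit all outbound" behaviour, so the first permit line must cover every legitimate inside source; with turbo ACL compiled, the ACL lookup is a fixed cost regardless of how many spoofed sources the worm cycles through.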


