Network Worm/DoS. System Engineer. Cisco Systems Korea

Transcription

1 Network Worm/DoS System Engineer Cisco Systems Korea

2 Blaster Worm Router Switch Switch Security Service Module Epilogue

3 Blaster Worm Router Switch Switch Security Service Module Epilogue

4 Worm/DoS CERTCC-KR Internet Backbone Access Client TCP135, TCP135,4444 worm TFTP (UDP69) TCP135 port Msblast.exe 2. TCP135 RPC DCOM 3. UDP69 open/tftp Server 4. TCP4444 Worm Download TCP135 port TCP4444 open Msblast.exe Network TCP 135 port scanning Process ATM Backbone Switch Switch CPU TCP 4444 port or UDP 69 port Server Farm

5 Worm/DoS CERTCC-KR Internet Backbone Access Client Windowsupdate.com Syn flooding Attack 1. windowsupdate.com DNS Query 2. IP IP spoofing & DoS attack Msblast.exe 3. DoS TCP Syn flooding Attck DNS Query Network TCP syn flooding Process Server Farm ATM Backbone Switch Switch CPU TCP synflooding ( )IP Server,Network Down..

6 Worm/DoS CERTCC-KR Internet Backbone Access Client Nachi worm TCP 707/UDP 69 ICMP ICMP Nachi worm 1. windowsupdate.com DNS Query 2. ICMP Scanning (92byte) 3. TCP135port 4. TCP 707 port worm upload ICMP DNS Query Network 92Byte ICMP Process Server Farm ATM Backbone Switch Switch CPU Router Process (B class ICMP ), IDS Smurf attack, ICMP Attack

7

8 Blaster Worm Router Switch Switch Security Service Module

9 Network Internet Backbone Access Client Cisco Router 1. Monitoring Netflow 2. Defense Blaster Worm TCP 135/4444,UDP 69 Nachi/Welchia TCP 135/707,UDP 69, ICMP ICMP limit CAR ICMP -PBR,MQC Server Farm

10 Network Internet 1. Netflow Enable Router(config)#ip cef Router(config)#interface fastethernet 0 (Monitoring Interface ) Router(config-if)#ip route-cache flow (Netflow ) 2. Netflow Monitoring Router#show ip cache flow Netflow <Netflow Service Port > Router#show ip cache flow include Router#show ip cache flow include 115C Router#sh ip cac flow inc 0087 Gi0/ Null CB Gi0/ Null CA Gi0/ Null C Gi0/ Null C

11 Network Internet 1. TCP 135, 4444, UDP 69 Inbound Defense 2. access-list 100 deny udp any any eq 69 access-list 100 deny tcp any any eq 135 access-list 100 deny tcp any any eq 4444 access-list 100 permit ip any any interface < interface> ip access-group 100 in ACL Inbound Defense 3. TCP 135 Port Site Blocking. ###TCP 135 port ### DHCP/WINS Managerservice Exchange client/server /Administrator service RPC TCP:135

12 Internet 1. Netflow Enable Router(config)#ip cef Router(config)#interface fastethernet 0 (Monitoring Interface ) Router(config-if)#ip route-cache flow (Netflow ) 2. Netflow Monitoring Router#show ip cache flow Netflow <Netflow Service Port > Router#show ip cache flow include 0000 ICMP Router#show ip cache flow include 02C Router#sh ip cac flow inc Gi0/ Null Gi0/ Null Gi0/ Null Gi0/ Null

13 Internet 1. TCP 135, 707, UDP 69,ICMP Inbound Defense ACL Inbound Defense MS : TCP135,139,445,593,UDP135,137, access-list 100 deny udp any any eq 69 access-list 100 deny tcp any any eq 135 access-list 100 deny tcp any any eq 707 access-list 100 deny icmp any any access-list 100 deny icmp any any echo-reply <MS TCP139,445,593 UDP 135,137,38 > access-list 100 permit ip any any interface < interface> ip access-group 100 in 3. Ethernet Interface ACL ICMP, Network Issue,.

14 Traffic Security..

15 2,3 Port x Queue 4 Queue 3 Http Queue 2 ftp,smtp Queue 1 ERP, etc Network 4 QoS Security tool

16 Internet 1. QoS CAR (Commit Access Rate) Router Inbound Defense ACL Inbound Limit CAR - Limit Traffic ACL ICMP marking ICMP

17 Internet 2. ACL Marking Router(config)#access-list 177 remark "ICMP_limit_marking" Router(config)# access-list 177 permit icmp any any Router(config)# access-list 177 permit icmp any any echo Router(config)# access-list 177 permit icmp any any echo-reply Interface ( Ethernet Interface) Router(config-if)#rate-limit input access-group conform-action transmit exceed-action drop ACL 177 Traffic 8000bps Drop, ICMP packet 8Kbps Drop Normal Maximum burst Size, Limit Monitoring Router#sh interfaces fastethernet 0 rate-limit FastEthernet0 " " Input matches: access-group 177 params: 8000 bps, 8000 limit, 8000 extended limit conformed 599 packets, bytes; action: transmit exceeded 527 packets, bytes; action: drop last packet: 280ms ago, current burst: 7896 bytes last cleared 00:02:22 ago, conformed 8000 bps, exceeded bps

18

19 Limit Limit O.K!! Limit

20 Internet 1. PBR (Policy Base Routing) Router Inbound Defense ACL Inbound Limit PBR Traffic ICMP Cisco Layer 3 Switching!!! Null 0 ACL PBR 92Byte ICMP Logical Interface(Null 0) Drop 92byte ICMP

21 Internet 2. ACL Marking Router(config)#access-list 187 remark "ICMP_PBR_marking" Router(config)# access-list 187 permit icmp any any echo Router(config)# access-list 187 permit icmp any any echo-reply PBR Rule setup Router(config)#route-map worm permit 10 Router(config)#match ip address 187 PBR ACL Router(config)#match length ICMP Packet Ethernet Frame 92Byte Router(config)#set interface Null 0 92Byte ICMP Packet Null 0 Interface Interface Router(config-if)#ip policy route-map worm Monitoring Router#sh route-map worm route-map worm, permit, sequence 10 Match clauses: ip address (access-lists): 187 Set clauses: interface Null0 Policy routing matches: 4165 packets, bytes Policy Null 0 Packet Data

22 64Byte Packet All permit

23 Deny Deny Deny Permit

24 Internet 1. MQC (Modular QoS CLI) Router Inbound Defense ACL Inbound Limit MQC Traffic ICMP Cisco IOS 12.2(13)T!!! ACL MQC 92Byte ICMP 92Byte ICMP drop 92byte ICMP

25 Internet 2. ACL Marking Router(config)#access-list 197 remark "ICMP_MQC_marking" Router(config)# access-list 197 permit icmp any any echo Router(config)# access-list 197 permit icmp any any echo-reply PBR Rule setup Router(config)#class-map match-all class_worm Class Group Router(config-cmap)#match access-group 187 Class ACL Marking Router(config-cmap)#match packet length min 92 max 92 Marking ACL 92Byte Router(config)#policy-map policy_worm Router(config-pmap)#class class_worm Class Router(config-pmap)#drop Class Action Interface Router(config-if)#service-policy input policy_worm Router(config-if)#service-policy output policy_worm Monitoring Router#sh policy-map interface fa 0 FastEthernet0 Service-policy input: policy_worm Class-map: class_worm (match-all) 5 packets, 530 bytes Drop Packet,Data 5 minute offered rate 0 bps, drop rate 0 bps Match: access-group 187 Match: packet length min 92 max 92 drop

26 64Byte Packet All permit

27 Deny Deny Deny Permit

28 Blaster Worm Router Switch Switch Security Service Module Epilogue

29 Internet Backbone Access Client Cisco Cat Monitoring MLS flow 2. Defense Blaster Worm TCP 135/4444,UDP 69 Nachi/Welchia TCP 135/707,UDP 69, ICMP ICMP limit Policing ICMP -PBR Server Farm

30 Backbone Cat OS 1. Mls flow Enable Cat OS : Switch(enable)#set mls flow full Default destionation Native IOS : Switch(config)#mls flow ip full 2. MLS flw Monitoring Cat OS 6500> (enable) sh mls statistics entry ip src-port 135 Last Used Destination IP Source IP Prot DstPrt SrcPrt Stat-Pkts Stat-Bytes TCP TCP TCP TCP TCP TCP > (enable) sh mls statistics entry ip src-port 135 Blaster worm 6500> (enable) sh mls statistics entry ip src-port 4444 Blaster worm 6500> (enable) sh mls statistics entry ip src-port 707 Nachi 6500> (enable) sh mls statistics entry ip protocol icmp Nachi ICMP attack

31 Backbone Native IOS Native IOS CAT6500#sh mls ip statistics inc tcp :3846 :135 0 : tcp :2197 :135 0 : tcp :4470 :135 0 : tcp :2052 :135 0 : tcp :3797 :135 0 : 0. CAT6500#sh mls ip statistics inc 135 CAT6500#sh mls ip statistics inc 4444 CAT6500#sh mls ip statistics inc 707 CAT6500#sh mls ip statistics inc icmp Cat6500#sh mls ip source PC monitoring Displaying Netflow entries in Supervisor Earl DstIP SrcIP Prot:SrcPort:DstPort Src i/f:adjptr Pkts Bytes Age LastSeen Attributes tcp :4816 :135 0 : :13:05 L3 - Dynamic tcp :4613 :135 0 : :12:43 L3 Dynamic....

32 Backbone Router Port RACL RACL, VLAN Traffic Control VLAN A Subnet A VLAN B Subnet B RACL Subnet,VLAN Traffic Control???

33 Backbone Switch(Vlan) VACL VACL Traffic VLAN,Subnet Traffic VLAN A Subnet A VLAN B Subnet B VACL VLAN,Subnet Traffic!!! Worm

34 IDS Distribution worm worm worm Router F.W Backbone Switch Distribution Access Switch worm worm worm Worm.. F.W Flow. IPS/IDS Server Farm or Gateway. Router ACL. Traffic Filtering. Worm Subnet,Vlan filtering Vlan ACL

35 Backbone Vlan ACL Cat OS set security acl ip VACL deny udp any eq 4444 any set security acl ip VACL deny udp any any eq 4444 set security acl ip VACL deny tcp any eq 135 any set security acl ip VACL deny tcp any any eq 135 Blaster Worm config set security acl ip VACL deny tcp any eq 707 any set security acl ip VACL deny tcp any any eq 707 Nachi worm config set security acl ip VACL permit ip any any Worm traffic permit VACL Vlan commit security acl VACL set security acl map VACL < VLAN > VACL clear security acl VACL commit secuirty acl VACL

36 Backbone ACL Native IOS Switch(config)#ip access-list extended worm_block Switch(config)# permit tcp any any 135 Switch(config)# permit tcp any any 139 Switch(config)# permit tcp any any 445 Switch(config)# permit tcp any any 4444 Switch(config)# permit tcp any any 707 Switch(config)# permit udp any any 69 Switch(config)# permit icmp any any echo Switch(config)# permit icmp any any echo-reply ICMP Echo Service network, PBR Vlan AccessMap Switch(config) #vlan access-map worm_vacl 10 Switch(config)#match ip address worm_block ACL Switch(config)#action drop ACL Drop Vlan Interface Switch(config)#vlan filter worm_vacl vlan-list VACL Vlan

37 Backbone MSFC ACL Marking Cat OS Native IOS Router(config)#access-list 187 remark "ICMP_PBR_marking" Router(config)# access-list 187 permit icmp any any echo Router(config)# access-list 187 permit icmp any any echo-reply PBR Rule setup Router(config)#route-map worm permit 10 Router(config)#match ip address 187 PBR ACL Router(config)#match length ICMP Packet Ethernet Frame 92Byte Router(config)#set interface Null 0 92Byte ICMP Packet Null 0 Interface Interface Router(config-if)#ip policy route-map worm Monitoring Router#sh route-map worm route-map worm, permit, sequence 10 Match clauses: ip address (access-lists): 187 Set clauses: interface Null0 Policy routing matches: 4165 packets, bytes Policy Null 0 Packet Data

38 Rate Bucket 1 Bucket 2 erate - Rate Network PFC2 only eburst Burst worm worm Backbone Cat OS Native IOS TCP 135,ICMP echo/echo-reply TCP4444,TCP707,UDP69 TCP 135,ICMP echo/echo-reply TCP4444,TCP707,UDP69 worm worm

39 Backbone Native IOS mls qos mls QoS enable Access-list 113 permit icmp any any echo Access-list 113 permit icmp any any echo-reply icmp attack marking Access-list 111 permit tcp any any eq 135 Access-list 111 permit tcp any any eq 4444 Access-list 111 permit tcp any any eq 707 Access-list 111 permit udp any any eq 69 Blaster worm,nachi worm marking Access-list 112 permit tcp any any syn 8 15 syn flooding attack marking Class-map class-map match-all icmp_attack match access-group 113 class-map match-all Blaster_0815_attack match access-group 112 class-map match-all Blaster_Nachi match access-group 111 Class ACL

40 Backbone Native IOS policy-map QoS class icmp_attack police conform-action transmit exceed-action drop violate-action drop class Blaster_0815_attack police conform-action transmit exceed-action drop violate-action drop class Blaster_Nachi police conform-action transmit exceed-action drop violate-action drop Class 32Kbps Drop Monitoring Cat6500#sh policy-map interface gigabitethernet 2/1 GigabitEthernet2/1 service-policy input: QoS class-map: attack (match-all) 0 packets 5 minute offered rate 0 pps match: access-group 113 police : bps 1000 limit 1000 extended limit aggregate-forwarded 0 packets action: transmit exceeded 44 packets action: drop aggregate-forward 345 pps exceed 40 pps

41 Backbone set qos enable QoS Cat OS Policer set qos policer aggregate policer_worm rate 32 policed-dscp erate 32 drop burst 4 eburst 4 32Kbps worm ACL Drop QoS ACL Marking set qos acl ip worm dscp 8 aggregate policer_worm tcp any any eq 135 set qos acl ip worm dscp 8 aggregate policer_worm tcp any any eq 4444 set qos acl ip worm dscp 8 aggregate policer_worm tcp any any eq 707 set qos acl ip worm dscp 8 aggregate policer_worm udp any any eq 69 set qos acl ip worm dscp 8 aggregate policer_worm icmp any any echo set qos acl ip worm dscp 8 aggregate policer_worm icmp any any echo-reply Blaster worm, Nachi worm,icmp Attack

42 Backbone Cat OS / commit qos acl worm QoS ACL set qos acl map worm 100 Vlan or Interface Clear qos acl worm Commit qos acl worm QoS Monitoring Cat6500> (enable) sh qos statistics aggregate-policer policer_worm QoS aggregate-policer statistics: Aggregate policer Allowed packet Packets exceed Packets exceed count normal rate excess rate policer_worm QoS Drop packet monitoring

43 Internet Backbone Access Client Cisco Switch Defense Blaster Worm TCP 135/4444,UDP 69 Nachi/Welchia TCP 135/707,UDP 69, ICMP ICMP limit Policing ICMP -PBR Server Farm

44 Access ACL Switch(config)#ip access-list extended worm_block Switch(config)# permit tcp any any 135 Switch(config)# permit tcp any any 139 Switch(config)# permit tcp any any 445 Switch(config)# permit tcp any any 4444 Switch(config)# permit tcp any any 707 Switch(config)# permit udp any any 69 Switch(config)# permit icmp any any echo Switch(config)# permit icmp any any echo-reply ICMP Echo Service network, PBR Vlan AccessMap Switch(config) #vlan access-map worm_vacl 10 Switch(config)#match ip address worm_block ACL Switch(config)#action drop ACL Drop Vlan Interface Switch(config)#vlan filter worm_vacl vlan-list VACL Vlan Catalyst 4500/ / ACL

45 Access ACL Marking Router(config)#access-list 187 remark "ICMP_PBR_marking" Router(config)# access-list 187 permit icmp any any echo Router(config)# access-list 187 permit icmp any any echo-reply PBR Rule setup Router(config)#route-map worm permit 10 Router(config)#match ip address 187 PBR ACL Router(config)#match length ICMP Packet Ethernet Frame 92Byte Router(config)#set interface Null 0 92Byte ICMP Packet Null 0 Interface Interface Router(config-if)#ip policy route-map worm Monitoring Router#sh route-map worm route-map worm, permit, sequence 10 Match clauses: ip address (access-lists): 187 Set clauses: interface Null0 Policy routing matches: 4165 packets, bytes Policy Null 0 Packet Data

46 Access QoS mls qos map policed-dscp 48 to 16 mls qos 4500 qos ACL access-list 199 permit icmp any any echo Access-list 199 permit icmp any any echo-reply icmp attack ACL Access-list 198 permit tcp any any syn syn flooding attack ACL Access-list 197 permit tcp any any eq 135 Access-list 197 permit tcp any any eq 4444 Access-list 197 permit tcp any any eq 707 Access-list 197 permit udp any any eq 69 Blaster,Nachi worm attack ACL Catalyst 4500/ /3550/2950 Class Group class-map match-all icmp_attack match access-group 199 Class-map match-all syn_attck match access-group 198 Class-map access-group worm match access-group 197

47 Access Policy ( ) policy-map p_worm class icmp_attack set ip precedence 6 police exceed-action drop class syn_attack set ip precedence 5 police exceed-action drop class worm set ip precedence 4 police exceed-action drop icmp_attack,syn_attack,worm traffic 8Kbps Drop interface interface GigabitEthernet0/10 switchport access vlan 100 switchport mode access no ip address load-interval 30 mls qos monitor dscp mls qos monitor packets service-policy input p_worm

48 Access Monitoring sh mls qos interface gigabitethernet 0/10 statistics GigabitEthernet0/10 Ingress dscp: incoming no_change classified policed dropped (in bytes) 8 : : : : : : Others: DSCP Marking Traffic Drop.

49 Blaster Worm Router Switch Switch Security Service Module Epilogue

50 Network Router Core Switch

51 Network Router L4switch L2switch L2switch L4switch Core Switch

52 Network Router Core Switch Router L4switch L2switch L2switch L4switch Core Switch F/W F/W

53 FWSM Performance PIX 6.0 base Feature Set (some feature of 6.2 ) High Performance Firewall, targeted OC48 or 5GB (aggregated) Concurrent connections : 1M 3 Million pps 100K new connections/sec for HTTP, DNS and enhanced SMTP 100 VLAN LAN failover active/standby Dynamic Routing I.e. OSPF multiple blades 128K Rule Set No IDS Signatures Supported on Native IOS and CatOS ( IOS12.1(13)E / Cat OS 7.5(1)) Classic 32G bus/fabric 256G bus

54 Network New IDSM-2 600Mbps 5000 cps( TCP ) 500,000 VLAN 32Gb bus/ Fabric Switch monitoring Passive Monitoring Transparent Operation IDSM IDS Device Manager IDSM IDS Event Viewer Feature Parity with IDS Appliances Cat OS 7.5(1)/IOS 12.1(19)E Catalyst 7600/6500 IDSM II

55 3 Shunning / reset / rate-limit 2 1

56 Catalyst Service Module을 통한 Monitoring/Defense IDSM shuning u h S g n i n ACL 자동 추가 Router VACL 자동 추가 Shuning Sh un ing Cat 6500 Cisco 7600 Inside Host 자동 차단 PIX Series Network 장비를 통한 Worm/DoS 공격 방어 전략

57 Shuning IDMS ICMP Attack configuration set security acl ip IDS_160_0 permit arp set security acl ip IDS_160_0 permit ip host any set security acl ip IDS_160_0 deny ip host any set security acl ip IDS_160_0 deny ip host any set security acl ip IDS_160_0 deny ip host any set security acl ip IDS_160_0 deny ip host any set security acl ip IDS_160_0 deny ip host any set security acl ip IDS_160_0 deny ip host any set security acl ip IDS_160_0 deny ip host any set security acl ip IDS_160_0 deny ip host any set security acl ip IDS_160_0 deny ip host any set security acl ip IDS_160_0 deny ip host any set security acl ip IDS_160_0 deny ip host any set security acl ip IDS_160_0 deny ip host any..

58 NAM-2 Performance Classic 32Gbps Bus/ 256Gbps Fabric 1Gb RAM 128Mb capture buffer Application Monitoring Performance Management Troubleshooting Trend Analysis Capacity planning VOIP Monitoring QoS and DSCP monitoring MIB II RFC1213 RMON (RFC2819) All groups RMON2 (RFC2021) All groups S(swtich)MON (RFC2613) DSMON ART MIB/ HCRMON NAM SW v3.1(catos 7.3(1)/IOS 12.1(13)E support)

59 Network Enhanced SNMP HTTP/S ngenius Real Time Monitor or 3rd party applications (aggregation of multiple NAMs) NAM Blade NAM Integrated Traffic Analyzer (easy to deploy and use) Layer 2 Mini-RMON Per Port Catalyst 6000/6500 NEW Cisco 7600 Flexible data sources: SPAN (detailed) Netflow (broad) VACL (specific) Enhanced Layer 3-7 RMON I,II HCRMON SMON DSMON ART Voice Analysis

60 NAM Embedded Traffic Analyzer Cisco Catalyst Switch Mini RMON Mini RMON SPAN Source FTP HTTP Multicast NetFlow Records NetFlow FTP Multicast FTP BPDU Multicast HTTP Cisco Router FTP

61

62

63

64

65 Blaster Worm Router Switch Switch Security Service Module Epilogue

66 CERT team. Server,Network, PC manager.. Security Design End to End..

67 If you have any questions,,,,, mailto: