Worm/DoS Attack Defense Strategy Using Network Equipment (whchoi@cisco.com), System Engineer, Cisco Systems Korea
Agenda
  1. Blaster Worm
  2. Router
  3. Switch
  4. Switch Security Service Module
  5. Epilogue
1. Blaster Worm
Blaster worm: infection and propagation (source: CERTCC-KR)
  Topology: Internet - Backbone - Access - Client
  1. An infected client scans for victims on TCP 135; the worm binary is Msblast.exe and the transfer uses TCP 4444 and TFTP (UDP 69).
  2. The RPC DCOM service listening on TCP 135 is exploited.
  3. The attacking host has a TFTP server open on UDP 69.
  4. The victim opens a shell on TCP 4444, is told to download Msblast.exe from the TFTP server, and then starts scanning TCP 135 itself.
  Network impact: the TCP 135 port scanning is process-switched on the ATM backbone switch and loads the switch CPU; TCP 4444 and UDP 69 traffic reaches the server farm.
Blaster worm: SYN flooding attack against windowsupdate.com (source: CERTCC-KR)
  1. The infected host (Msblast.exe) sends a DNS query for windowsupdate.com.
  2. It attacks the resolved IP address using IP spoofing (DoS attack).
  3. The DoS takes the form of a TCP SYN flooding attack.
  Network impact: the SYN flood is process-switched on the ATM backbone switch and the switch CPU; because the source IPs are spoofed, servers and the network go down.
Nachi worm: TCP 707 / UDP 69 / ICMP (source: CERTCC-KR)
  1. DNS query for windowsupdate.com.
  2. ICMP scanning with 92-byte ICMP echo packets.
  3. Exploit attempt on TCP 135.
  4. Worm upload over TCP 707.
  Network impact: the 92-byte ICMP sweep is process-switched on the ATM backbone switch, the switch CPU and the router (ICMP echoes across whole class B ranges); the IDS reports it as a Smurf attack / ICMP attack.
2. Router
Router: monitoring and defense (Internet - Backbone - Access - Client, Cisco Router)
  1. Monitoring: NetFlow
  2. Defense:
     Blaster worm: TCP 135/4444, UDP 69
     Nachi/Welchia: TCP 135/707, UDP 69, ICMP
     ICMP rate limiting: CAR
     ICMP drop: PBR, MQC
Router: NetFlow monitoring for Blaster
  1. Enable NetFlow
     Router(config)#ip cef
     Router(config)#interface fastethernet 0        (the monitoring interface)
     Router(config-if)#ip route-cache flow          (enable NetFlow on the interface)
  2. NetFlow monitoring
     Router#show ip cache flow
     NetFlow prints service ports in hexadecimal, not decimal:
     Router#show ip cache flow | include 0087       (0x0087 = TCP 135)
     Router#show ip cache flow | include 115C       (0x115C = TCP 4444)
  3. Example output (columns: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts)
     Router#sh ip cac flow | inc 0087
     Gi0/0  192.168.8.177  Null  192.170.40.10  06 07CB 0087  1
     Gi0/0  192.168.8.177  Null  192.170.40.9   06 07CA 0087  1
     Gi0/0  192.168.8.177  Null  192.170.40.8   06 07C9 0087  1
     Gi0/0  192.168.8.177  Null  192.170.40.7   06 07C8 0087  1
     One source (192.168.8.177) opening one-packet TCP 135 flows to consecutive destinations is a scanning host.
Router: ACL inbound defense for Blaster
  1. Block TCP 135, TCP 4444 and UDP 69 inbound.
  2. Configuration
     access-list 100 deny udp any any eq 69
     access-list 100 deny tcp any any eq 135
     access-list 100 deny tcp any any eq 4444
     access-list 100 permit ip any any
     interface <interface>
      ip access-group 100 in                        (ACL inbound defense)
  3. Caution when blocking TCP 135 site-wide: TCP 135 is the RPC endpoint, used by the DHCP/WINS Manager service, Exchange client/server communication and administrator services, so those break as well.
Router: NetFlow monitoring for Nachi
  1. Enable NetFlow
     Router(config)#ip cef
     Router(config)#interface fastethernet 0        (the monitoring interface)
     Router(config-if)#ip route-cache flow          (enable NetFlow on the interface)
  2. NetFlow monitoring
     Router#show ip cache flow
     NetFlow prints service ports in hexadecimal, not decimal:
     Router#show ip cache flow | include 0000       (ICMP: SrcP is 0000, DstP holds type/code, 0800 = echo request)
     Router#show ip cache flow | include 02C3       (0x02C3 = TCP 707)
  3. Example output (Pr 01 = ICMP)
     Router#sh ip cac flow | inc 0000 0800
     Gi0/0  192.168.8.177  Null  192.170.40.10  01 0000 0800  1
     Gi0/0  192.168.8.177  Null  192.170.40.9   01 0000 0800  1
     Gi0/0  192.168.8.177  Null  192.170.40.8   01 0000 0800  1
     Gi0/0  192.168.8.177  Null  192.170.40.7   01 0000 0800  1
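As an added example that is not part of the original slides, the following Python script applies the detection idea of the two NetFlow slides (Blaster on TCP 135/4444, Nachi on TCP 707 and ICMP echo) to `show ip cache flow` output: it flags sources that open many one-packet flows to distinct destinations on a worm port. The flow rows are constructed sample data modelled on the slide's output, not a real capture.

```python
"""Flag scanning hosts in Cisco 'show ip cache flow' output (added example).
IOS prints protocol and ports in hex: Pr 06 = TCP, 01 = ICMP; DstP 0087 =
TCP 135, 115C = TCP 4444, 02C3 = TCP 707. For ICMP the SrcP column is 0000
and DstP carries type/code, so 0800 = echo request (the Nachi sweep).
"""
from collections import defaultdict

# (Pr, DstP) pairs as printed by IOS, mapped to what they indicate.
WORM_SIGNATURES = {
    ("06", "0087"): "TCP/135 scan (Blaster, Nachi)",
    ("06", "115C"): "TCP/4444 (Blaster shell)",
    ("06", "02C3"): "TCP/707 (Nachi upload)",
    ("01", "0800"): "ICMP echo sweep (Nachi)",
}

# Constructed sample rows in the slide's column order:
# SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
SAMPLE_FLOWS = """
SrcIf  SrcIPaddress   DstIf  DstIPaddress   Pr SrcP DstP Pkts
Gi0/0  192.168.8.177  Null   192.170.40.10  06 07CB 0087    1
Gi0/0  192.168.8.177  Null   192.170.40.9   06 07CA 0087    1
Gi0/0  192.168.8.177  Null   192.170.40.8   06 07C9 0087    1
Gi0/0  192.168.8.177  Null   192.170.40.7   06 07C8 0087    1
Gi0/0  192.168.8.50   Gi0/1  192.170.40.7   01 0000 0800    1
Gi0/0  192.168.8.50   Gi0/1  192.170.40.8   01 0000 0800    1
Gi0/0  192.168.8.50   Gi0/1  192.170.40.9   01 0000 0800    1
Gi0/0  192.168.8.20   Gi0/1  192.170.40.5   06 0B6A 0050   42
Gi0/0  192.168.8.21   Gi0/1  192.170.40.9   06 0C01 0087    1
""".strip().splitlines()


def parse_flow_line(line):
    """Parse one flow row; return None for the header or malformed rows."""
    fields = line.split()
    if len(fields) != 8 or not fields[7].isdigit():
        return None
    return {"src": fields[1], "dst": fields[3], "proto": fields[4].upper(),
            "dport": fields[6].upper(), "pkts": int(fields[7])}


def find_scanners(lines, min_targets=3):
    """Return {src_ip: {signature: distinct_destinations}} for sources whose
    one-packet flows reach at least min_targets destinations on a worm port.
    Multi-packet flows are real sessions and are ignored; a single probe to
    one host is not reported, which keeps ordinary RPC clients out."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        flow = parse_flow_line(line)
        if flow is None or flow["pkts"] != 1:
            continue
        sig = WORM_SIGNATURES.get((flow["proto"], flow["dport"]))
        if sig:
            hits[flow["src"]][sig].add(flow["dst"])
    report = {}
    for src, sigs in hits.items():
        flagged = {s: len(d) for s, d in sigs.items() if len(d) >= min_targets}
        if flagged:
            report[src] = flagged
    return report
```

Paste the rows of `show ip cache flow | include 0087` (or `0800`, `02C3`, `115C`) into `SAMPLE_FLOWS` and the report lists the scanning hosts with the number of distinct targets each has touched.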
Router: ACL inbound defense for Nachi
  1. Block TCP 135, TCP 707, UDP 69 and ICMP inbound.
     Microsoft additionally recommends blocking TCP 135, 139, 445, 593 and UDP 135, 137, 38:
     http://www.microsoft.com/korea/security/bulletin/vn03-009.asp
  2. Configuration
     access-list 100 deny udp any any eq 69
     access-list 100 deny tcp any any eq 135
     access-list 100 deny tcp any any eq 707
     access-list 100 deny icmp any any echo
     access-list 100 deny icmp any any echo-reply
     (add the Microsoft-recommended deny entries for TCP 139, 445, 593 and UDP 135, 137, 38 here)
     access-list 100 permit ip any any
     interface <interface>
      ip access-group 100 in
  3. Caution: denying all ICMP echo/echo-reply on the Ethernet interface can itself cause network issues (ping-based monitoring and troubleshooting stop working), which is why the length-based PBR and MQC filters are used for Nachi.
Traffic control as a security tool
  Figure: a Layer 2/3 switch port with four queues (Queue 4; Queue 3: HTTP; Queue 2: ftp, smtp; Queue 1: ERP etc.). The QoS features that schedule and police these queues can be used as a network security tool.
Router: rate limiting with CAR (Committed Access Rate)
  1. CAR limits the traffic matched by an ACL to a configured rate on the inbound interface; here ICMP is marked by an ACL and rate-limited rather than dropped outright.
Router: CAR configuration
  2. ACL marking
     Router(config)#access-list 177 remark "ICMP_limit_marking"
     Router(config)#access-list 177 permit icmp any any
     Router(config)#access-list 177 permit icmp any any echo
     Router(config)#access-list 177 permit icmp any any echo-reply
     Interface (the Ethernet interface):
     Router(config-if)#rate-limit input access-group 177 8000 1000 1000 conform-action transmit exceed-action drop
     Traffic matching ACL 177 above 8000 bps is dropped: ICMP is limited to 8 kbps (arguments: rate, normal burst size, maximum burst size).
  Monitoring
     Router#sh interfaces fastethernet 0 rate-limit
     FastEthernet0 " "
       Input
         matches: access-group 177
           params: 8000 bps, 8000 limit, 8000 extended limit
           conformed 599 packets, 151070 bytes; action: transmit
           exceeded 527 packets, 623618 bytes; action: drop
           last packet: 280ms ago, current burst: 7896 bytes
           last cleared 00:02:22 ago, conformed 8000 bps, exceeded 35000 bps
  Figure: ICMP traffic graph before and after the limit is applied (limited: O.K!!).
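To make the rate-limit arguments concrete, here is an added Python model of the single token bucket behind the slide's CAR command (example code written for this page, not from the original slides or from Cisco). It assumes the normal burst equals the extended burst, as configured above, so the second (extended) bucket never comes into play, and it feeds the policer a constructed 92-byte ICMP stream rather than captured traffic.

```python
"""Token-bucket model of Cisco CAR 'rate-limit input access-group 177 8000
1000 1000 conform-action transmit exceed-action drop' (added example).

Assumption: normal burst == extended burst, as on the slide, so only one
bucket applies and any packet that does not fit the bucket is an exceed
and is dropped. IOS's extended-burst (Be > Bc) behaviour is not modelled.
"""


class CarPolicer:
    """Single token bucket: rate_bps/8 bytes of tokens refill per second
    up to normal_burst bytes; a packet conforms if its size fits."""

    def __init__(self, rate_bps, normal_burst):
        self.rate_bytes = rate_bps / 8.0      # bytes of credit added per second
        self.capacity = float(normal_burst)   # bucket depth in bytes
        self.tokens = float(normal_burst)     # bucket starts full
        self.last_t = 0.0
        self.conformed_pkts = self.exceeded_pkts = 0
        self.conformed_bytes = self.exceeded_bytes = 0

    def offer(self, t, size):
        """Offer a packet of size bytes at time t (seconds); return the
        CAR action taken, 'transmit' or 'drop'."""
        self.tokens = min(self.capacity,
                          self.tokens + (t - self.last_t) * self.rate_bytes)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            self.conformed_pkts += 1
            self.conformed_bytes += size
            return "transmit"
        self.exceeded_pkts += 1
        self.exceeded_bytes += size
        return "drop"


def simulate_icmp_stream(offered_bps, seconds=10, pkt_size=92,
                         rate_bps=8000, burst=1000):
    """Feed a constant stream of pkt_size-byte ICMP packets at offered_bps
    through the slide's CAR parameters and report what the interface
    counters would show (constructed traffic, not a capture)."""
    car = CarPolicer(rate_bps, burst)
    interval = pkt_size * 8 / offered_bps     # seconds between packets
    count = int(seconds / interval)
    for i in range(count):
        car.offer(i * interval, pkt_size)
    return {
        "offered_bps": count * pkt_size * 8 / seconds,
        "conformed_bps": car.conformed_bytes * 8 / seconds,
        "exceeded_bps": car.exceeded_bytes * 8 / seconds,
        "conformed_pkts": car.conformed_pkts,
        "exceeded_pkts": car.exceeded_pkts,
    }
```

Offering 43 kbps of 92-byte echoes yields a conformed rate of about 8 kbps plus the initial 1000-byte burst and an exceeded rate in the mid-30 kbps range, the same shape as the "conformed 8000 bps, exceeded 35000 bps" line in the monitoring output; a 4 kbps stream passes untouched.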
Router: dropping 92-byte ICMP with PBR (Policy Based Routing)
  1. PBR matches traffic by ACL and packet length and routes it to the logical interface Null 0, so the 92-byte ICMP used by Nachi is dropped while other ICMP passes. Cisco Layer 3 switching platforms support this as well.
Router: PBR configuration
  2. ACL marking
     Router(config)#access-list 187 remark "ICMP_PBR_marking"
     Router(config)#access-list 187 permit icmp any any echo
     Router(config)#access-list 187 permit icmp any any echo-reply
     PBR rule setup
     Router(config)#route-map worm permit 10
     Router(config-route-map)#match ip address 187        (the PBR ACL)
     Router(config-route-map)#match length 92 92           (the Nachi ICMP packet: 92-byte frame)
     Router(config-route-map)#set interface Null0          (send the 92-byte ICMP to Null 0)
     Interface
     Router(config-if)#ip policy route-map worm
  Monitoring
     Router#sh route-map worm
     route-map worm, permit, sequence 10
       Match clauses:
         ip address (access-lists): 187
       Set clauses:
         interface Null0
       Policy routing matches: 4165 packets, 440770 bytes  (packets and bytes policy-routed to Null 0)
  Figure: the 92-byte ICMP packets are denied (Deny, Deny, Deny); the 64-byte packet, like all other traffic, is permitted.
Router: dropping 92-byte ICMP with MQC (Modular QoS CLI)
  1. MQC classifies traffic by ACL and packet length and drops the class in a policy map, so the 92-byte ICMP used by Nachi is dropped. Requires Cisco IOS 12.2(13)T or later.
Router: MQC configuration
  2. ACL marking
     Router(config)#access-list 197 remark "ICMP_MQC_marking"
     Router(config)#access-list 197 permit icmp any any echo
     Router(config)#access-list 197 permit icmp any any echo-reply
     MQC rule setup
     Router(config)#class-map match-all class_worm               (class group)
     Router(config-cmap)#match access-group 197                  (the class matches the marking ACL)
     Router(config-cmap)#match packet length min 92 max 92       (and the 92-byte length)
     Router(config)#policy-map policy_worm
     Router(config-pmap)#class class_worm
     Router(config-pmap-c)#drop                                  (class action)
     Interface
     Router(config-if)#service-policy input policy_worm
     Router(config-if)#service-policy output policy_worm
  Monitoring (this sample was captured with ACL 187 from the PBR slide, which has the same entries)
     Router#sh policy-map interface fa 0
     FastEthernet0
       Service-policy input: policy_worm
         Class-map: class_worm (match-all)
           5 packets, 530 bytes                                 (dropped packets and bytes)
           5 minute offered rate 0 bps, drop rate 0 bps
           Match: access-group 187
           Match: packet length min 92 max 92
           drop
3. Switch
Switch: monitoring and defense (Internet - Backbone - Access - Client, Cisco Cat6500)
  1. Monitoring: MLS flow
  2. Defense:
     Blaster worm: TCP 135/4444, UDP 69
     Nachi/Welchia: TCP 135/707, UDP 69, ICMP
     ICMP rate limiting: policing
     ICMP drop: PBR
Backbone (Cat OS): MLS flow monitoring
  1. Enable the full MLS flow mask (the default is destination-only)
     Cat OS:      Switch(enable)#set mls flow full
     Native IOS:  Switch(config)#mls flow ip full
  2. MLS flow monitoring (Cat OS)
     6500> (enable) sh mls statistics entry ip src-port 135
     Last Used Destination IP   Source IP        Prot  DstPrt  SrcPrt  Stat-Pkts  Stat-Bytes
     -------------------------  ---------------  ----  ------  ------  ---------  ----------
     111.222.213.57             111.222.230.172  TCP   135     1089    1          48
     84.35.137.121              111.222.236.248  TCP   135     4845    1          52
     143.10.4.213               111.222.235.13   TCP   135     1510    1          48
     73.37.139.184              111.222.227.178  TCP   135     1471    1          48
     119.121.241.91             111.222.229.29   TCP   135     3064    1          48
     111.222.225.40             111.222.134.132  TCP   135     2811    1          48
     6500> (enable) sh mls statistics entry ip src-port 135        (Blaster worm)
     6500> (enable) sh mls statistics entry ip src-port 4444       (Blaster worm)
     6500> (enable) sh mls statistics entry ip src-port 707        (Nachi)
     6500> (enable) sh mls statistics entry ip protocol icmp       (Nachi ICMP attack)
Backbone (Native IOS): MLS flow monitoring
     CAT6500#sh mls ip statistics | inc 135
     187.151.141.61   222.222.206.165  tcp :3846 :135  0 : 0
     10.95.103.29     111.93.13.77     tcp :2197 :135  0 : 0
     187.151.143.172  222.222.206.165  tcp :4470 :135  0 : 0
     111.91.251.19    111.93.10.227    tcp :2052 :135  0 : 0
     123.152.177.81   111.93.8.104     tcp :3797 :135  0 : 0
     CAT6500#sh mls ip statistics | inc 135
     CAT6500#sh mls ip statistics | inc 4444
     CAT6500#sh mls ip statistics | inc 707
     CAT6500#sh mls ip statistics | inc icmp
  Monitoring a single PC:
     Cat6500#sh mls ip source 111.222.123.219
     Displaying Netflow entries in Supervisor Earl
     DstIP            SrcIP            Prot:SrcPort:DstPort  Src i/f:adjptr  Pkts  Bytes  Age  LastSeen  Attributes
     111.222.59.87    111.222.123.219  tcp :4816 :135        0 : 0           3     144    120  20:13:05  L3 - Dynamic
     111.222.57.132   111.222.123.219  tcp :4613 :135        0 : 0           3     144    142  20:12:43  L3 - Dynamic
     ...
Backbone: router port RACL
  Figure: a RACL on the router port controls traffic between VLANs/subnets (VLAN A / Subnet A to VLAN B / Subnet B). Can a RACL control traffic inside one subnet/VLAN? No.
Backbone: switch (VLAN) VACL
  Figure: a VACL controls traffic inside a VLAN/subnet as well as between VLAN A / Subnet A and VLAN B / Subnet B, which is where a worm spreads between neighboring hosts.
Where a worm spreads and where each control applies
  Figure: Router - F/W - Backbone Switch - Distribution - Access Switch. Worm-infected hosts on the distribution and access switches infect each other without crossing the firewall, so the firewall never sees that flow.
  - IPS/IDS: at the server farm or the gateway.
  - Router ACL: traffic filtering at the router.
  - Worm traffic inside a subnet/VLAN: filtering with a VLAN ACL.
Backbone: VLAN ACL (Cat OS)
     set security acl ip VACL deny tcp any eq 4444 any
     set security acl ip VACL deny tcp any any eq 4444        (Blaster's 4444 shell is TCP)
     set security acl ip VACL deny tcp any eq 135 any
     set security acl ip VACL deny tcp any any eq 135         (Blaster worm config)
     set security acl ip VACL deny tcp any eq 707 any
     set security acl ip VACL deny tcp any any eq 707         (Nachi worm config)
     set security acl ip VACL permit ip any any               (everything other than worm traffic is permitted)
     commit security acl VACL                                 (commit the VACL)
     set security acl map VACL <VLAN>                         (map the VACL to the VLAN)
  To remove the VACL:
     clear security acl VACL
     commit security acl VACL
Backbone: VLAN ACL (Native IOS)
     Switch(config)#ip access-list extended worm_block
     Switch(config-ext-nacl)#permit tcp any any eq 135
     Switch(config-ext-nacl)#permit tcp any any eq 139
     Switch(config-ext-nacl)#permit tcp any any eq 445
     Switch(config-ext-nacl)#permit tcp any any eq 4444
     Switch(config-ext-nacl)#permit tcp any any eq 707
     Switch(config-ext-nacl)#permit udp any any eq 69
     Switch(config-ext-nacl)#permit icmp any any echo
     Switch(config-ext-nacl)#permit icmp any any echo-reply
     (if ICMP echo is a required service on the network, leave the two ICMP entries out and use PBR against the 92-byte packets instead)
  VLAN access map
     Switch(config)#vlan access-map worm_vacl 10
     Switch(config-access-map)#match ip address worm_block    (the ACL above)
     Switch(config-access-map)#action drop                    (ACL matches are dropped)
  VLAN interface
     Switch(config)#vlan filter worm_vacl vlan-list 100-150   (apply the VACL to these VLANs)
Backbone: MSFC PBR for 92-byte ICMP (same configuration under Cat OS hybrid and Native IOS)
  ACL marking
     Router(config)#access-list 187 remark "ICMP_PBR_marking"
     Router(config)#access-list 187 permit icmp any any echo
     Router(config)#access-list 187 permit icmp any any echo-reply
  PBR rule setup
     Router(config)#route-map worm permit 10
     Router(config-route-map)#match ip address 187        (the PBR ACL)
     Router(config-route-map)#match length 92 92           (the Nachi ICMP packet: 92-byte frame)
     Router(config-route-map)#set interface Null0          (send the 92-byte ICMP to Null 0)
  Interface
     Router(config-if)#ip policy route-map worm
  Monitoring
     Router#sh route-map worm
     route-map worm, permit, sequence 10
       Match clauses:
         ip address (access-lists): 187
       Set clauses:
         interface Null0
       Policy routing matches: 4165 packets, 440770 bytes  (packets and bytes policy-routed to Null 0)
Backbone: policing
  Figure: dual token bucket policer. The rate fills Bucket 1 (burst) and the erate fills Bucket 2 (eburst); erate/eburst are available on the PFC2 only. Worm traffic policed on Cat OS and Native IOS: TCP 135, ICMP echo/echo-reply, TCP 4444, TCP 707, UDP 69.
Backbone (Native IOS): policing, classification
     mls qos                                          (enable MLS QoS)
     access-list 113 permit icmp any any echo
     access-list 113 permit icmp any any echo-reply   (ICMP attack marking)
     access-list 111 permit tcp any any eq 135
     access-list 111 permit tcp any any eq 4444
     access-list 111 permit tcp any any eq 707
     access-list 111 permit udp any any eq 69         (Blaster worm / Nachi worm marking)
     access-list 112 permit tcp any any syn           (8/15 SYN flooding attack marking)
  Class maps (each class matches its ACL)
     class-map match-all icmp_attack
      match access-group 113
     class-map match-all Blaster_0815_attack
      match access-group 112
     class-map match-all Blaster_Nachi
      match access-group 111
Backbone (Native IOS): policing, policy map
     policy-map QoS
      class icmp_attack
       police 32000 1000 1000 conform-action transmit exceed-action drop violate-action drop
      class Blaster_0815_attack
       police 32000 1000 1000 conform-action transmit exceed-action drop violate-action drop
      class Blaster_Nachi
       police 32000 1000 1000 conform-action transmit exceed-action drop violate-action drop
     Each class is policed to 32 kbps; the excess is dropped.
  Monitoring
     Cat6500#sh policy-map interface gigabitethernet 2/1
     GigabitEthernet2/1
       service-policy input: QoS
         class-map: attack (match-all)
           0 packets
           5 minute offered rate 0 pps
           match: access-group 113
           police :
             32000 bps 1000 limit 1000 extended limit
             aggregate-forwarded 0 packets action: transmit
             exceeded 44 packets action: drop
             aggregate-forward 345 pps exceed 40 pps
Backbone (Cat OS): policing
     set qos enable                                   (enable QoS)
  Policer
     set qos policer aggregate policer_worm rate 32 policed-dscp erate 32 drop burst 4 eburst 4
     (worm traffic matched by the QoS ACL is policed to 32 kbps and the excess dropped)
  QoS ACL marking
     set qos acl ip worm dscp 8 aggregate policer_worm tcp any any eq 135
     set qos acl ip worm dscp 8 aggregate policer_worm tcp any any eq 4444
     set qos acl ip worm dscp 8 aggregate policer_worm tcp any any eq 707
     set qos acl ip worm dscp 8 aggregate policer_worm udp any any eq 69
     set qos acl ip worm dscp 8 aggregate policer_worm icmp any any echo
     set qos acl ip worm dscp 8 aggregate policer_worm icmp any any echo-reply
     (Blaster worm, Nachi worm and ICMP attack)
Backbone (Cat OS): committing and monitoring
     commit qos acl worm                              (commit the QoS ACL)
     set qos acl map worm 100                         (map it to a VLAN or interface)
  To remove it:
     clear qos acl worm
     commit qos acl worm
  QoS monitoring
     Cat6500> (enable) sh qos statistics aggregate-policer policer_worm
     QoS aggregate-policer statistics:
     Aggregate policer   Allowed packet count   Packets exceed normal rate   Packets exceed excess rate
     ------------------  ---------------------  ---------------------------  --------------------------
     policer_worm        268                    11                           11
     (QoS drop packet monitoring)
Access switch: defense (Internet - Backbone - Access - Client, Cisco Switch)
  Defense:
     Blaster worm: TCP 135/4444, UDP 69
     Nachi/Welchia: TCP 135/707, UDP 69, ICMP
     ICMP rate limiting: policing
     ICMP drop: PBR
Access switch: VLAN ACL (Catalyst 4500/4000, 3750/3550, 2950)
     Switch(config)#ip access-list extended worm_block
     Switch(config-ext-nacl)#permit tcp any any eq 135
     Switch(config-ext-nacl)#permit tcp any any eq 139
     Switch(config-ext-nacl)#permit tcp any any eq 445
     Switch(config-ext-nacl)#permit tcp any any eq 4444
     Switch(config-ext-nacl)#permit tcp any any eq 707
     Switch(config-ext-nacl)#permit udp any any eq 69
     Switch(config-ext-nacl)#permit icmp any any echo
     Switch(config-ext-nacl)#permit icmp any any echo-reply
     (if ICMP echo is a required service on the network, leave the two ICMP entries out and use PBR against the 92-byte packets instead)
  VLAN access map
     Switch(config)#vlan access-map worm_vacl 10
     Switch(config-access-map)#match ip address worm_block    (the ACL above)
     Switch(config-access-map)#action drop                    (ACL matches are dropped)
  VLAN interface
     Switch(config)#vlan filter worm_vacl vlan-list 100-150   (apply the VACL to these VLANs)
Access switch: PBR for 92-byte ICMP
  ACL marking
     Router(config)#access-list 187 remark "ICMP_PBR_marking"
     Router(config)#access-list 187 permit icmp any any echo
     Router(config)#access-list 187 permit icmp any any echo-reply
  PBR rule setup
     Router(config)#route-map worm permit 10
     Router(config-route-map)#match ip address 187        (the PBR ACL)
     Router(config-route-map)#match length 92 92           (the Nachi ICMP packet: 92-byte frame)
     Router(config-route-map)#set interface Null0          (send the 92-byte ICMP to Null 0)
  Interface
     Router(config-if)#ip policy route-map worm
  Monitoring
     Router#sh route-map worm
     route-map worm, permit, sequence 10
       Match clauses:
         ip address (access-lists): 187
       Set clauses:
         interface Null0
       Policy routing matches: 4165 packets, 440770 bytes  (packets and bytes policy-routed to Null 0)
Access switch: QoS classification (Catalyst 4500/4000, 3750/3550/2950)
     mls qos map policed-dscp 48 to 16
     mls qos                                          (on the Catalyst 4500 the command is "qos")
     access-list 199 permit icmp any any echo
     access-list 199 permit icmp any any echo-reply   (ICMP attack ACL)
     access-list 198 permit tcp any any syn           (SYN flooding attack ACL)
     access-list 197 permit tcp any any eq 135
     access-list 197 permit tcp any any eq 4444
     access-list 197 permit tcp any any eq 707
     access-list 197 permit udp any any eq 69         (Blaster / Nachi worm attack ACL)
  Class groups
     class-map match-all icmp_attack
      match access-group 199
     class-map match-all syn_attack
      match access-group 198
     class-map match-all worm
      match access-group 197
Access switch: policy and interface
     policy-map p_worm
      class icmp_attack
       set ip precedence 6
       police 8000 8000 exceed-action drop
      class syn_attack
       set ip precedence 5
       police 8000 8000 exceed-action drop
      class worm
       set ip precedence 4
       police 8000 8000 exceed-action drop
     (icmp_attack, syn_attack and worm traffic above 8 kbps is dropped)
  Interface
     interface GigabitEthernet0/10
      switchport access vlan 100
      switchport mode access
      no ip address
      load-interval 30
      mls qos monitor dscp 8 16 24 32 40
      mls qos monitor packets
      service-policy input p_worm
Access switch: monitoring
     sh mls qos interface gigabitethernet 0/10 statistics
     GigabitEthernet0/10
     Ingress
       dscp:   incoming   no_change  classified  policed  dropped (in bytes)
        8 :           0           0           0        0         0
       16 :           0           0           0        0         0
       24 :           0           0           0        0         0
       32 :           0           0           9        0         0
       40 :           0           0           3        0         0
       48 :           0           0     2705898        0  27026238
       Others:  27104548       41526        4624        0         0
     (traffic is shown per DSCP marking together with the bytes dropped by the policer)
4. Switch Security Service Module
Network design options
  Figure 1: Router connected directly to the Core Switch.
  Figure 2: Router - L4 switch - L2 switch, L2 switch - L4 switch - Core Switch.
  Figure 3: the same design with a firewall pair (F/W, F/W) inserted between the router and the core switch.
FWSM performance
  - PIX 6.0-based feature set (some features of 6.2)
  - High-performance firewall, targeted at OC48 or 5 GB (aggregated)
  - Concurrent connections: 1M
  - 3 million pps
  - 100K new connections/sec for HTTP, DNS and enhanced SMTP
  - 100 VLANs
  - LAN failover, active/standby
  - Dynamic routing, i.e. OSPF
  - Multiple blades
  - 128K rule set
  - No IDS signatures
  - Supported on Native IOS and Cat OS (IOS 12.1(13)E / Cat OS 7.5(1))
  - Classic 32G bus / fabric 256G bus
New IDSM-2
  - 600 Mbps
  - 5000 cps (TCP connections per second)
  - 500,000 concurrent connections
  - VLAN-based monitoring on the 32 Gb bus / fabric switch
  - Passive monitoring, transparent operation
  - IDSM IDS Device Manager, IDSM IDS Event Viewer
  - Feature parity with the IDS appliances
  - Cat OS 7.5(1) / IOS 12.1(19)E
  - Catalyst 7600/6500 IDSM II
Monitoring/defense through the Catalyst Service Modules: IDSM shunning
  Figure: steps 1 to 3 of the IDSM response (shunning / reset / rate-limit).
  - Router: the IDSM automatically adds an ACL.
  - Cat 6500 / Cisco 7600: the IDSM automatically adds a VACL.
  - PIX series: the inside host is automatically blocked.
Shunning (IDSM), ICMP attack: generated configuration
     set security acl ip IDS_160_0 permit arp
     set security acl ip IDS_160_0 permit ip host 111.222.255.124 any
     set security acl ip IDS_160_0 deny ip host 111.222.232.104 any
     set security acl ip IDS_160_0 deny ip host 111.139.201.208 any
     set security acl ip IDS_160_0 deny ip host 29.167.221.167 any
     set security acl ip IDS_160_0 deny ip host 24.62.58.63 any
     set security acl ip IDS_160_0 deny ip host 24.51.18.96 any
     set security acl ip IDS_160_0 deny ip host 21.65.155.5 any
     set security acl ip IDS_160_0 deny ip host 12.47.48.228 any
     set security acl ip IDS_160_0 deny ip host 21.20.122.119 any
     set security acl ip IDS_160_0 deny ip host 65.95.6.251 any
     set security acl ip IDS_160_0 deny ip host 68.45.16.20 any
     set security acl ip IDS_160_0 deny ip host 8.111.3.213 any
     set security acl ip IDS_160_0 deny ip host 61.7.37.144 any
     ...
NAM-2 performance
  - Classic 32 Gbps bus / 256 Gbps fabric
  - 1Gb RAM, 128Mb capture buffer
  - Application monitoring, performance management, troubleshooting, trend analysis, capacity planning, VoIP monitoring, QoS and DSCP monitoring
  - MIB II (RFC 1213), RMON (RFC 2819) all groups, RMON2 (RFC 2021) all groups, SMON (switch monitoring, RFC 2613), DSMON, ART MIB / HCRMON
  - NAM SW v3.1 (Cat OS 7.3(1) / IOS 12.1(13)E support)
NAM features
  - Enhanced SNMP, HTTP/S
  - nGenius Real Time Monitor or 3rd-party applications (aggregation of multiple NAMs)
  - NAM blade: integrated traffic analyzer (easy to deploy and use)
  - Layer 2 mini-RMON per port
  - Catalyst 6000/6500, NEW: Cisco 7600
  - Flexible data sources: SPAN (detailed), NetFlow (broad), VACL (specific)
  - Enhanced Layer 3-7: RMON I, II, HCRMON, SMON, DSMON, ART, voice analysis
  Figure: NAM embedded traffic analyzer in a Cisco Catalyst switch, fed by per-port Mini-RMON, a SPAN source, and NetFlow records (FTP, HTTP, multicast and BPDU traffic) from the switch and from a Cisco router.
5. Epilogue
  - Build a CERT team.
  - Bring the server, network and PC managers together.
  - Design security end to end.
If you have any questions: mailto: whchoi@cisco.com, www.cisco.com