RE: Router/Switches and viruses

From: Steven Williams (Steven.Williams_at_computershare.com.au)
Date: 05/09/05

  • Next message: Marc Heuse: "DIMVA 2005 - Call for Participation - IT-Security Conference in Vienna, 7-8 July"
    Date: Mon, 9 May 2005 08:46:23 +1000
    To: "Seek Knowledge" <aseeker03@yahoo.com>, <focus-ids@securityfocus.com>
    
    

    I've seen a PSTN connected laptop user infected with blaster drop
    numerous Extreme Black Diamond switches. The FDB tables fill up,
    processes start running at very high CPU% and packets start getting
    dropped across the switch. Eventually the switches become unreachable
    and require a manual reboot.

    This was due to a poorly implemented remote access policy. Using policy
    based access control systems like Cisco's NAC or even restricting
    protocol / host access could have prevented this.

    -----Original Message-----
    From: Chris Byrd [mailto:cbyrd01@yahoo.com]
    Sent: Friday, May 06, 2005 1:09 PM
    To: Seek Knowledge; focus-ids@securityfocus.com
    Subject: Re: Router/Switches and viruses

    I had a desktop machine on a development/lab segment infected with SQL
    Slammer take out a switch. As you might recall, Slammer created a large
    volume of small UDP packets to random destination addresses. Although
    the development lab was on its own VLAN, the traffic completely
    overwhelmed the switch. This caused spanning tree to continually
    recalculate the entire network topology, and switch management was
    completely unavailable (except for local access). Needless to say I
    didn't have a good day.

    There are several things I've learned that can be done in my opinion to
    help prevent or reduce the impact of this type of attack.

    First, switch management and administrative traffic (such as spanning
    tree) should be on dedicated VLANs.
    Use VLAN pruning to keep VLANs off of unnecessary trunks.

    Second, keep broadcast domains small and use switch functions that
    suppress broadcasts.

    Third, monitor network traffic levels and have a good baseline of what
    is "normal". New technologies such as NBAD - Network Behavioral Anomaly
    Detection - can really help here.

    Fourth, apply the concept of least privilege to your network traffic.
    Why allow computers to talk to port 445 on your mail server, or
    computers on different floors to talk to each other at all?

    Fifth, last but not least, multiple layers of desktop security (desktop
    firewall, HIPS, AV, anti-spyware) and group or local policies can help
    prevent the viruses in the first place. I found out the hard way that
    unless the development lab is _really_ on a separate network, this goes
    for those machines too.

    - Chris

    --- Seek Knowledge <aseeker03@yahoo.com> wrote:
    > Does anyone have any first-hand experience with a single infected
    > desktop machine (or windows server for that matter) taking out a LAN
    > switch? Would anyone have any stories from the trenches of an infected
    > machine causing a directly connected router to stop functioning?
    >
    > If so, what could be done to prevent such an outage?
    > What IDS/IPS strategy might one implement to prevent and or at least
    > detect such an event?
    >
    > Thanks in advance.
    > ASeeker
    >
    >
    ------------------------------------------------------------------------

    --
    > Test Your IDS
    > 
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from
    > CORE IMPACT.
    > Go to
    >
    http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > 
    > to learn more.
    >
    ------------------------------------------------------------------------
    --
    > 
    > 
    ---
    This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain information that is confidential and privileged.  If you receive this email in error, please advise us by return email immediately.  Please also disregard the contents of the email, delete it and destroy any copies immediately.
    Computershare Limited and its subsidiaries do not accept liability for the views expressed in the email or for the consequences of any computer viruses that may be transmitted with this email.
    This email is also subject to copyright.  No part of it should be reproduced, adapted or transmitted without the written consent of the copyright owner.
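The third and fourth recommendations above (baseline what is "normal", then flag hosts that deviate, and apply least privilege to traffic) are the part of this thread that an IDS/NBAD implementer actually has to turn into logic. The following Python is an added example written for this page; it is not code from any of the posters, from Extreme, or from Cisco. It learns a per-segment fan-out baseline (distinct destinations per source per second) from constructed "known good" flow records, then flags sources that exceed it in the same kind of traffic the two stories describe: one host spraying small UDP datagrams at random addresses, another opening TCP connections to hundreds of hosts. The record format, the IP addresses, the threshold rule (mean plus three standard deviations with a floor) and the helper names are all assumptions of the example; the port-to-worm mapping (UDP/1434 for Slammer, TCP/135 for Blaster) is public knowledge about those worms and is not stated in the thread.

```python
"""Worm-scan anomaly check against a learned traffic baseline.

Added example for the focus-ids thread above; not code from the original
posts. Every flow record here is constructed for the example. The rule is
deliberately simple: what a worm does that ordinary hosts do not is contact
hundreds of *distinct* destinations per second, so fan-out, not byte count,
is the baselined quantity.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since capture start (assumed field layout)
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int
    size: int      # frame length in bytes


def fanout_per_window(flows, window=1.0):
    """Distinct destinations contacted by each source in each time window.

    Returns {src: [fan-out in window 0, fan-out in window 1, ...]}.
    """
    buckets = defaultdict(lambda: defaultdict(set))
    for f in flows:
        buckets[f.src][int(f.ts // window)].add(f.dst)
    return {src: [len(dsts) for _, dsts in sorted(wins.items())]
            for src, wins in buckets.items()}


def build_baseline(normal_flows, window=1.0, sigmas=3.0, floor=8.0):
    """Learn a fan-out threshold from known-good traffic.

    mean + sigmas*stdev over every (host, window) sample, never below
    'floor' so that a very quiet segment does not yield a hair-trigger.
    """
    samples = [c for counts in fanout_per_window(normal_flows, window).values()
               for c in counts]
    mean = statistics.fmean(samples)
    sd = statistics.pstdev(samples)
    return max(mean + sigmas * sd, floor)


def find_scanners(flows, threshold, window=1.0):
    """Sources whose fan-out exceeds the threshold in any window.

    Returns {src: peak fan-out}; an empty dict means nothing anomalous.
    """
    return {src: max(counts)
            for src, counts in fanout_per_window(flows, window).items()
            if max(counts) > threshold}


def classify(flows, src):
    """Label a flagged host by its dominant (proto, dport) so the on-call
    engineer knows what to block at the access port."""
    mine = [f for f in flows if f.src == src]
    (proto, dport), _ = Counter((f.proto, f.dport) for f in mine).most_common(1)[0]
    small_udp = all(f.size <= 420 for f in mine if f.proto == "udp")
    if proto == "udp" and dport == 1434 and small_udp:
        return "slammer-like: small UDP datagrams to 1434"
    if proto == "tcp" and dport == 135:
        return "blaster-like: TCP connects to 135"
    return f"scan: {proto}/{dport}"


# --- constructed sample traffic (not a real capture) -----------------------
# Ten seconds of ordinary lab traffic: three hosts, each talking to a few
# fixed peers on a file-sharing port.
NORMAL = [Flow(float(t), src, f"10.1.1.{peer}", "tcp", 445, 1500)
          for t in range(10)
          for src, peers in (("10.1.1.11", (20, 21, 22)),
                             ("10.1.1.12", (20, 21)),
                             ("10.1.1.13", (20, 21, 22, 23)))
          for peer in peers]

# The same segment during an outbreak: one host sprays 200 random targets
# with 404-byte UDP datagrams inside one second, another opens 150 TCP/135
# connections inside one second.
SLAMMER = [Flow(5 + i / 200, "10.1.1.50", f"10.{(i >> 8) & 255}.{i & 255}.7",
                "udp", 1434, 404) for i in range(200)]
BLASTER = [Flow(7 + i / 150, "10.1.1.60", f"172.16.{(i >> 8) & 255}.{i & 255}",
                "tcp", 135, 62) for i in range(150)]
OUTBREAK = NORMAL + SLAMMER + BLASTER


def report(normal=NORMAL, observed=OUTBREAK):
    """Baseline on 'normal', scan 'observed', return {src: (peak, label)}."""
    threshold = build_baseline(normal)
    hits = find_scanners(observed, threshold)
    return {src: (peak, classify(observed, src)) for src, peak in hits.items()}


if __name__ == "__main__":
    for src, (peak, label) in report().items():
        print(f"{src}: peak fan-out {peak}/s, {label}")
```

The same per-source fan-out number is what you would feed a NetFlow/sFlow collector's threshold rule; the baseline step matters because a backup server or a DNS resolver legitimately has a high fan-out, and a fixed global threshold either misses the worm or pages you every night. Once a host is flagged, the least-privilege point from the thread applies: an access-port ACL or a quarantine VLAN that only ever allowed that host to reach the services it needs would have contained the spray regardless of whether anyone was watching.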
