BRKSEC-2004
Monitoring, Mitigating, and Handling Threats
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public
Housekeeping
Session Objectives
Best Common Practices (BCPs) that make use of point device capabilities for detecting threats and protecting assets against existing, current, and emerging threats
Experience with Cisco IOS® security features, firewall products, intrusion detection, and/or prevention products
Knowledge of the various sources of events, messages, and data types used during incident handling
Agenda
Introduction
Mitigation and Prevention
Monitoring and Identification
Endpoint and Network IPS Capabilities
Reacting with BGP
MS08-067 = Conficker = Downadup
Network Security is a System
Threat Education and Awareness
Type of Threats that Affect You
Remember Collateral Damage!
How Computers and Networks Are Owned
Attack vectors:
Service vulnerabilities (IIS, Apache, SMB)
Application vulnerabilities (XSS)
Denial of service: flooding, either spoofed (smurf, SYN flood) or non-spoofed rate-based
Packet conformance vulnerabilities
Client-side application vulnerabilities
Configuration vulnerabilities (weak passwords, lack of encryption, etc.)
Controls (right-hand column of the slide): Access Control, Application Inspection, IPS Capabilities, Spoofing Prevention, Packet Conformance, User Education
There Is NO Silver Bullet
Worm/Virus: Exploit Comparison (20 Years)
[Figure: table of worms by attack phase. Columns: Morris (1988), Love Bug (2000), Code Red (2001), Slammer (2003), MyDoom (2004), Zotob (2005), RPC DNS (2007), MS08-067 (2008). Rows: Probe, Penetrate, Persist, Propagate, Paralyze. Penetration methods shown: buffer overflow in fingerd (Morris), arrival as an email attachment (Love Bug, MyDoom), buffer overflow in IIS (Code Red), in SQL and MSDE (Slammer), in the UPnP service (Zotob), in the RPC service (RPC DNS), and in the Server Service plus mapped and removable drives (MS08-067). Persistence techniques listed include creating files or executables, editing the registry, downloading code, FTP/TFTP, DNS hooking, killing processes, hot patching and peer-to-peer; propagation ranges from scanning for open addresses and services to address-book email and network shares with HTTP C&C; paralysis effects include lots of worm threads, processes or packets slowing systems and networks, deleted registry keys and terminated processes.]
Defense-in-Depth Strategy (DIDS)
Layering security defenses reduces threat exposure and reduces the window of opportunity for miscreants
Apply appropriate controls closest to the victim and the miscreant
Any defense mechanism may fail, be bypassed, or be defeated
Embrace multiple protection methods that complement each other
Mitigation and Prevention
Mitigation
Access Control
Spoofing Prevention
Packet Conformance
Application Inspection
Flexible Packet Matching
Access Control
ACL Cisco IOS vs. Firewall
Utilizing Cisco IOS ACL Capabilities
!
Router(config)#ip access-list extended tACL
!
!-- Deny loose source routed packets
!
Router(config-ext-nacl)#deny ip any any option lsr
!
!-- Deny fragmented packets
!
Router(config-ext-nacl)#deny ip any any fragments
!
!-- Deny TCP packets with SYN and FIN flags set
!
Router(config-ext-nacl)#deny tcp any any match-all +syn +fin
!
!-- Deny packets with TTL values less than 5
!
Router(config-ext-nacl)#deny ip any any ttl lt 5
!
Layer 2 Access Control
!
!-- VLAN Access Control List: create ACL with default permit
ip access-list extended VACL-MATCH-ANY
permit ip any any
!
!-- Create ACL that matches ports (permit ACE rules classify the traffic)
ip access-list extended VACL-MATCH-PORTS
permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 139
!
!-- Create VLAN access map for VACL policy; set action to drop for the matched ports
vlan access-map VACL 10
match ip address VACL-MATCH-PORTS
action drop
!
vlan access-map VACL 20
match ip address VACL-MATCH-ANY
action forward
!
!-- Apply and enable the VACL for use
vlan filter VACL vlan 100
!
!
!-- Port ACL
ip access-list extended <acl-name>
permit <protocol> <source-address> <source-port> <destination-address> <destination-port>
!
interface <type> <slot/port>
switchport mode access
switchport access vlan <vlan_number>
ip access-group <acl-name> in
!
Modular and Phase-Based ACL Policy (Hybrid Permit/Deny)
1. Anti-spoofing (rarely changes)
2. Anti-bogon (source) (rarely changes)
3. Infrastructure permit (rarely changes)
4. Explicit deny, specific Layer 3 (sometimes changes)
5. Explicit deny, specific Layer 4 (sometimes changes)
Filter Shields = Phase-Based Modules
[Figure: customer traffic passes in sequence through Packet Shield #1, #2, #3 and #4 and then the Application Filters; spoofed source addresses are among the traffic filtered out]
Known, Unknown, & Undesirable Traffic
ip access-list extended ACCESS-LIST
200 deny ip 127.0.0.0 0.255.255.255 any !-- Deny Loopback netblock (src)
210 deny ip any 127.0.0.0 0.255.255.255 !-- Deny Loopback netblock (dst)
220 deny ip 192.0.2.0 0.0.0.255 any !-- Deny Test-Net netblock (src)
230 deny ip any 192.0.2.0 0.0.0.255 !-- Deny Test-Net netblock (dst)
240 deny ip 169.254.0.0 0.0.255.255 any !-- Deny Link Local netblock (src)
250 deny ip any 169.254.0.0 0.0.255.255 !-- Deny Link Local netblock (dst)
----- Output Truncated -----
500 deny tcp any any eq 135 !-- MS RPC Endpoint Mapper
510 deny tcp any any eq 139 !-- NetBIOS Session Service
520 deny tcp any any eq 445 !-- Microsoft DS, and Zotob
530 deny udp any any eq 445 !-- SMB vulns
540 deny tcp any any eq 4444 !-- Metasploit Reverse Shell
550 deny udp any any eq 1434 !-- MS SQL, Sapphire/Slammer Worm
560 deny tcp any any range 6660 6669 !-- IRC traffic
570 deny tcp any any eq 7000 !-- IRC traffic
----- Output Truncated -----
600 deny udp any any eq 1025 !-- MS RPC and LSA exploit traffic
610 deny tcp any any eq 5000 !-- UPnP Buffer Overflow exploit traffic
Note: Filtering Registered or Dynamic/Private Port Ranges May Cause Strange Behaviors
Access Control References
ASA 8.0 Identifying Traffic with Access Lists
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/traffic.html
Spoofing Prevention
Strict Mode Unicast RPF
Router(config-if)# ip verify unicast source reachable-via rx
(deprecated syntax: ip verify unicast reverse-path)
[Figure: router with int 1, int 2 and int 3 and FIB entries Sx -> int 1, Sy -> int 2, Sz -> null0. A packet from Sx arriving on int 1 is forwarded (source IP path = receiving interface); a packet from Sy arriving on int 1 is dropped (source IP path != receiving interface).]
Loose Mode Unicast RPF
Router(config-if)# ip verify unicast source reachable-via any
[Figure: same router with FIB entries Sx -> int 1, Sy -> int 2, Sz -> null0. A packet from Sy arriving on int 1 is forwarded because a route back to Sy exists on some interface; a packet from Sz is dropped because its route points to null0 or no route exists.]
ISP edge toward LANs 192.168.2/24 and 192.168.3/24:
Block entering traffic whose source = own network
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
Block sources that do not belong to the subnet
access-list 102 permit ip 192.168.X.0 0.0.0.255 any
access-list 102 deny ip any any
or
ip verify unicast source reachable-via rx allow-default
or
ip verify unicast source reachable-via rx
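The strict and loose checks above, re-created in Python as an added example (not Cisco's code): a longest-prefix FIB, the rx/any decision, and the allow-default keyword from the ACL variants, which goes slightly beyond the slide's three FIB entries. Prefixes and interface names are constructed.

```python
"""Unicast RPF decision logic, as an added example (not Cisco's code).

Models the FIB on the slide (Sx -> int 1, Sy -> int 2, Sz -> null0) and
reproduces the strict ("reachable-via rx") and loose ("reachable-via any")
checks, plus allow-default as a generalisation. Prefixes and interface
names below are constructed for the example.
"""
import ipaddress


class Fib:
    """Longest-prefix-match table: prefix -> outgoing interface or "null0"."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes.items()]

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best  # (network, interface) or None


def urpf_permits(fib, src_ip, ingress, mode="rx", allow_default=False):
    """True if a packet from src_ip entering on ingress passes the uRPF check.

    mode="rx"  : strict, the best path back to the source must be the ingress interface
    mode="any" : loose, any route to the source other than null0 suffices
    A default route satisfies either mode only when allow-default is set.
    """
    hit = fib.lookup(src_ip)
    if hit is None:
        return False                  # no route back to the source at all
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                  # only the default route matched
    if iface == "null0":
        return False                  # null0 route always fails (basis of source-based RTBH)
    if mode == "rx":
        return iface == ingress
    return True


# Constructed FIB standing in for the slide's Sx / Sy / Sz entries
SLIDE_FIB = Fib({
    "192.168.1.0/24": "int 1",   # Sx
    "192.168.2.0/24": "int 2",   # Sy
    "192.168.3.0/24": "null0",   # Sz
    "0.0.0.0/0": "int 3",        # default route toward the ISP
})


def demo():
    """Verdicts for the cases drawn on the strict and loose slides."""
    return {
        "strict Sx on int 1": urpf_permits(SLIDE_FIB, "192.168.1.10", "int 1", "rx"),
        "strict Sy on int 1": urpf_permits(SLIDE_FIB, "192.168.2.10", "int 1", "rx"),
        "loose Sy on int 1": urpf_permits(SLIDE_FIB, "192.168.2.10", "int 1", "any"),
        "loose Sz on int 1": urpf_permits(SLIDE_FIB, "192.168.3.10", "int 1", "any"),
        "loose unknown src": urpf_permits(SLIDE_FIB, "203.0.113.5", "int 1", "any"),
        "loose unknown src allow-default": urpf_permits(
            SLIDE_FIB, "203.0.113.5", "int 1", "any", allow_default=True),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:34} {'permit' if verdict else 'drop'}")
```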
Configuring Spoofing Features
!-- Layer 3 Spoofing Prevention
!-- Unicast RPF must have CEF enabled
ip cef
!
interface <interface>
ip verify unicast source reachable-via <mode>
!
!-- Anti-spoofing ACL (an ACL ends with an implicit deny, so add the permits the interface needs)
ip access-list extended ACL-ANTISPOOF-IN
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
!
interface <interface>
ip access-group ACL-ANTISPOOF-IN in
!
!-- Layer 2 Spoofing Prevention
!-- Configuring DHCP snooping
ip dhcp snooping
ip dhcp snooping vlan <vlan-range>
!
!-- IP Source Guard (IPSG), which requires DHCP snooping
interface <interface-id>
ip verify source
!
!-- Configuring port security
interface <interface>
switchport
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum <number>
switchport port-security violation <violation-mode>
!
SYN Cookie Packet Flow
The firewall brokers or negotiates a TCP connection on behalf of the server until it is established. Once the TCP connection with the client is established, the firewall negotiates the TCP connection with the server and then stitches the connection between the client and server together. The firewall does not store any connection state until the TCP session has been stitched together.
[Figure: client (source) IP 192.168.1.1 and server (destination) IP 192.168.2.2. On the client's SYN the firewall asks "Is IP 192.168.1.1 authenticated?" NO, so it generates a unique cookie for IP 192.168.1.1. If the cookie returned by the client is valid, IP 192.168.1.1 is authenticated; the question is now answered YES and the connection is established.]
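The broker behaviour the slide describes, as an added Python example (not ASA code): the cookie is an HMAC over the 4-tuple, a 64-second time slot and the client's ISN, so the device keeps no embryonic state and a SYN flood leaves its connection table empty. Key, slot size and the traffic are constructed.

```python
"""SYN-cookie connection broker, as an added example (not the ASA's code).
The broker answers a client SYN with a SYN/ACK whose sequence number is a
cookie (keyed MAC over the 4-tuple, a coarse time slot and the client's ISN),
stores nothing, and creates a connection only when the returning ACK carries
a valid cookie. Key, slot size and addresses are constructed for the example.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

COOKIE_KEY = b"constructed-demo-key"   # in practice a random per-boot secret
SLOT_SECONDS = 64                      # cookie time granularity
MAX_SLOT_AGE = 2                       # accept the current and two previous slots
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str          # "SYN", "SYN/ACK" or "ACK"
    seq: int
    ack: int = 0


def _mac27(flow, slot, client_isn):
    """27-bit keyed MAC binding the cookie to the flow, time slot and client ISN."""
    src_ip, src_port, dst_ip, dst_port = flow
    msg = b"|".join([src_ip.encode(), struct.pack("!H", src_port),
                     dst_ip.encode(), struct.pack("!H", dst_port),
                     struct.pack("!II", slot & MASK32, client_isn & MASK32)])
    digest = hmac.new(COOKIE_KEY, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0] & 0x07FFFFFF


def make_cookie(flow, client_isn, now):
    """32-bit ISN for the SYN/ACK: 5 bits of time slot + 27 bits of MAC."""
    slot = int(now) // SLOT_SECONDS
    return ((slot & 0x1F) << 27) | _mac27(flow, slot, client_isn)


def cookie_valid(cookie, flow, client_isn, now):
    """Recompute the cookie for each acceptable recent slot and compare."""
    current = int(now) // SLOT_SECONDS
    for age in range(MAX_SLOT_AGE + 1):
        slot = current - age
        if (slot & 0x1F) == (cookie >> 27) and _mac27(flow, slot, client_isn) == (cookie & 0x07FFFFFF):
            return True
    return False


class SynCookieBroker:
    """Brokers client handshakes without keeping embryonic-connection state."""

    def __init__(self):
        self.established = []   # populated only after a validated ACK

    def receive(self, seg, now):
        flow = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        if seg.flags == "SYN":
            # Answer on the server's behalf; nothing about this client is kept,
            # so a SYN flood costs one SYN/ACK per packet and no table entries.
            cookie = make_cookie(flow, seg.seq, now)
            return Segment(seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port,
                           "SYN/ACK", seq=cookie, ack=(seg.seq + 1) & MASK32)
        if seg.flags == "ACK":
            cookie = (seg.ack - 1) & MASK32       # our SYN/ACK sequence number
            client_isn = (seg.seq - 1) & MASK32   # the client's original SYN seq
            if cookie_valid(cookie, flow, client_isn, now):
                # Client is authenticated: now handshake with the real server and
                # stitch the two halves together (not modelled here).
                self.established.append(flow)
                return "ESTABLISHED"
            return "DROP"   # forged or stale ACK: no state was ever allocated
        return "DROP"


def simulate():
    """500 bare SYNs (a constructed flood) followed by one honest handshake."""
    broker = SynCookieBroker()
    for port in range(1024, 1524):
        broker.receive(Segment("192.168.1.1", port, "192.168.2.2", 80, "SYN", seq=7), now=1000.0)
    after_flood = len(broker.established)
    syn = Segment("192.168.1.1", 40000, "192.168.2.2", 80, "SYN", seq=1000)
    synack = broker.receive(syn, now=1000.0)
    good = Segment("192.168.1.1", 40000, "192.168.2.2", 80, "ACK", seq=1001, ack=(synack.seq + 1) & MASK32)
    forged = Segment("192.168.1.1", 40000, "192.168.2.2", 80, "ACK", seq=1001, ack=(synack.seq + 2) & MASK32)
    return {
        "state_after_flood": after_flood,
        "honest_ack": broker.receive(good, now=1005.0),
        "forged_ack": broker.receive(forged, now=1005.0),
        "stale_ack": broker.receive(good, now=1000.0 + 3 * SLOT_SECONDS),
        "connections": len(broker.established),
    }
```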
TCP-Intercept
!-- Using Modular Policy Framework (MPF), which is available on ASA
access-list management permit tcp any 192.168.131.0 255.255.255.0
!
class-map connection-limit
match access-list management
!
policy-map spoof-protect
class connection-limit
!
!-- Setting the embryonic limit to one forces all connections to be validated
!
set connection embryonic-conn-max 1
!
service-policy spoof-protect interface outside
!
!-- Static NAT: this maps the inside IP address of
!-- 192.168.131.10 to the outside IP address 192.0.2.10
!-- and creates an embryonic connection limit of 1
static (inside,outside) 192.168.222.222 192.168.111.111 tcp 0 1
!
!-- Static identity NAT, i.e. no address translation
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 tcp 0 1
!
Spoofing References
Understanding Unicast Reverse Path Forwarding
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
Bogon Reference
http://www.team-cymru.org/Services/Bogons
Firewall Packet Conformance
Virtual fragmentation reassembly: reassemble, perform consistency checks (overlap, overwrite, long, short), then forward
Fragment chain command
Dropping packets with IP options present
Fuzzy TCP flags
TCP intercept (SYN cookies)
ttl-evasion-protection in MPF (enabled by default)
TCP-MAP (TCP options, SYN data)
Accelerated Security Path (ASP) checks
Firewall ASP Checks
Firewall# capture drop type asp-drop ?
-------------------- Output Truncated in Several Places --------------------
fragment-reassembly-failed Fragment reassembly failed
invalid-ip-header Invalid IP header
invalid-ip-length Invalid IP length
invalid-ip-option IP option drop
invalid-tcp-hdr-length Invalid TCP Length
invalid-udp-length Invalid UDP Length
tcp-3whs-failed TCP failed 3 way handshake
tcp-ack-syn-diff TCP ACK in SYNACK invalid
tcp-bad-option-len Bad option length in TCP
tcp-bad-option-list TCP option list invalid
tcp-bad-sack-allow Bad TCP SACK ALLOW option
tcp-bad-winscale Bad TCP window scale value
tcp-data-past-fin TCP data send after FIN
tcp-discarded-ooo TCP ACK in 3 way handshake invalid
tcp-invalid-ack TCP invalid ACK
tcp-mss-exceeded TCP data exceeded MSS
tcp-not-syn First TCP packet not SYN
tcp-reserved-set TCP reserved flags set
tcp-rst-syn-in-win TCP RST/SYN in window
tcp-rstfin-ooo TCP RST/FIN out of order
tcp-seq-past-win TCP packet SEQ past window
tcp-seq-syn-diff TCP SEQ in SYN/SYNACK invalid
tcp-syn-data TCP SYN with data
tcp-syn-ooo TCP SYN on established conn
tcp-synack-data TCP SYNACK with data
tcp-synack-ooo TCP SYNACK on established conn
tcp-winscale-no-syn TCP Window scale on non-SYN
Cisco IOS Packet Conformance
ip options drop command
no ip source-route
Router(config)# no ip source-route
Cisco IOS Packet Conformance (Cont.)
Application Layer Protocol Inspection
Stateful deep-packet inspection
Good for protocols that open secondary ports and use embedded IP addresses
Potential DoS vector due to performance implications
User defined policies
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
Required Policy Components
Class-map: identifies the traffic that needs a specific type of control; class-maps have specific names which bind them to a policy-map
Policy-map: describes the actions to be taken on the traffic described in the class-map; policy-maps have specific names which bind them to the service-policy
Service-policy: describes where the traffic should be intercepted for control; only one service-policy can exist per interface; an additional service-policy, called global-service-policy, is defined for traffic and general policy application; this policy applies to traffic on all interfaces
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
DNS AppFW Protocol Inspection Example
DNS Resolution Fails After Service Policy Is Enabled
Disable and then Enable Service Policy which Inspects DNS Queries
Firewall(config)# no service-policy egress_policy interface inside
;; ANSWER SECTION:
www.example.com. 43200 IN A www.example.com.
[user@linux ~]$
Firewall Protocol Inspection References
Super ACL – Access Lists on Steroids
[Figure: frame layout, L2 Header | L3 Header | L4 Header | First… | Second… | Payload… | Payload… | Payload…]
FPM Policy for WPAD.DAT HTTP Request
!-- Load PHDFs for IP and TCP
load protocol flash:ip.phdf
load protocol flash:tcp.phdf
!
!-- Match TCP over IP packets
class-map type stack match-all ip_tcp_class
description "Match TCP Packets"
match field IP protocol eq 6 next TCP
!
!-- Match HTTP GET request for WPAD.DAT with destination TCP port 80
class-map type access-control match-all wpad.dat_http_request
description "Match HTTP GET Request for WPAD.DAT (case-insensitive)"
match field TCP dest-port eq 80
match start TCP payload-start offset 0 size 256 regex ".*[Gg][Ee][Tt].*\x2f[Ww][Pp][Aa][Dd]\x2e[Dd][Aa][Tt]"
!
!-- Policy that drops and logs HTTP GET requests that match the regex
policy-map type access-control fpm_wpad_classify
class wpad.dat_http_request
drop
log
!
!-- Monitor HTTP packets with a GET request for WPAD.DAT present
policy-map type access-control fpm_wpad_policy
class ip_tcp_class
service-policy fpm_wpad_classify
!
!-- Apply and enable the FPM policy
interface GigabitEthernet0/0
service-policy type access-control input fpm_wpad_policy
Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin Release for March 2009
http://tools.cisco.com/security/center/viewAlert.x?alertId=17783
FPM Policy for SNMP v1 and SNMP v3
!-- Load PHDFs for IP and UDP
load protocol disk0:ip.phdf
load protocol disk0:udp.phdf
!
!-- Match UDP over IP packets
class-map type stack match-all ip-udp-class
description "match on UDP packets"
match field ip protocol eq 17 next udp
!
!-- Match SNMPv1 packets: UDP port 161, look for a 0 in the MSG Version field
class-map type access-control match-all SNMPv1
description "match on SNMPv1 packets"
match field udp dest-port eq 161
match start udp payload-start offset 4 size 1 eq 0
!
!-- Match SNMPv3 packets: UDP port 161, look for a 3 in the MSG Version field
class-map type access-control match-all SNMPv3
description "match on SNMPv3 packets"
match field udp dest-port eq 161
match start udp payload-start offset 4 size 1 eq 3
!
!-- Policy that drops and logs SNMP v1 and v3 packets
policy-map type access-control fpm-udp-policy
description "log and drop SNMP v1 and v3 packets"
class SNMPv1
drop
log
class SNMPv3
drop
log
!
!-- Monitor UDP packets for SNMP v1 and SNMP v3
policy-map type access-control fpm-policy
description "drop SNMP v1 and v3 packets"
class ip-udp-class
service-policy fpm-udp-policy
!
!-- Apply and enable the FPM policy
interface GigabitEthernet 0/1
service-policy type access-control input fpm-policy
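Both FPM class-maps above re-created offline in Python, as an added example (not Cisco's FPM engine): the WPAD regex over the first 256 TCP payload bytes and the SNMP version byte at UDP payload offset 4. A BER-aware check is added to show that the fixed-offset match covers SNMP messages whose outer SEQUENCE uses a short-form length; the packets and the DOTALL assumption about the regex engine are the example's own.

```python
"""Offline re-creation of the two FPM match rules, as an added example
(not Cisco's FPM implementation). All packets below are constructed.
"""
import re

# Regex from the slide (case-insensitive GET ... /wpad.dat). DOTALL so '.'
# also spans CRLF; that is an assumption about FPM's regex engine.
WPAD_RE = re.compile(rb".*[Gg][Ee][Tt].*\x2f[Ww][Pp][Aa][Dd]\x2e[Dd][Aa][Tt]", re.DOTALL)


def fpm_wpad_match(dst_port, tcp_payload):
    """class-map wpad.dat_http_request: dest-port 80 and regex over payload[0:256]."""
    if dst_port != 80:
        return False
    # FPM is per packet: a request whose "/wpad.dat" falls in a later TCP
    # segment, or beyond the 256-byte window, is not seen by this rule.
    return WPAD_RE.match(tcp_payload[:256]) is not None


def fpm_fixed_offset_match(udp_payload, offset, size, value):
    """match start udp payload-start offset <offset> size <size> eq <value>."""
    if len(udp_payload) < offset + size:
        return False
    return udp_payload[offset:offset + size] == value.to_bytes(size, "big")


# --- minimal BER helpers to build realistic SNMP messages -------------------
def ber_len(n):
    """BER length: one byte below 128, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def snmp_message(version, community, pdu):
    """SEQUENCE { INTEGER version, OCTET STRING community, PDU } (v3 simplified)."""
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community) + pdu)


def snmp_version_ber(udp_payload):
    """Walk the outer SEQUENCE header properly and return the version INTEGER."""
    try:
        if udp_payload[0] != 0x30:
            return None
        i = 2 if udp_payload[1] < 0x80 else 2 + (udp_payload[1] & 0x7F)
        if udp_payload[i] != 0x02:
            return None
        vlen = udp_payload[i + 1]
        return int.from_bytes(udp_payload[i + 2:i + 2 + vlen], "big")
    except IndexError:
        return None


def demo():
    """Run both rules over constructed HTTP and SNMP payloads."""
    http = {
        "lower": b"GET /wpad.dat HTTP/1.1\r\nHost: proxy\r\n\r\n",
        "upper": b"GET /WPAD.DAT HTTP/1.0\r\n\r\n",
        "other": b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n",
        "post": b"POST /wpad.dat HTTP/1.1\r\n\r\n",
    }
    short_pdu = tlv(0xA0, b"\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00")  # GetRequest-like
    long_pdu = tlv(0xA0, b"\x00" * 200)   # padded so the outer SEQUENCE needs a long-form length
    snmp = {
        "v1_short": snmp_message(0, b"public", short_pdu),
        "v1_long": snmp_message(0, b"public", long_pdu),
        "v2c_short": snmp_message(1, b"public", short_pdu),
        "v3_short": snmp_message(3, b"", short_pdu),
    }
    return {
        "wpad": {k: fpm_wpad_match(80, v) for k, v in http.items()},
        "wpad_port_8080": fpm_wpad_match(8080, http["lower"]),
        "snmp_fixed_v1": {k: fpm_fixed_offset_match(v, 4, 1, 0) for k, v in snmp.items()},
        "snmp_fixed_v3": {k: fpm_fixed_offset_match(v, 4, 1, 3) for k, v in snmp.items()},
        "snmp_ber": {k: snmp_version_ber(v) for k, v in snmp.items()},
    }
```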
FPM References
Cisco IOS Flexible Packet Matching (FPM)
http://www.cisco.com/go/fpm
http://www.cisco.com/cgi-bin/tablebuild.pl/fpm
Flexible Packet Matching Deployment Guide
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd803936f6_ns696_Networking_Solutions_White_Paper.html
Flexible Packet Matching Feature Guide
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html
Flexible Packet Matching XML Configuration
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_tcdf.html
Getting Started with Cisco IOS Flexible Packet Matching
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd80633b0a.html
Monitoring and Identification
Monitoring
Syslog
NetFlow
Embedded Event Manager
CS-MARS
Syslog
De facto logging standard for hosts and network infrastructure devices, supported in all Cisco routers and switches
Many levels of logging detail available—choose the level(s) which are appropriate for each device/situation
ACL logging is generally contraindicated due to CPU overhead—NetFlow provides more information and doesn't max out the box
Can be used in conjunction with anycast and databases such as MySQL (http://www.mysql.com) to provide a scalable, robust logging infrastructure
Different facility numbers allow for segregation of log information based upon device type, function, or other criteria
Syslog-ng from http://www.balabit.com/products/syslog_ng/ adds a lot of useful functionality
Configuring Syslog on a Router
Syslog data is invaluable for attack forensics and for day-to-day events and debugging
To log messages to a syslog server host, use the logging global configuration command:
logging host <ip-address>
logging trap <level>
To log to the internal buffer, use:
logging buffered <size>
Ensure timestamps:
service timestamps log
Avoid debug logging to the console
Syslog
Router# show logging | include 185
Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:14.445 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55619) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:16.389 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55620) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55621) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:27.373 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55622) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:29.661 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55623) -> 192.168.150.77(139), 1 packet
Uses of Syslogs
[Figure: syslog consumers around the router: console, syslog server, SSH client, Internet]
What Are Modifiable Syslog Levels?
[no] logging message <syslog_id> level <level>
How to Create Modifiable Syslog Levels
Solution
[no] logging message <syslog_id> level <level>
Logging Debugs to Syslog
Problem
Log only debug output to syslog
Solution
Create a logging list with only syslog ID 711001
Enable debug output to syslogs
Log on the logging list
ACL Logging
ACL keyword log for Cisco IOS, Cisco ASA and FWSM
ACL keyword log-input for Cisco IOS
ip access-list log-update threshold <threshold-in-msgs>
logging rate-limit <message-rate> for Cisco IOS
Hardware support for Cisco Catalyst® 6500 series switches and 7600 series routers via Optimized ACL Logging (OAL) is enabled beginning with 12.2(17d)SXB using the mls rate-limit unicast ip icmp unreachable acl-drop 0 command
ACL logging can be CPU intensive and can negatively affect a device
Access Control List Syslog Correlation
Correlate ACL syslog messages with a specific Access Control Entry (ACE) configured in an ACL
Utilizes a user-defined tag or an IOS-generated hash value that is appended to the syslog message generated by an ACE
ip access-list logging hash-generation
access-list acl permit protocol source destination log [word]
Router# show ip access-list 102
Extended IP access list 102
10 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = MyTag)
20 permit tcp any any log (hash = 0x75F078B9)
Jun 5 12:55:44.359: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 192.168.16.1(38402) -> 192.168.16.2(23), 1 packet [0x75F078B9]
Available in 12.4(22)T
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_acl_syslog.html
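A parser for the %SEC-6-IPACCESSLOGP lines shown on this slide and on the earlier Syslog slide, as an added Python example (not Cisco or CS-MARS code): it handles both the log and log-input forms, maps the [hash]/[tag] trailer back to its ACE from show ip access-list output, and flags sources that accumulate denies. The show output and the deny threshold are constructed.

```python
"""Parser and summariser for Cisco IOS %SEC-6-IPACCESSLOGP messages, as an
added example (not Cisco or CS-MARS code). Handles the log and log-input
message forms from the syslog slide and the [tag]/[hash] trailer from the
ACL syslog correlation slide, maps that trailer to its ACE using
'show ip access-list' output, and flags sources that accumulate denies.
Log lines are taken from the slides; the 'show' output is constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<intf>\S+) (?P<mac>[0-9a-f.]+)\))?"      # only present with the log-input keyword
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
    r"(?: \[(?P<tag>[^\]]+)\])?"                         # user tag or IOS-generated hash
)
ACE_RE = re.compile(r"^\s*(?P<seq>\d+) (?P<ace>.+?) log \((?:tag|hash) = (?P<tag>\S+)\)\s*$")

# Lines from the two slides, each joined onto one line
SAMPLE_LOGS = [
    "Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet",
    "Aug 29 2007 15:58:14.445 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55619) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet",
    "Aug 29 2007 15:58:16.389 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55620) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet",
    "Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55621) -> 192.168.150.77(139), 1 packet",
    "Aug 29 2007 15:58:27.373 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55622) -> 192.168.150.77(139), 1 packet",
    "Aug 29 2007 15:58:29.661 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55623) -> 192.168.150.77(139), 1 packet",
    "Jun 5 12:55:44.359: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 192.168.16.1(38402) -> 192.168.16.2(23), 1 packet [0x75F078B9]",
]

# Constructed 'show ip access-list 102' output matching the slide
SHOW_ACL_102 = """Extended IP access list 102
    10 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = MyTag)
    20 permit tcp any any log (hash = 0x75F078B9)
"""


def parse_log(line):
    """Return the fields of one ACL log message, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def load_ace_tags(show_output):
    """Map each tag or hash in 'show ip access-list' output to 'seq ace-text'."""
    tags = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            tags[m["tag"]] = f"{m['seq']} {m['ace']}"
    return tags


def summarise(lines, ace_tags=None, deny_threshold=5):
    """Aggregate per (acl, source); flag sources whose denied packets reach the threshold."""
    ace_tags = ace_tags or {}
    per_src = defaultdict(lambda: {"denied": 0, "permitted": 0, "dports": set(), "aces": set()})
    for line in lines:
        rec = parse_log(line)
        if rec is None:
            continue
        entry = per_src[(rec["acl"], rec["src"])]
        entry[rec["action"]] += rec["count"]
        entry["dports"].add(rec["dport"])
        if rec["tag"]:
            entry["aces"].add(ace_tags.get(rec["tag"], f"unknown tag {rec['tag']}"))
    flagged = sorted(src for (acl, src), e in per_src.items() if e["denied"] >= deny_threshold)
    return per_src, flagged


def demo():
    return summarise(SAMPLE_LOGS, load_ace_tags(SHOW_ACL_102))
```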
ACL Logging References
NetFlow: Listening to the Network
[Figure: (1) packets enter the router; (2) NetFlow key fields identify the flow (source IP address, destination IP address, from/to) and usage counters are kept (packet count, byte count); (3) NetFlow export sends the records to a reporting system]
NetFlow
Internal Threat Information Resource
router(config)# ip cef
router(config-if)# ip flow ingress
router(config)# ip flow-export destination 10.10.10.10 9996
router(config)# ip flow-export version 5
[Figure: the NetFlow cache is exported as packets carrying a header (sequence number, record count, version number) followed by flow records]
NetFlow: Output
Internal Threat Information Resource
[Figure: NetFlow output views: traffic classification, flow summary, detail]
NetFlow Performance
http://www.cisco.com/en/US/products/ps6601/products_white_paper0900aecd802a0eb9.shtml
NetFlow Deployment Considerations
NetFlow should typically be enabled on all router interfaces where possible
Useful for on-box troubleshooting via CLI and for export to analysis systems (don't forget about NetFlow Top Talkers)
Ingress and egress NetFlow are now supported; analysis systems typically must be configured to understand which is in use, for purposes of directionality
EEM Example
Interface input queue monitor
http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=981
CS-MARS Rules
CS-MARS Rules in Action
Endpoint and Network Intrusion Detection and Prevention Capabilities
Intrusion Detection and Prevention
Preventing Endpoint Attacks Using CSA
All attacks perform certain behaviors for success; CSA allows you to defeat these actions using interceptors
Zero-day and targeted attacks may bypass or defeat other protection mechanisms that are deployed
Zero-day protection = ability to stop malicious code without reconfiguration or update
Protects endpoints from being compromised when other protections have failed
There is a limited number of vectors into a system; one or more of these behaviours must be used by all attacks
Stop the attack at one of these vectors and you prevent the whole attack (several opportunities exist, not just one)
Monitoring and controlling these behaviors prevents malicious activity
*Information about CSA is presented in BRKSEC-2031, Protecting Against Data Leakage with CSA
Preventing Execution
Cisco Security Agent (CSA) provides multiple interceptors for the detection and prevention of threats: network, file system, configuration, execution space
CSA is best utilized for preventing attacks targeting endpoint compromise
Do not forget about protection methods using your network
Policy Rules Drive Interceptors
Interceptors: File System, Execution Space, Application, Network, Configuration
Policy rules: Distributed Firewall, Host Intrusion Detection, Spyware and Malware Prevention, Network Worm Prevention, File Integrity Assurance, Wireless Policy Controls, Traffic Marking, IPS and NAC Integration
Intrusion Protection for the Network
Threat Rating: dynamic adjustment of an event's Risk Rating based on the success of the response action
If a response action was applied, then the Risk Rating is deprecated (TR < RR)
If a response action was not applied, then the Risk Rating remains unchanged (TR = RR)
Benefit: prioritizes alerts for operator attention; the operator can focus incident response activities on those threats that have not been mitigated
[Figure: Attack 1, no action configured: Risk Rating = 85, Threat Rating = 85. Attack 2, action configured and attack mitigated: Risk Rating = 85, Threat Rating = 55.]
Event Action Overrides
ips6x# configure terminal
ips6x(config)# service event-action-rules rules0
ips6x(config-eve)# show settings
-----------------------------------------------
overrides (min: 0, max: 15, current: 3)
-----------------------------------------------
<protected entry>
action-to-add: deny-packet-inline <defaulted>
-----------------------------------------------
override-item-status: Enabled <defaulted>
risk-rating-range: 90-100 <defaulted>
-----------------------------------------------
action-to-add: produce-alert
-----------------------------------------------
override-item-status: Enabled <defaulted>
risk-rating-range: 0-35 default: 0-100
-----------------------------------------------
action-to-add: produce-verbose-alert
-----------------------------------------------
override-item-status: Enabled <defaulted>
risk-rating-range: 35-90 default: 0-100
-----------------------------------------------
[Callouts: these are global overrides for all IPS events; deny-packet-inline for risk rating 90-100 is Automatic Threat Prevention (IPS 6.x); produce-alert writes an evIdsAlert to the EventStore; produce-verbose-alert writes an evIdsAlert to the EventStore with the triggerPacket]
IPS Mitigations and Responses
IPS/CSA Collaboration Benefits
Automation CSA/IPS Collaboration
[Figure: CSA MC configuration shown alongside the IPS configuration]
Network IPS and Cisco Security Agent Collaboration
Enhanced contextual analysis of the endpoint
Ability to use CSA inputs to influence IPS actions
Correlation of information contained in the CSA watch list
Host quarantining
[Figure: management console and service provider]
Automation CSA/IPS Collaboration
evIdsAlert: eventId=1166774738236276775 vendor=Cisco severity=low
originator:
hostId: ips6x
appName: sensorApp
appInstanceId: 388
time: May 17, 2007 8:33:28 PM UTC offset=-300 timeZone=CDT
signature: description=TCP SYN Port Sweep id=3002 version=S2
subsigId: 0
marsCategory: Probe/PortSweep/Non-stealth
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: 192.168.1.111 locality=OUT
port: 55852
target:
addr: 192.168.2.222 locality=OUT
port: 663
port: 33
port: 231
port: 564
port: 838
os: idSource=imported type=windows relevance=relevant
triggerPacket: <truncated>
riskRatingValue: 77 targetValueRating=medium attackRelevanceRating=relevant watchlist=25
threatRatingValue: 77
interface: ge0_0
protocol: tcp
[Callout: Threat Rating increased due to the watch list]
Reacting with BGP
Black Hole Filtering – Destination Based
[Figure: network with Upstream A, Upstream B, routers A through G, a POP, the NOC and the target; with destination-based black hole filtering the target is taken out]
Attack Without BHF – Collateral Damage
[Figure: the same network with Peer A at IXP-W and Peer B at IXP-E; without black hole filtering the attack on the target causes collateral damage to other customers]
Remotely Triggered Blackhole Filtering
Use BGP to trigger a network-wide, remotely controlled response to attacks
A simple static route redistributed into BGP enables a network-wide destination-address black hole, as rapidly as iBGP can propagate the route throughout the network
This provides a rapid-response tool for handling security-related events and incidents
Forms the foundation for other remotely triggered techniques that leverage BGP
Often referred to as RTBH
Using Remote Triggered Blackhole
Service providers and enterprises use it frequently
Often the only scalable answer to a large-scale DoS attack and to mitigating collateral damage
Proven very effective
Interprovider triggers are not implemented; operators rely on informal channels
Service: customer triggered. Edge customers trigger the update and the SP does not get involved
Implication: you detect, you classify, etc.
Whitelist allowed traffic to prevent self-DoS
Step 1 – Prepare All Routers with Trigger
ip route 192.0.2.1 255.255.255.255 Null0
[Figure: every edge router (at Peer A/IXP-W, Peer B/IXP-E, Upstream A and B, and the POP) is configured with Test-Net to Null0 as above; the Sinkhole Network hangs off the core; the NOC with router 172.19.61.1; the Target network is 10.68.19.0/24]
Step 2 – Prepare the Trigger Router
Step 2 – Trigger Router Configuration
Redistribute static routes into BGP with a route-map that matches the trigger tag and sets the next hop to the trigger address (192.0.2.1, the prefix every router pointed at Null0 in step 1):
!
router bgp 65535
 .
 redistribute static route-map static-to-bgp
 .
!
route-map static-to-bgp permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set community no-export
!
!-- Only statics tagged 66 are redistributed (route-map implicit deny).
!-- no-export keeps the blackhole route inside the AS; it is a common safeguard
!-- not shown on the slide and needs "neighbor ... send-community" on the iBGP peers.
!-- Step 3 then adds the victim host route on this router:
!-- ip route <victim> 255.255.255.255 Null0 tag 66
Step 3 – Activate the Blackhole
Step 3 – Activating RTBH
The slide shows the BGP update sent out after step 2. Callout: Next-Hop of 172.19.61.1 Is Now Equal to Null0
What happens when the next-hop in the routing table is Null0?
RTBH Mitigation in Action
[Figure: the same topology; iBGP from the NOC advertises the list of blackholed prefixes to the edge routers at Peer A/IXP-W, Peer B/IXP-E, the upstreams and the POP]
Black Hole Filtering – Source Based
What do we have?
Blackhole filtering: if the destination address resolves to Null0, we drop the packet
Remote triggered: trigger a prefix to resolve to Null0 on routers across the network at iBGP speeds
Unicast RPF loose check: if the source address resolves to Null0, we drop the packet
Black Hole Filtering – Source Based
Advantages of source-based filtering
No ACL update
No change to device configuration
Drops happen in the forwarding path
Can be changed frequently as attack profiles change
Weaknesses of source-based filtering
Source detection and enumeration
Attack termination detection (reporting)
Drops all packets matching the triggered source or destination on every interface where the check is enabled, regardless of actual intent
Remember spoofing: don't let the miscreant spoof a legitimate source address and trick you into black holing it
Whitelist important sites that should never be blocked
Source-Based RTBH – Drop At the Edge
[Figure: the same topology; iBGP from the NOC advertises the list of blackholed prefixes based on source addresses, and the edge routers at Peer A/IXP-W, Peer B/IXP-E and the POP drop incoming packets based on their source address]
What If I Can’t Deploy RTBH?
Start with Unicast RPF and static routes to Null0
Results in drops of traffic from these source ranges (reachable-via rx is strict mode and needs symmetric routing; loose mode, reachable-via any, is what the source-based RTBH above relies on)
interface g0/0
 ip verify unicast source reachable-via rx allow-default
ip route 10.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
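The RTBH and uRPF slides above describe the mechanism in words; the following is an added example, not code from the Cisco deck, that models it: a longest-prefix-match routing table with recursive next-hop resolution shows why a BGP route whose next hop is 192.0.2.1 becomes a black hole once every router has `ip route 192.0.2.1 255.255.255.255 Null0`, and why a loose-mode uRPF check then also drops packets from a black-holed source prefix. The trigger address 192.0.2.1 and the target network 10.68.19.0/24 are the slides'; the attacker prefix 203.0.113.0/24, the default route and the interface names are assumptions.

```python
# Added example (not from the Cisco slides): a small routing-table model that
# shows why a BGP route whose next hop is 192.0.2.1 becomes a black hole once
# every router has "ip route 192.0.2.1 255.255.255.255 Null0" (destination-based
# RTBH), and why a loose-mode uRPF check then also drops packets *from* a
# black-holed prefix (source-based RTBH). 192.0.2.1 and 10.68.19.0/24 are
# from the slides; the attacker prefix 203.0.113.0/24, the default route and
# the interface names are assumptions.
import ipaddress

NULL0 = "Null0"


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


class Rib:
    """Longest-prefix-match table. A next hop is either an outgoing interface
    name or an IP address that must itself be looked up (recursive resolution,
    which is how a BGP next hop of 192.0.2.1 ends up on Null0)."""

    def __init__(self):
        self.routes = []  # list of (ip_network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)

    def resolve(self, addr, depth=0):
        """Follow IP next hops until an interface (or Null0) is reached."""
        route = self.lookup(addr)
        if route is None:
            return None
        next_hop = route[1]
        if not _is_ip(next_hop):
            return next_hop
        if depth > 8:
            raise RuntimeError("next-hop resolution loop for %s" % addr)
        return self.resolve(next_hop, depth + 1)


def forward(rib, src, dst, urpf_loose=False):
    """Forwarding decision for one packet: 'forward', 'drop:dst-null0' or
    'drop:urpf'. Loose uRPF only asks whether *some* route for the source
    exists and is not Null0 (ip verify unicast source reachable-via any)."""
    if urpf_loose:
        via = rib.resolve(src)
        if via is None or via == NULL0:
            return "drop:urpf"
    out = rib.resolve(dst)
    if out is None or out == NULL0:
        return "drop:dst-null0"
    return "forward"


def build_edge_router():
    """Step 1 on every edge router: the trigger prefix points at Null0."""
    rib = Rib()
    rib.add("0.0.0.0/0", "Upstream-A")      # assumed default route
    rib.add("10.68.19.0/24", "POP-G")       # target network from the slides
    rib.add("192.0.2.1/32", NULL0)          # ip route 192.0.2.1 255.255.255.255 Null0
    return rib


def trigger(rib, prefix):
    """Steps 2 and 3 as seen from an edge router: the trigger router originates
    the prefix with next hop 192.0.2.1 and iBGP installs it here."""
    rib.add(prefix, "192.0.2.1")


def demo():
    rib = build_edge_router()
    before = forward(rib, "203.0.113.7", "10.68.19.5")
    trigger(rib, "10.68.19.5/32")                          # destination-based RTBH
    victim = forward(rib, "203.0.113.7", "10.68.19.5")
    neighbour = forward(rib, "203.0.113.7", "10.68.19.6")  # only the /32 is gone
    trigger(rib, "203.0.113.0/24")                         # source-based RTBH
    attacker = forward(rib, "203.0.113.7", "10.68.19.6", urpf_loose=True)
    return before, victim, neighbour, attacker


if __name__ == "__main__":
    print(demo())  # ('forward', 'drop:dst-null0', 'forward', 'drop:urpf')
```

The third result is the point of using a host route: only the victim /32 is dropped, the rest of 10.68.19.0/24 keeps flowing. The fourth result is the "no ACL update" property of source-based RTBH: nothing on the edge router changed except one more route pointing at 192.0.2.1, and the loose uRPF check does the dropping.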
Utilizing Internal RTBH Deployment
Case Study
Microsoft Server Service,
MS08-067 (CVE-2008-4250)
Microsoft Server Service, MS08-067
Attack phases: 1. Probe; 2. Penetrate [variant dependent]; 3. Persist [variant dependent]; 4. Propagate [variant dependent]; 5. Paralyze
Scan for endpoints listening on TCP/445
Guess and/or predict credentials on TCP/445
Timeline, Oct 2008 to Mar 2009:
21 November 2008: Conficker.A spreads; exploits MS08-067; DNS hooking; connects to 250 randomly generated domains/hosts per day; MD5 hashing with 1024-bit RSA digital certificate
4 February 2009: SRI Conficker analysis published
Conficker a.k.a. Downadup and MS08-067 (Cont.)
Timeline, Feb 2009 to Jun 2009 and beyond:
15 February 2009 to ???: DNS mitigation by the CWG for Conficker.A+B
20 February 2009: Conficker.C discovered, 53 days after Conficker.B; accepts commands from other Conficker nodes using peer-to-peer (P2P) via the MS08-067 vulnerability; Conficker begins to shift to a resilient P2P architecture
4 March 2009: Conficker.D discovered, 65 days after Conficker.B and 12 days after Conficker.C; connects to 500 random hosts per day (24 hours) out of 50k randomly generated domains starting on 1 April 2009; peer-to-peer with other Conficker.D infected nodes; MIT MD6 vulnerability patched; MS08-067 scanning removed; more processes added to the termination list; DNS blacklist updated for security-related web sites; transition to the new phone-home method
4 March 2009 to ???: DNS mitigation by the CWG for Conficker.C
30 March 2009 to 3 April 2009: media goes crazy over Conficker.D
30 March 2009 to 4 April 2009: various detection tools and research published
1 April 2009: Conficker.D's April Fools date, "everything is melting :D"
8 April 2009: Conficker.E, 35 days after Conficker.D; updates Conficker.B+.C+.D; deletes itself on May 3
Conficker/Downadup At Work
ACLs
Mitigation at Layer 3 boundaries where deployed
VLAN maps or port ACLs for Layer 2 access control (if needed)
If the service is required, ACLs provide no value against hosts that are permitted access to the service
Mitigating and Detecting Exploitation
IPS signatures
Intelligence about the vulnerability on the wire
Better when the application is required or ACLs do not suffice
Mitigates only if the sensor is deployed inline and the signature's actions are configured to deny; otherwise it only alerts
Mitigation: CSA
Mitigation: Cisco IOS ACL (Modularized)
ip access-list extended ACCESS-LIST
 200 deny ip 127.0.0.0 0.255.255.255 any !-- Deny Loopback netblock (src)
 210 deny ip any 127.0.0.0 0.255.255.255 !-- Deny Loopback netblock (dst)
 220 deny ip 192.0.2.0 0.0.0.255 any !-- Deny Test-Net netblock (src)
 230 deny ip any 192.0.2.0 0.0.0.255 !-- Deny Test-Net netblock (dst)
 240 deny ip 169.254.0.0 0.0.255.255 any !-- Deny Link Local netblock (src)
 250 deny ip any 169.254.0.0 0.0.255.255 !-- Deny Link Local netblock (dst)
 !-- MS RPC 0-day ACEs
 500 deny tcp any 192.168.100.0 0.0.0.255 eq 135 !-- MS RPC Endpoint Mapper
 510 deny tcp any 192.168.100.0 0.0.0.255 eq 139 !-- NetBIOS Session Service
 520 deny tcp any 192.168.100.0 0.0.0.255 eq 445 !-- Microsoft DS, and Zotob
 530 deny udp any 192.168.100.0 0.0.0.255 eq 445 !-- SMB vulns
 540 deny udp any 192.168.100.0 0.0.0.255 eq 1025 !-- MS RPC and LSA exploit traffic, and RinBot scanning for vulnerable hosts
 550 deny tcp any 192.168.100.0 0.0.0.255 range 1024 5000 !-- MS RPC DNS 0-day scans
 560 deny tcp any any eq 4444 !-- Metasploit reverse shell
 570 deny udp any any eq 1434 !-- MS SQL, Sapphire/Slammer worm
 580 deny tcp any any range 6660 6669 !-- IRC traffic
 590 deny tcp any any eq 7000 !-- IRC traffic
 !-- Remember the implicit deny at the end of the list: add the permit ACEs for
 !-- legitimate traffic (higher sequence numbers) before applying the ACL to an interface
Mitigation: FW ACL (Modularized)
Detection: ACL Counters
Detection: Firewall Syslog Events
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35565 to 192.168.1.34/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35566 to 192.168.1.87/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35567 to 192.168.1.168/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35568 to 192.168.1.76/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35569 to 192.168.1.238/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35570 to 192.168.1.201/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35571 to 192.168.1.135/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35572 to 192.168.1.172/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35573 to 192.168.1.69/445 flags SYN on interface outside
Nov 16 2008 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35574 to 192.168.1.23/445 flags SYN on interface outside
Nov 16 2008 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35575 to 192.168.1.47/445 flags SYN on interface outside
Nov 16 2008 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35576 to 192.168.1.118/445 flags SYN on interface outside
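The syslog above is what an MS08-067/Conficker scanner looks like from the firewall: one source, sequential source ports, a different internal host on TCP/445 every few milliseconds. The following is an added example, not part of the Cisco deck, that parses %ASA-2-106001 lines and reports sources denied to many distinct hosts on a port inside a short window. The log lines embedded in it are copied from the slide; the 60-second window and the 5-target threshold are assumptions a practitioner would tune.

```python
# Added example (not from the Cisco slides): parse the %ASA-2-106001 denies
# shown above and flag a source that is hitting many distinct hosts on TCP/445
# inside a short window, which is what an MS08-067/Conficker scanner looks
# like from the firewall. The log lines are copied from the slide; the
# 60-second window and the 5-target threshold are assumptions.
import re
from collections import defaultdict
from datetime import datetime

ASA_106001 = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-106001: "
    r"Inbound TCP connection denied (?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>\S+)$"
)

# Constructed sample: the twelve lines from the slide, one message per line.
SAMPLE_LOG = """\
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35565 to 192.168.1.34/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35566 to 192.168.1.87/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35567 to 192.168.1.168/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35568 to 192.168.1.76/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35569 to 192.168.1.238/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35570 to 192.168.1.201/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35571 to 192.168.1.135/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35572 to 192.168.1.172/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35573 to 192.168.1.69/445 flags SYN on interface outside
Nov 16 2008 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35574 to 192.168.1.23/445 flags SYN on interface outside
Nov 16 2008 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35575 to 192.168.1.47/445 flags SYN on interface outside
Nov 16 2008 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35576 to 192.168.1.118/445 flags SYN on interface outside
"""


def parse_106001(line):
    """Return a dict for one 106001 line, or None if the line is something else."""
    m = ASA_106001.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
    ev["dport"] = int(ev["dport"])
    return ev


def find_sweeps(lines, port=445, window_s=60, min_targets=5):
    """Map source -> largest number of distinct hosts it was denied to on
    `port` within any window_s-second window, for sources at or above
    min_targets (a sweep, not a single blocked connection)."""
    hits = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        ev = parse_106001(line)
        if ev and ev["dport"] == port and "SYN" in ev["flags"]:
            hits[ev["src"]].append((ev["ts"], ev["dst"]))
    sweeps = {}
    for src, events in hits.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):  # window starting at each event
            in_window = {dst for ts, dst in events[i:]
                         if (ts - t0).total_seconds() <= window_s}
            best = max(best, len(in_window))
        if best >= min_targets:
            sweeps[src] = best
    return sweeps


if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG.splitlines()))  # {'192.168.208.63': 12}
```

Counting distinct destinations rather than raw denies is what separates a scanner from a single misconfigured client retrying one host; the same loop works on 106023 (ACL) denies once the regex is adjusted.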
Detection: IPS
Signature ID | Description | Attack Phase
7280/0, 7280/1 | Windows Server Service Remote Code Execution | Detect and/or Prevent Vulnerability Exploitation; Penetrate
13491/0 | Worm Activity—Brute Force | Multiple Account Lock Messages, Access to ADMIN$, Write to system32; Persist and Propagate (5602/0, 5605/0, and 5589/0)
13492/0 | Worm Activity—Brute Force | 40 Account Lock Messages Within 60 Seconds; Persist and Propagate (5605/0)
16293/0, 16293/1, 16293/2 | Conficker Worm Shellcode | Detects Shellcode Used by Conficker.A Variant; Propagate
16296/0 | Potential Conficker Command and Control Request | Detects Request via C&C; Persist and Propagate
16297/0, 16297/1 | Worm Activity—Brute Force | Multiple SMB Logon Failures, 9 in 30 Seconds; Persist and Propagate
References
Microsoft Security Bulletin MS08-067, Vulnerability in Server Service Could Allow Remote Code Execution (958644)
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
Cisco IntelliShield Malicious Code Alert: Worm: W32/Conficker.worm, 17121
http://tools.cisco.com/security/center/viewAlert.x?alertId=17121
Win32/Conficker Variants Update
http://blogs.technet.com/mmpc/archive/2009/04/09/win32-conficker-variants-update.aspx
SRI Conficker Analysis, An Analysis of Conficker's Logic and Rendezvous Points
http://mtc.sri.com/Conficker
http://mtc.sri.com/Conficker/addendumC/index.html
http://mtc.sri.com/Conficker/contrib/plugin.html
http://mtc.sri.com/Conficker/contrib/scanner.html
Containing Conficker
http://iv.cs.uni-bonn.de/conficker
http://www.honeynet.org/papers/conficker
http://www.honeynet.org/node/388
Key Take Aways
Appendix
Strive for Operational Simplicity
Threat and Attack Models
Resource Exhaustion Attacks | DoS attack makes the target unavailable for its intended service; attempted by direct, transit, or reflection-based attack
Spoofing Attacks | Uses packets that masquerade with false data (such as the source IP address) to exploit a trust relationship
Transport Protocol Attacks | Prevents upper-layer communication between hosts or hijacks an established session; exploits previous authentication measures; enables eavesdropping or false data injection
Attacks Against Control-Plane Services | Attacks against DHCP, DNS, and NTP; affects network availability and operations
Application Layer Protocol Inspection
Regex support introduced in 7.2 provides the ability to filter specific traffic
Not available on FWSM
Firewall# show run all | include regex _default_
regex _default_gator "Gator"
regex _default_firethru-tunnel_2 "[/\\]cgi[-]bin[/\\]proxy"
regex _default_shoutcast-tunneling-protocol "1"
regex _default_http-tunnel "[/\\]HT_PortLog.aspx"
regex _default_x-kazaa-network "[xX]-[kK][aA][zZ][aA][aA]-[nN][eE][tT][wW][oO][rR][kK]"
regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\\][Xx][-][Mm][Ss][Nn][-][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"
regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"
regex _default_gnu-http-tunnel_uri "[/\\]index[.]html"
regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"
regex _default_gnu-http-tunnel_arg "crap"
regex _default_icy-metadata "[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"
regex _default_GoToMyPC-tunnel "machinekey"
regex _default_windows-media-player-tunnel "NSPlayer"
regex _default_yahoo-messenger "YMSG"
regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"
regex _default_firethru-tunnel_1 "firethru[.]com"
FPM Monitoring
Show all or designated FPM class maps
rtr# show class-map type [stack | access-control] [<name>]
Show all or designated FPM policy maps
rtr# show policy-map type access-control [<name>]
Show FPM policy maps on designated interface. Also show
number of packets matched
rtr# show policy-map type access-control interface <interface>
or
rtr# show policy-map type access-control control-plane <>
Show runtime classification information for loaded FPM classes
and policies
rtr# show protocols phdf <loaded-protocol>
Show listing of user-defined PHDFs stored locally on router
rtr# dir disk0:*.phdf
Track all FPM events in both control plane and data plane
rtr# debug fpm event
FPM Capability Phasing
(The slide's heading for the 12.4(15)T column is missing; it is labelled Phase 2 here because the Phase 3 protocol entry is stated relative to "Phase 2".)
Functionality | ACL | FPM Phase 1, 12.4(4)T | FPM Phase 1+, 12.4(6)T1 | FPM Phase 2, 12.4(15)T | FPM Phase 3
No. of ACEs per Interface | Unlimited | 32 classes | 32 classes | Unlimited | Unlimited
No. of Match Criteria/ACE | 4 | 8 | 8 | Unlimited | Unlimited
Depth of Inspection | 44 Bytes | 256 Bytes | 256 Bytes | Full Pkt | Stream
Raw Offset | No | Yes | Yes | Yes | Yes
Relative Offset (Fixed Header Length Support) | No | Yes | Yes | Yes | Yes
Dynamic Offset (Variable Header Length Support) | No | No | No | Yes | Yes
Match on Payload TLV Fields | No | No | No | No | Yes
Nested Policies | No | Yes | Yes | Yes | Yes
Nested Class-Maps | No | No | No | Yes | Yes
Regex Match | No | Yes | Yes | Yes | Yes
String Match | No | No | Yes | Yes | Yes
Match String Pattern Window | No | 32 Bytes | 32 Bytes | 256 Bytes | Full Pkt
Protocol Support | IPv4, TCP, UDP, ICMP | IPv4, TCP, UDP, ICMP, Ethernet | Phase 1 | Phase 1+ + GRE, IPSec | Phase 2 + DNS, SNMP, HTTP, IPv6
FPM Performance vs. Equivalent ACLs
Compare FPM to ACL processor utilization percent
Ten FPM classes or equivalent ACL
Matching on src/dst IP addr, src/dst TCP port, and TCP protocol
Ten TCP traffic streams, 50% of generated traffic matching
7206VXR NPE-400, 128 MB, 12.4(4)T
Filter Type 1000 pps 2000 pps 3000 pps 4000 pps 5000 pps
No Filter 13% 14% 15% 16% 17%
FPM 1st Match 38% 42% 43% 43% 43%
ACL 1st Match 30% 36% 37% 37% 37%
FPM 5th Match 42% 50% 59% 59% 59%
ACL 5th Match 32% 39% 40% 41% 41%
FPM 10th Match 42% 50% 50% 50% 50%
ACL 10th Match 32% 39% 39% 39% 39%
ASA Syslog Level vs. Number of Messages
Number of messages defined per level for each version; the cumulative sum up to that level is in parentheses
Level | Description | Ver. 6.3 | Ver. 7.0 | Ver. 7.2 | Ver. 8.0 | Ver. 8.1
0 | Emergencies | 0 | 0 | 0 | 0 | 0
1 | Alerts | 41 (41) | 62 (62) | 77 (77) | 78 (78) | 87 (87)
2 | Critical | 21 (62) | 29 (91) | 35 (112) | 49 (127) | 50 (137)
3 | Errors | 74 (136) | 274 (365) | 334 (446) | 361 (488) | 363 (500)
4 | Warnings | 56 (192) | 179 (544) | 267 (713) | 280 (768) | 281 (781)
5 | Notifications | 21 (213) | 161 (705) | 206 (919) | 216 (984) | 218 (999)
6 | Informational | 95 (308) | 234 (939) | 302 (1221) | 335 (1319) | 337 (1336)
7 | Debugging | 15 (323) | 217 (1156) | 258 (1479) | 266 (1585) | 267 (1603)
FWSM Syslog Level vs.
Number of Messages
Debug Commands
NetFlow Versions
NetFlow Version | Comments
1 | Original
5 | Standard and most common
7 | Specific to Cisco Catalyst 6500 and 7600 Series switches; similar to version 5, but does not include AS, interface, TCP flag and TOS information
8 | Choice of 11 aggregation schemes; reduces resource usage
9 | Flexible, extensible export format to enable easier support of additional fields and technologies; coming out now are MPLS, multicast, and BGP next-hop
Adaptive Control Technology
Next Generation Rapid Threat Containment and Response
Threat Mitigation Service (TMS) is a framework for
rapid network-wide distribution and response to threats
Near real-time threat response
Threat Information Distribution Protocol
Threat Containment Using ACT
TIDP is a protocol that allows for the quick distribution of information about network-based threats
All TIDP-enabled nodes use the payload content according to their own configuration and translate it into the appropriate enforcement actions
[Figure: Threat Information Messages (TIM) are generated via CLI/SDM on the TIDP controller and distributed by the Threat Information Distribution Protocol (TIDP) to end-point devices, each of which applies a rules engine local to that device; an NMS/syslog server receives the logging; the intelligence resides in the end-point devices]
Advanced Topics
Test Yourself
Metasploit is an exploitation framework that provides a lot of flexibility to test yourself; it is very easy to test client and service exploits; more information is at www.metasploit.com
Scapy is a powerful packet manipulation program; it requires some Python knowledge but is useful for creating specific types of network traffic; more information is at http://www.secdev.org/projects/scapy/
>>> x = fragment(IP(dst="192.168.15.60")/ICMP()/("abc"*1200),fragsize=1200)
>>> x[1].frag=145
>>> send(x)
(Callout: Changed the Fragment Offset. The frag field is in 8-byte units, so 145 places the second fragment at byte 1160 instead of 1200: it overlaps the first fragment by 40 bytes and leaves a 40-byte gap before the third, which is what the offsets in the capture below show.)
17:52:13.113797 IP (tos 0x0, ttl 64, id 1, offset 0, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: ICMP echo request, id 0, seq 0, length 1200
17:52:13.119594 IP (tos 0x0, ttl 64, id 1, offset 1160, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: icmp
17:52:13.125617 IP (tos 0x0, ttl 64, id 1, offset 2400, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: icmp
17:52:13.131597 IP (tos 0x0, ttl 64, id 1, offset 3600, flags [none], proto ICMP (1), length 28) 192.168.2.63 > 192.168.15.60: icmp
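The Scapy snippet above produces overlapping fragments, the kind of traffic the fragmentation-filtering ACLs and the fragmented-ICMP IPS signatures discussed later in this deck exist to catch. The following is an added example, not code from the Cisco deck, that rebuilds that fragment set without Scapy (a 3608-byte ICMP datagram cut into 1200-byte fragments, then the second fragment's offset rewritten to 145, i.e. byte 1160) and checks it the way a fragment-aware filter or IPS would before reassembly, reporting overlaps, gaps and incomplete sets. The addresses, sizes and the offset 145 are the slide's; the payload bytes are a placeholder.

```python
# Added example (not from the Cisco slides): rebuild, without Scapy, the
# fragment set the Scapy/tcpdump slide shows (a 3608-byte ICMP datagram cut
# into 1200-byte fragments, then the second fragment's offset rewritten to
# 145, i.e. byte 1160), and check it the way a fragment-aware filter or IPS
# would before reassembly: report overlapping fragments and gaps. Addresses
# and sizes are the slide's; the payload bytes are a placeholder.
import socket
import struct

IP_MF = 0x2000  # More Fragments flag in the flags/fragment-offset field


def _ipv4_fragment(ident, offset_bytes, more, payload, src, dst, proto=1):
    """One raw IPv4 fragment (20-byte header without options, checksum left 0)."""
    assert offset_bytes % 8 == 0, "fragment offsets are in 8-byte units"
    flags_frag = (IP_MF if more else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_fragments(payload_len, frag_size, ident=1,
                    src="192.168.2.63", dst="192.168.15.60"):
    """Split a payload_len-byte datagram into frag_size-byte fragments, the
    way Scapy's fragment(..., fragsize=frag_size) does."""
    frags, off = [], 0
    while off < payload_len:
        size = min(frag_size, payload_len - off)
        more = off + size < payload_len
        frags.append(_ipv4_fragment(ident, off, more, bytes(size), src, dst))
        off += size
    return frags


def set_offset(pkt, frag_units):
    """Rewrite the fragment offset (8-byte units), like x[1].frag = 145."""
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    flags_frag = (flags_frag & 0xE000) | (frag_units & 0x1FFF)
    return pkt[:6] + struct.pack("!H", flags_frag) + pkt[8:]


def parse_fragment(pkt):
    """Pull id, byte offset, MF flag and payload length out of a raw fragment."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {"id": ident, "offset": (flags_frag & 0x1FFF) * 8,
            "more": bool(flags_frag & IP_MF), "len": total_len - ihl}


def check_fragments(pkts):
    """Findings for the fragments of one datagram: ('overlap', start, expected)
    when a fragment starts before the previous data ended, ('gap', expected,
    start) when bytes are missing, ('incomplete', expected, None) when the
    last fragment still has MF set. An empty list means a clean, complete set."""
    frags = sorted((parse_fragment(p) for p in pkts), key=lambda f: f["offset"])
    findings, expected = [], 0
    for f in frags:
        if f["offset"] < expected:
            findings.append(("overlap", f["offset"], expected))
        elif f["offset"] > expected:
            findings.append(("gap", expected, f["offset"]))
        expected = max(expected, f["offset"] + f["len"])
    if frags and frags[-1]["more"]:
        findings.append(("incomplete", expected, None))
    return findings


def slide_scenario():
    """The slide's packets: ICMP header (8) + 'abc'*1200 = 3608 payload bytes."""
    frags = build_fragments(3608, 1200)
    frags[1] = set_offset(frags[1], 145)   # x[1].frag = 145 -> byte 1160
    return check_fragments(frags)


if __name__ == "__main__":
    print(slide_scenario())  # [('overlap', 1160, 1200), ('gap', 2360, 2400)]
```

The fragment lengths reproduce the capture (three fragments of total length 1220 and a final one of 28), and the unmodified set checks clean; only the rewritten offset produces the overlap and the gap. Which bytes win in an overlap differs between operating systems, which is exactly why an inline device should drop or normalize such sets rather than guess.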
Security = Moving Target
The Metasploit ShikataGaNai encoder makes creating exploits with polymorphic shellcode very simple; this means that simple string matches such as a 0x90/0x90/0x90 NOP sled are trivial to avoid
Metasploit Meterpreter allows for relatively simple DLL injection and command execution that is difficult to detect on the compromised system (it runs in the memory of the exploited process over the existing connection and leaves no new processes, files or network connections)
XT Bot utilized Dynamic Remote Settings Stub (DRSS) to hide communications; think of a bot that uses steganography for communication
Fast-flux DNS for botnets makes a botnet difficult to neutralize
Deceptive Defense
Darknets and illegal IP space (dark space) monitoring provide the ability to more easily identify outbreaks and aid in detecting probing that may fall under the normal radar
Low-interaction honeypots: deployed inside the network, these help quickly identify compromised systems and miscreants; real-world studies have shown that a ratio of 1/1000 of the IP space is effective
Honeytokens: a purposefully set piece of information that should only be accessed by illegal activity
Utilizing Low Interaction Honeypots to
Increase Network Security?
IPS can be configured to perform an event action override when a predetermined threshold has been met; these actions could be block address or deny attacker inline, which can apply for a specified time frame
The IPS Target Value Rating (TVR) can be used to increase the risk rating for events targeting a specific host or subset of hosts
A low-interaction honeypot such as Nepenthes (http://nepenthes.mwcollect.org/) could be deployed in conjunction with an artificially inflated TVR to trigger event actions such as deny attacker inline, removing threats before they attack real systems
Deceptive Defense in Action
[Figure: Attacker 10.10.10.100 on the Internet, through the IPS Sensor, to the internal Hosts, with the Low Interaction Honey Pot at 192.168.100.10 among them]
Deceptive Defense Mitigating the Attack
Signature 3338/1 Windows LSASS RPC overflow, base risk rating 75 (severity = high, fidelity = 75; the base value corresponds to a medium target value rating of 100)
risk rating = (ASR*TVR*SFR)/10000 + ARR – PD + WLR
Calculated for a target value rating set to high:
ASR(100) * TVR(150) * SFR(75)/10000 + ARR – PD + WLR = 112.5 + ARR – PD + WLR, which is clamped to the maximum risk rating of 100
Event action override for risk rating 90–100: deny attacker inline / request block host
[Figure: as on the previous slide; the Attacker 10.10.10.100 is blocked by the IPS Sensor after hitting the Low Interaction Honey Pot 192.168.100.10]
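The honeypot trick on this slide and the CSA watch-list bump in the evIdsAlert earlier in the deck are both just inputs to the same risk-rating formula. The following is an added example, not code from the Cisco deck, that implements that formula with the clamp to 100 and the event-action-override decision, then shows the same signature hitting a normal host versus the honeypot with its inflated TVR. The formula, TVR = 150 for "high", severity 100 and fidelity 75 for 3338/1, the watch-list value 25 and the 90 to 100 override band are from the slides; the remaining ASR/TVR/ARR constants are the Cisco IPS 6.x defaults as I know them, and truncating the result to an integer is an assumption.

```python
# Added example (not from the Cisco slides): the IPS risk-rating formula the
# slide quotes, RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, clamped to
# 0..100, and the event-action-override decision on top of it. The formula,
# TVR = 150 for "high", severity 100 / fidelity 75 for 3338/1 and the 90-100
# override band are from the slides; the remaining ASR/TVR/ARR values are the
# Cisco IPS 6.x defaults as I know them and the truncation is an assumption.

# Attack Severity Rating by signature severity
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Target Value Rating by asset value (the slide uses 150 for "high")
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}
# Attack Relevance Rating from OS fingerprinting / imported OS information
ARR = {"relevant": 10, "unknown": 0, "not-relevant": -10}


def risk_rating(severity, target_value, fidelity, relevance="unknown",
                promiscuous_delta=0, watch_list=0):
    """Risk rating 0..100 for one alert. fidelity is the signature fidelity
    rating (0..100), promiscuous_delta the PD subtracted in promiscuous mode,
    watch_list the WLR a CSA watch-list entry contributes (25 on the slide)."""
    if not 0 <= fidelity <= 100:
        raise ValueError("fidelity must be 0..100")
    raw = (ASR[severity] * TVR[target_value] * fidelity) / 10000
    raw += ARR[relevance] - promiscuous_delta + watch_list
    return int(max(0, min(100, raw)))   # truncate and clamp (assumption)


def override_actions(rr, band=(90, 100)):
    """Event action override as on the slide: add deny-attacker-inline and
    request-block-host when the risk rating falls inside the band."""
    low, high = band
    if low <= rr <= high:
        return ("deny-attacker-inline", "request-block-host")
    return ()


def honeypot_effect(severity="high", fidelity=75, relevance="relevant"):
    """The same signature (3338/1) hitting a normal host with the default
    medium TVR versus the honeypot whose TVR was set to high.
    Returns ((rr_normal, actions), (rr_honeypot, actions))."""
    normal = risk_rating(severity, "medium", fidelity, relevance)
    honey = risk_rating(severity, "high", fidelity, relevance)
    return (normal, override_actions(normal)), (honey, override_actions(honey))


if __name__ == "__main__":
    print(honeypot_effect())
    # ((85, ()), (100, ('deny-attacker-inline', 'request-block-host')))
```

Raising the TVR of one decoy host is what pushes an otherwise 85-point event over the 90 threshold, so the override fires on the honeypot hit and not on the identical probe against a production host; the CSA watch-list term moves a rating the same way from the endpoint side.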
Deceptive Defense Caveats
Remotely Triggered Blackhole
Configure all edge routers with a static route to Null0 (must use a reserved network):
ip route 192.0.2.1 255.255.255.255 Null0
Activate the blackhole:
Redistribute a host route for the victim into BGP with the next hop set to 192.0.2.1
The route is propagated using BGP to all BGP speakers and installed on routers that have the 192.0.2.1 route
All traffic to the victim is now sent to Null0
Step 1—Prepare All Routers with Trigger
Sinkhole Routers/Networks
Sinkholes are a topological security feature; think network honeypot
Router or workstation built to suck in traffic and assist in analyzing attacks (original use)
Redirect attacks away from the victim: work the attack on a router built to withstand it
Used to monitor attack noise, scans, data from misconfiguration and other activity (via the advertisement of default or illegal IP space)
Traffic is typically diverted via BGP route advertisements and policies
Leverage instrumentation in a controlled environment
Pull the traffic past analyzers/analysis tools
BGP Sinkhole Trigger
Example—BGP Sinkhole Triggers
Sinkhole IP: 192.0.2.8
Victim IP: 192.168.20.1
Trigger router configuration (the slide shows only the redistribution; the tagged victim route and the route-map that points it at the sinkhole are completed here in the same style as the RTBH trigger)
ip route 192.168.20.1 255.255.255.255 Null0 tag 66
!
router bgp 65500
 redistribute static route-map static-to-bgp
!
route-map static-to-bgp permit 10
 match tag 66
 set ip next-hop 192.0.2.8
Sinkhole Routers/Networks
[Figure: the Sinkhole Network's router advertises 192.168.20.1/32, so traffic for the Target of Attack inside 192.168.20.0/24 (the target's network) is pulled toward the sinkhole instead of the Customers]
Cisco WebEx
Meeting Manager ActiveX Control
(CVE-2008-3558)
Cisco WebEx Vulnerability
Vulnerability in Cisco WebEx Meeting Manager ActiveX
Control—CVE-2008-3558
http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml
Cisco WebEx Vulnerability
The control allows WebEx meeting participants to view Universal Communication Format (UCF) contents
Client-side program, remotely exploited with user interaction
Delivery vectors: web-based email messages, web-based instant messaging, Internet browsing, cross-site scripting (XSS), phishing
Preventing Vulnerability Exploitation
IPS signatures
Intelligence about the vulnerability on the wire
Better when the application is required or ACLs do not suffice
Mitigates only if the sensor is deployed inline and the signature's actions are configured to deny; otherwise it only alerts
IPS Signature, 6988/0
sensor# show events alert | include 6988
evIdsAlert: eventId=1214370540454919078 severity=high vendor=Cisco
originator:
hostId: sensor
appName: sensorApp
appInstanceId: 28725
time: 2008/08/14 18:55:50 2008/08/14 18:55:50 UTC
signature: description=WebEx Meeting Manager ActiveX Overflow id=6988 version=S352
subsigId: 0
sigDetails: WebEx Meeting Manager ActiveX Overflow
marsCategory: Penetrate/ClientExploit/Web
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 192.168.7.12
port: 80
target:
addr: locality=OUT 192.168.2.11
port: 2925
os: idSource=learned type=windows-nt-2k-xp relevance=relevant
alertDetails: Component Signature List: 6988.1 5477.2 ;
riskRatingValue: targetValueRating=medium 80
threatRatingValue: 80
interface: ge0_0
sensor#
Firewall HTTP Application Inspection
regex CLSID_activeX "32[Ee]26[Ff][Dd]9[-][Ff]435[-]4[Aa]20[-][Aa]561[-]35[Dd]4[Bb]987[Cc][Ff][Dd][Cc]"
regex ProgID_activeX "WebexUCFObject.WebexUCFObject.1"
!-- Create regex class map. Names are case-sensitive: the slide defined
!-- vulnerable-activeX-class but referenced vulnerable-activeX-Class in the
!-- policy and in the syslog output, so one spelling is used here.
class-map type regex match-any vulnerable-activeX-Class
 match regex CLSID_activeX
 match regex ProgID_activeX
!
!-- Create object-group with port list
object-group service WEBPORTS tcp
 port-object eq www
 port-object eq 3128
 port-object eq 8000
 port-object eq 8010
 port-object eq 8080
 port-object eq 8888
 port-object eq 24326
!
!-- Create access-list containing the object-group
access-list Webports-ACL extended permit tcp any any object-group WEBPORTS
!
!-- Create class-map matching object-group traffic
class-map Webports-Class
 match access-list Webports-ACL
!
!-- Create inspection policy map and actions. By default only the first
!-- 200 bytes of a response body are searched (body-match-maximum under
!-- parameters); raise it if the object tag sits deeper in the page.
policy-map type inspect http http-Policy
 parameters
  protocol-violation action drop-connection
 match response body regex class vulnerable-activeX-Class
  drop-connection log
!
!-- Apply and deploy policy map
policy-map global_policy
 class Webports-Class
  inspect http http-Policy
!
service-policy global_policy global
Detecting Vulnerability Exploitation
Firewall HTTP Application Inspection
firewall#show logging | grep 415007
Aug 14 2008 14:35:54: %ASA-5-415007: HTTP - matched response
body regex class vulnerable-activeX-Class in policy-map
http-Policy, Body matched - Dropping connection from
outside:192.0.2.117/2329 to inside:192.168.60.65/80
Aug 14 2008 14:36:57: %ASA-5-415007: HTTP - matched response
body regex class vulnerable-activeX-Class in policy-map
http-Policy, Body matched - Dropping connection from
outside:192.0.2.150/2330 to inside:192.168.60.65/80
firewall#
References
[Full-disclosure] Webex atucfobj Module ActiveX Control Buffer Overflow Vulnerability
http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0084.html
Preventing ActiveX Exploits with Cisco Firewall Application Layer Protocol Inspection
http://www.cisco.com/web/about/security/intelligence/actX-ALPI_amiddleton.html
Windows TCP/IP,
MS08-001 (CVE-2007-0069,
CVE-2007-0066)
Vulnerabilities
Windows kernel TCP/IP IGMPv3 and MLDv2 vulnerability, CVE-2007-0069
Remote code execution or denial of service using crafted packets over IGMPv3/IPv4 (Windows XP, Windows Vista, Windows Server 2003) or MLDv2/IPv6 (Windows Vista)
IGMPv3/MLDv2
RFCs: IGMPv3/RFC 3376, IGMPv2/RFC 2236, IGMPv1/RFC 1112, MLDv2/RFC 3810, MLDv1/RFC 2710
Both protocols provide essentially the same multicast functionality
Not much information in the initial advisory; however, a miscreant could potentially get in the ballpark by looking at what features were added between protocol versions
Routers will not forward multicast unless configured to do so
Routers will forward LSRR and SSRR (loose and strict source-routed) packets unless disabled
Mitigating the Vulnerability
Cisco IOS
ACLs: fragmentation filtering, protocol filtering, options filtering
Layer 2 preferred
Features such as no ip source-route, ip options drop
IPS signatures
6224/0, 6755/0, and 2150/0 (fragmented ICMP traffic)
(2150/0 is available via ip audit in ASA and FWSM)
Signatures provide no mitigation unless configured to take a deny action
Mitigation: Cisco IOS Features and ACLs
Router(config)#no ip source-route
Router(config)#ip options drop
Mitigation: Cisco IOS VACL
!-- Create ACLs that match traffic. Action will be applied
!-- in VLAN map section.
!
ip access-list extended match-igmp-router
permit igmp host 192.168.100.1 any
!
ip access-list extended match-icmp-router
permit icmp host 192.168.100.1 any router-advertisement
!
ip access-list extended match-igmp-subnet
permit igmp 192.168.100.0 0.0.0.255 any
!
ip access-list extended match-icmp-subnet
permit icmp 192.168.100.0 0.0.0.255 any router-advertisement
!
ip access-list extended match-all-subnet
permit ip any any
!
Mitigation: Cisco IOS VACL (Cont.)
!-- Permit the router to send IGMP anywhere
vlan access-map ms08-001 10
match ip address match-igmp-router
action forward
!-- Permit the router interface to send ICMP router advertisements anywhere
vlan access-map ms08-001 20
match ip address match-icmp-router
action forward
!-- Drop IGMP from the rest of the subnet
vlan access-map ms08-001 30
match ip address match-igmp-subnet
action drop
!-- Drop ICMP type 9 (router advertisement) from the rest of the subnet
vlan access-map ms08-001 40
match ip address match-icmp-subnet
action drop
!-- Permit all other traffic
vlan access-map ms08-001 50
match ip address match-all-subnet
action forward
!
!-- Apply to VLAN 100
vlan filter ms08-001 vlan-list 100
Mitigation: ASA and FWSM
!-- The fragment chain command can be used to prevent fragments from traversing
!-- the firewall or specific interfaces
Firewall(config)#fragment chain 1 [interface_name]
!-- Cisco ASA adaptive security appliances and FWSMs will, by default,
!-- drop all source-routed packets received on any interface and create an
!-- informational-level (severity 6) syslog message
106012: Deny IP from 192.168.100.5 to 192.168.60.5, IP options: "Loose Src Routing"
106012: Deny IP from 192.168.100.5 to 192.168.60.5, IP options: "Strict Src Routing"
Additional Mitigation and Monitoring
MS08-001 References
Microsoft Security Bulletin MS08-001: Critical Vulnerabilities in
Windows TCP/IP Could Allow Remote Code Execution (941644)
http://www.microsoft.com/technet/security/bulletin/MS08-001.mspx
MS08-001 (part 2)—the Case of the Moderate ICMP Mitigations
http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-2-the-case-of-the-moderate-icmp-mitigations.aspx
MS08-001 (part 3)—The Case of the IGMP Network Critical
http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-3-the-case-of-the-igmp-network-critical.aspx
MS08-001—the Case of the Moderate, Important, and Critical
Network Vulnerabilities
http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-the-case-of-the-moderate-important-and-critical-network-vulnerabilities.aspx
MS08-001—The Case of the Missing Windows Server 2003
Attack Vector
http://blogs.technet.com/swi/archive/2008/01/10/MS08_2D00_001-_2D00_-The-case-of-the-missing-Windows-Server-2003-attack-vector.aspx
MS08-001 References (Cont.)
Cisco applied mitigation bulletin: Microsoft Security Bulletin
for January 2008
http://tools.cisco.com/security/center/viewAlert.x?alertId=14898
Cisco IntelliShield vulnerability alert ID 14854:
Microsoft Windows Kernel IGMP and MLD Code
Execution Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=14854
Cisco IntelliShield vulnerability alert ID 14853:
Microsoft Windows Kernel ICMP Router Discovery
Protocol Denial-of-Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=14853
Exploit for MS08-001 demonstrated
http://blogs.pcmag.com/securitywatch/2008/01/exploit_for_ms08001_demonstrat.php
Storm Class Malware, CME711
Storm Malware, CME711
Attack phases (reconstructed from the slide diagram):
1. Probe [Exploit Dependent]: spam and social engineering convince the user to download an executable
2. Penetrate [Exploit Dependent]: download malicious software to the end host
3. Persist [Exploit Dependent]: join the P2P network; open up a UDP port above 1024 on the local host
4. Propagate [Exploit Dependent]: spam
5. Paralyze: DDoS, update
Diagram label: Exploit Specific
Malware in Action: CME711
Actors in the slide diagram: BotHerder, infected webserver (webtrap), victim user
1. BotHerder updates malcode on webtrap
2. Initiate new spam pointing to webtrap
3. User reads the spam and clicks link
4. User machine infected
Mitigating CME711
Actors in the slide diagram: BotHerder, infected webserver, victim
1. Break initial exploitation vector
2. Break infection vector
3. Break joining botnet
Breaking the Bot
Initial vector through spam message
User education and spam filtering
Host downloads malware from webserver
Mitigate vulnerabilities on host (patch and best practices)
Use AV or HIPS to prevent exploitation
Web content filter
DNS blackholing
Firewall
!-- Firewall configuration
Firewall(config)# access-list storm-udp extended deny udp 192.169.2.0 255.255.255.0 range 1024 65535 any range 1024 65535
What About FPM?
The P2P traffic is encrypted with a simple key; the signatures below work and are functional today, but the encryption could change
Snort signatures from
http://doc.emergingthreats.net/2007701
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535
(msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1)";
dsize:25; content:"|10 a6|"; depth:2; threshold: type both, count 2,
seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:3;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535
(msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)";
dsize:25; content:"|10 a6 d4 c3|"; depth:4; threshold: type both, count 1,
seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:1;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535
(msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)";
dsize:25; content:"|10 a0 d4 c3|"; depth:4; threshold: type both, count 1,
seconds 60, track by_src; classtype:trojan-activity; sid:2007702; rev:1;)
Source: EmergingThreats.net
Mitigation: FPM for Encrypted Storm
!-- Load PHDFs for IP and UDP
load protocol disk0:ip.phdf
load protocol disk0:udp.phdf
!
!-- Match UDP over IP packets
class-map type stack match-all ip_udp_class
description "match UDP over IP packets"
match field ip protocol eq 17 next udp
!
!-- Match Storm/CME711 packets: UDP destination port 1024-65535,
!-- UDP length (header + payload) of 33 bytes, and payload starting 0x10a6
class-map type access-control match-all encrypted_storm
description "match encrypted storm, cme711 packets"
match field udp dest-port range 1024 65535
match field udp length eq 33
match start udp payload-start offset 0 size 2 eq 0x10a6
!
!-- Policy for UDP-based attacks: drop and log
policy-map type access-control fpm_udp_policy
class encrypted_storm
drop
log
!
!-- Drop worms and malicious attacks: nest the UDP policy under the stack class
policy-map type access-control fpm_policy
class ip_udp_class
service-policy fpm_udp_policy
!
!-- Apply and enable the FPM policy
interface GigabitEthernet 0/1
service-policy type access-control input fpm_policy
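The detection logic of the Snort rules and of the FPM class-map encrypted_storm, re-implemented in Python as an added example so both can be run over the same datagrams. This is not Cisco's or EmergingThreats' code; the prefixes, sizes and thresholds are the ones on the slides, while the sample addresses, ports and payloads are constructed. It shows why FPM matches a UDP length of 33 where Snort uses dsize:25 (the UDP length field includes the 8-byte header), and two gaps between the FPM class-map and the rules: the class-map never looks at the source port, and it does not match the 0x10a0 prefix of sid 2007702.

```python
"""Storm (CME711) encrypted P2P traffic classifier: Snort rules vs. FPM class-map.

Added example; not Cisco or EmergingThreats code.  All datagrams below are
constructed for the example, not captures.
"""
from collections import defaultdict

UDP_HEADER_LEN = 8
EPHEMERAL = range(1024, 65536)
THRESHOLD_SECONDS = 60  # "seconds 60" in all three rules

# (payload prefix, sid, threshold count), taken from the three rules on the page.
SNORT_RULES = [
    (bytes.fromhex("10a6"), 2007701, 2),
    (bytes.fromhex("10a6d4c3"), 2007701, 1),
    (bytes.fromhex("10a0d4c3"), 2007702, 1),
]


def fpm_udp_length(payload: bytes) -> int:
    """Value the UDP length header field carries for this payload: header + data."""
    return UDP_HEADER_LEN + len(payload)


def snort_matches(sport: int, dport: int, payload: bytes) -> list:
    """Indices of rules whose header and payload criteria match (before thresholding)."""
    if sport not in EPHEMERAL or dport not in EPHEMERAL or len(payload) != 25:
        return []
    return [i for i, (prefix, _sid, _count) in enumerate(SNORT_RULES)
            if payload.startswith(prefix)]


def snort_sids(sport: int, dport: int, payload: bytes) -> list:
    """Distinct sids the datagram would match, sorted."""
    return sorted({SNORT_RULES[i][1] for i in snort_matches(sport, dport, payload)})


def fpm_match(dport: int, payload: bytes) -> bool:
    """Mirror class-map encrypted_storm; note it checks only the destination port."""
    return (dport in EPHEMERAL
            and fpm_udp_length(payload) == 33
            and payload[:2] == b"\x10\xa6")


def threshold_fire(state: list, now: float, count: int, seconds: int) -> bool:
    """Snort 'threshold: type both, track by_src': alert once per window, and only
    once `count` matching events have been seen inside that window."""
    start, n = state
    if start is None or now - start >= seconds:
        start, n = now, 0
    n += 1
    state[0], state[1] = start, n
    return n == count


STORM_PAYLOAD = bytes.fromhex("10a6d4c3") + b"\x00" * 21   # 25 bytes, variant 1
OTHER_PAYLOAD = bytes.fromhex("10a0d4c3") + b"\x00" * 21   # 25 bytes, sid 2007702

# Constructed traffic: (time_s, src_ip, sport, dport, payload)
SAMPLE_DATAGRAMS = [
    (0.0, "192.0.2.10", 4001, 7871, STORM_PAYLOAD),
    (1.0, "192.0.2.10", 4001, 7871, STORM_PAYLOAD),
    (2.0, "192.0.2.10", 4001, 7871, STORM_PAYLOAD),
    (3.0, "192.0.2.11", 4002, 9999, OTHER_PAYLOAD),              # FPM does not cover this prefix
    (4.0, "192.0.2.12", 53, 7871, STORM_PAYLOAD),                # low source port: rules skip, FPM drops
    (5.0, "192.0.2.13", 4003, 7871, b"\x10\xa6" + b"\x00" * 30),  # 32-byte payload: neither matches
]


def run_sample():
    """Return (Snort alerts as (time, src, sid), number of datagrams FPM would drop)."""
    tracker = defaultdict(lambda: [None, 0])   # (rule index, src) -> [window_start, count]
    alerts, fpm_drops = [], 0
    for t, src, sport, dport, payload in SAMPLE_DATAGRAMS:
        for i in snort_matches(sport, dport, payload):
            if threshold_fire(tracker[(i, src)], t, SNORT_RULES[i][2], THRESHOLD_SECONDS):
                alerts.append((t, src, SNORT_RULES[i][1]))
        if fpm_match(dport, payload):
            fpm_drops += 1
    return alerts, fpm_drops


if __name__ == "__main__":
    found, dropped = run_sample()
    for t, src, sid in found:
        print(f"t={t:4.1f}s  {src:<12} sid={sid}")
    print(f"FPM would drop {dropped} of {len(SAMPLE_DATAGRAMS)} datagrams")
```

Over the constructed traffic the rules raise three alerts (two for 2007701 from the first source, one for 2007702 from the second) while the class-map drops four datagrams: it also drops the low-source-port datagram the rules ignore, but lets the 0x10a0 variant through. When porting a Snort signature to FPM, compare field by field in this way rather than assuming equivalence.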
Mitigation: Deny Downloader via HTTP Inspection
regex exe_url ".*\.[Ee][Xx][Ee]"
!-- Create regex class map
class-map type regex match-any bad_urls
match regex exe_url
class-map type inspect http match-any http-urls
match request uri regex class bad_urls
class-map http-port
match port tcp eq www
!-- Create policy map, actions set to drop and log
policy-map type inspect http http-policy
parameters
protocol-violation action drop-connection
class http-urls
drop-connection log
!-- Apply and enable the "EXE Downloader" policy
policy-map global_policy
class http-port
inspect http http-policy
service-policy global_policy global
Mitigation: Deny Botnet Access via DNS Inspection
!-- Domains from http://www.disog.org/text/storm-fastflux.txt
regex bad_domain1 "tibeam\.com"
regex bad_domain2 "tushove\.com"
regex bad_domain3 "kqfloat\.com"
!
class-map type regex match-any bad_domains
match regex bad_domain1
match regex bad_domain2
match regex bad_domain3
!
class-map type inspect dns bad_domain_query
match not header-flag QR
match question
match domain-name regex class bad_domains
!
policy-map type inspect dns bad_domain_policy
class bad_domain_query
drop log
!
class-map inspection_default
match default-inspection-traffic
!
policy-map egress_policy
class inspection_default
inspect dns bad_domain_policy
!
service-policy egress_policy interface inside
!
Identification
Storm Worm References
Storm Worm DDoS Attack
http://www.secureworks.com/research/threats/view.html?threat=storm-worm
Storm (Worm) Peacomm Analysis
http://www.cyber-ta.org/pubs/StormWorm/report/
Schneier on Security
http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html
April Storm’s Day Campaign
http://asert.arbornetworks.com/2008/03/april-storms-day-campaign/
Antirootkit.com blog
http://www.antirootkit.com/blog/category/storm-worm/
The Evolution of Peacomm to all-in-one Trojan
http://www.symantec.com/enterprise/security_response/weblog/2007/04/the_evolution_of_peacomm_to_al.html
Known Storm Fast Flux Domains
http://www.disog.org/text/storm-fastflux.txt
Windows DNS Server RPC Interface, MS07-029 (CVE-2007-1748)
Microsoft DNS Server RPC Interface
W32/Nirbot.worm!83E1220A attack phases (reconstructed from the slide diagram):
1. Probe: query RPC endpoint mapper on TCP/135 for vulnerable ports or scan TCP/1024-5000; guess user accounts on TCP/139 and 445
2. Penetrate: download and copy malicious code to C:\U.exe
3. Persist [Variant Dependent]: create back door access
4. Propagate [Variant Dependent]: connect to command and control on TCP port 8080
5. Paralyze
Diagram label: Malcode Specific
Mitigating the Vulnerability
ACLs
Mitigation at the L3 boundary where deployed; VLAN maps and port ACLs for L2 access control if needed
If the application is required, ACLs provide no value against the sources that are allowed access
IPS signatures
Understand the application and the vulnerability better, for when the application is required or ACLs do not suffice
Signatures provide no mitigation unless configured to take a deny action
Mitigation: Cisco IOS ACL (Modularized)
ip access-list extended ACCESS-LIST
200 deny ip 127.0.0.0 0.255.255.255 any !-- Deny Loopback netblock (src)
210 deny ip any 127.0.0.0 0.255.255.255 !-- Deny Loopback netblock (dst)
220 deny ip 192.0.2.0 0.0.0.255 any !-- Deny Test-Net netblock (src)
230 deny ip any 192.0.2.0 0.0.0.255 !-- Deny Test-Net netblock (dst)
240 deny ip 169.254.0.0 0.0.255.255 any !-- Deny Link Local netblock (src)
250 deny ip any 169.254.0.0 0.0.255.255 !-- Deny Link Local netblock (dst)
!-- MS RPC 0-day ACEs
500 deny tcp any 192.168.100.0 0.0.0.255 eq 135 !-- MS RPC Endpoint Mapper
510 deny tcp any 192.168.100.0 0.0.0.255 eq 139 !-- NetBIOS Session Service
520 deny tcp any 192.168.100.0 0.0.0.255 eq 445 !-- Microsoft DS, and Zotob
530 deny udp any 192.168.100.0 0.0.0.255 eq 445 !-- SMB vulns
540 deny udp any 192.168.100.0 0.0.0.255 eq 1025 !-- MS RPC and LSA exploit traffic, and RinBot scanning for vulnerable hosts
550 deny tcp any 192.168.100.0 0.0.0.255 range 1024 5000 !-- MS RPC DNS 0-day scans
560 deny tcp any any eq 4444 !-- Metasploit Reverse Shell
570 deny udp any any eq 1434 !-- MS SQL, Sapphire/Slammer Worm
580 deny tcp any any range 6660 6669 !-- IRC traffic
590 deny tcp any any eq 7000 !-- IRC traffic
Mitigation: FW ACL (Modularized)
Firewall# show access-list tACL
access-list tACL line 1 deny ip host 127.0.0.0 any
access-list tACL line 2 deny ip 192.0.2.0 255.255.255.0 any
access-list tACL line 3 deny ip any 192.0.2.0 255.255.255.0
--------- Output Truncated -------
access-list tACL line 10 deny icmp any 192.168.100.0 255.255.255.0 echo
--------- Output Truncated -------
access-list tACL line 19 permit tcp any host 192.168.100.10 eq www
access-list tACL line 20 permit tcp any host 192.168.100.10 eq https
--------- Output Truncated -------
access-list tACL line 35 deny ip any any
Mitigation: IPS Signature 5858
ips6x#show events alert | include id=5858
------------Output Truncated ----------
!-- Signature description and ID
signature: description=DNS Server RPC Interface Buffer Overflow id=5858 version=S282
subsigId: 0
sigDetails: DNS Server RPC Interface Buffer Overflow
marsCategory: Penetrate/BufferOverflow/RPC
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 192.168.6.66
port: 1063
target:
addr: locality=IN 192.168.1.11
port: 1032
!-- OS identification and relevancy
os: idSource=learned type=windows-nt-2k-xp relevance=relevant
actions:
deniedPacket: true
!-- Risk rating, action, and threat rating
riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 50
interface: ge0_0
protocol: tcp
Mitigation: CSA
Identification: ACL Counters
Firewall# show access-list tACL
-------- Output Truncated ---------
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 135 (hitcnt=3)
access-list tACL line 20 deny tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn (hitcnt=0)
access-list tACL line 21 deny tcp any 192.168.100.0 255.255.255.0 eq 445 (hitcnt=10)
access-list tACL line 22 deny tcp any 192.168.100.0 255.255.255.0 range 1024 5000 (hitcnt=106)
Identification: Firewall Syslog Events
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied
192.168.208.63/35565 to 192.168.2.1/1025 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied
192.168.208.63/35566 to 192.168.2.1/1026 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied
192.168.208.63/35567 to 192.168.2.1/1027 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied
192.168.208.63/35568 to 192.168.2.1/1028 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied
192.168.208.63/35569 to 192.168.2.1/1029 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied
192.168.208.63/35570 to 192.168.2.1/1030 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied
192.168.208.63/35571 to 192.168.2.1/1031 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied
192.168.208.63/35572 to 192.168.2.1/1032 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied
192.168.208.63/35573 to 192.168.2.1/1033 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied
192.168.208.63/35574 to 192.168.2.1/1033 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied
192.168.208.63/35575 to 192.168.2.1/1032 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied
192.168.208.63/35576 to 192.168.2.1/1031 flags SYN on interface outside
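An added example, not from the deck or from Cisco, that parses %ASA-2-106001 events like the ones above and flags a source sweeping many distinct ports in the TCP/1024-5000 range on one host within a short window, which is the behaviour ACE 550 and the tACL line 22 counter (hitcnt=106) are catching. The log text is constructed to reproduce the slide's sweep; the decoy source 198.51.100.7 and the %ASA-6-302013 connection-built line are made up, and the regex accepts the slide's wording both with and without the word "from" before the source address.

```python
"""Port-sweep detection over ASA %ASA-2-106001 "Inbound TCP connection denied" events.

Added example for this section, not Cisco code.  The log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-106001: "
    r"Inbound TCP connection denied (?:from )?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) "
    r"flags (?P<flags>\S+) on interface (?P<iface>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a 106001 event, or None for any other message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev.pop("ts"), "%b %d %Y %H:%M:%S")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def parse_events(text: str) -> list:
    """All 106001 events in a block of syslog text, in file order."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def detect_sweeps(events, port_range=(1024, 5000), min_ports=5, window_s=60) -> list:
    """Per (src, dst) pair, count distinct denied destination ports inside
    port_range within any sliding window of window_s seconds; report pairs
    that reach min_ports distinct ports."""
    lo, hi = port_range
    by_pair = defaultdict(list)
    for ev in events:
        if lo <= ev["dport"] <= hi:
            by_pair[(ev["src"], ev["dst"])].append(ev)
    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["time"])
        window, best = [], 0
        for ev in evs:
            window.append(ev)
            while (ev["time"] - window[0]["time"]).total_seconds() > window_s:
                window.pop(0)
            best = max(best, len({w["dport"] for w in window}))
        if best >= min_ports:
            findings.append({"src": src, "dst": dst, "distinct_ports": best,
                             "first": evs[0]["time"], "last": evs[-1]["time"]})
    return findings


# Constructed log: the sweep from the slide (ports 1025-1033, then 1033-1031 two
# seconds later), a repeat offender hitting one port only (not a sweep), and one
# unrelated connection-built message the parser skips.
SAMPLE_LOG = "\n".join(
    [f"May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied "
     f"192.168.208.63/{35565 + i} to 192.168.2.1/{1025 + i} flags SYN on interface outside"
     for i in range(9)]
    + [f"May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied "
       f"192.168.208.63/{35574 + i} to 192.168.2.1/{1033 - i} flags SYN on interface outside"
       for i in range(3)]
    + [f"May 16 2007 15:09:0{i}: %ASA-2-106001: Inbound TCP connection denied "
       f"198.51.100.7/{40000 + i} to 192.168.2.1/1025 flags SYN on interface outside"
       for i in range(3)]
    + ["May 16 2007 15:09:05: %ASA-6-302013: Built outbound TCP connection 4711 for "
       "outside:198.51.100.20/80 (198.51.100.20/80) to inside:192.168.2.50/51234 (203.0.113.9/51234)"]
)


if __name__ == "__main__":
    for f in detect_sweeps(parse_events(SAMPLE_LOG)):
        print(f"{f['src']} swept {f['distinct_ports']} ports on {f['dst']} "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

Counting distinct destination ports per source/destination pair, rather than raw denials, is what separates the endpoint-mapper sweep from a host that keeps retrying one blocked service; the thresholds are tunable and the window keeps a slow scanner from hiding behind a long log.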
Identification: IPS
The Exploits
W32/Nirbot.worm!83E1220A
Download worm on random HTTP server port
Connect via IRC over port 8080
IRC servers include:
{blocked}.rofflewaffles.us
{blocked}.anti-viral.us
{blocked}.wayne.brady.gonna.have.to.{blocked}.us
Chasing individual exploits is a bit like chasing your tail, but there are several patterns we can catch (this time) and several ways in which they can be mitigated
Exploit Specific
Exploit Specific: ASA HTTP Inspection
!
access-list web-ports extended permit tcp any any eq 80
access-list web-ports extended permit tcp any any eq 8080
!
class-map webports
match access-list web-ports
!
policy-map type inspect http http-policy
parameters
protocol-violation action drop-connection
!
policy-map global_policy
class webports
inspect http http-policy
!
service-policy global_policy global
!
References
Microsoft Security Bulletin MS07-029, Vulnerability in
Windows DNS RPC Interface Could Allow Remote Code
Execution (935966)
http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx
W32.Rinbot.BC [Symantec]
http://www.symantec.com/security_response/writeup.jsp?docid=2007-041701-3720-99&tabid=2
References (Cont.)
W32/Delbot-AI [Sophos]
http://www.sophos.com/security/analyses/viruses-and-spyware/w32delbotai.html
W32/Nirbot.worm!83E1220A [McAfee]
http://vil.nai.com/vil/content/v_142025.htm