
October 5-8, 2009 Santiago, Chile

Monitoring, Mitigating,
and Handling Threats
BRKSEC-2004

Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Housekeeping

- We value your feedback—do not forget to complete your online session evaluations after each session
- Visit the World of Solutions
- Please remember this is a non-smoking venue!
- Please switch off your mobile phones
- Please remember to wear your badge at all times

BRKSEC-2004_c2 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 2
Session Objectives

- Best Common Practices (BCPs) that make use of point device capabilities for detecting and protecting assets against existing, current, and emerging threats
- Experience with Cisco IOS® security features, firewall products, intrusion detection, and/or prevention products
- Knowledge of the various sources of events, messages, and data-types used during incident handling

Agenda

- Introduction
- Mitigation and Prevention
- Monitoring and Identification
- Endpoint and Network IPS Capabilities
- Reacting with BGP
- MS08-067 = Conficker = Downadup

Network Security is a System

- Firewall + AV ≠ Network Security
- Network security is not something you can just buy
  - Technology will assist
  - Policy, operations, and design are more important
- Network security system
  - A collection of network-connected devices, technologies, and best practices that work in complementary ways to provide security to information assets

Threat Education and Awareness

- Knowledge of threats provides a firmer understanding of vulnerabilities and the risks and impact associated with your network
- Without a thorough understanding of threats, you cannot take the necessary steps to implement an effective security solution
- Security solutions and features to detect, deter, and prevent the risks and impacts of vulnerability exploitation and attacks will be discussed

Type of Threats that Affect You

- Many factors threaten network infrastructures
  - Natural disasters
  - Unintentional, man-made attacks based on human error
  - Malicious attacks
- The clear distinction between human error and malicious attacks is intent
- Protection against malicious and unintentional attacks must both be considered
  - An outage is an outage

Remember Collateral Damage!

- Attacks may have additional consequences beyond the intended target
- A DoS attack against one remote network may adversely affect other networks, resulting in collateral damage and a wider impact
- Collateral damage must also be considered when evaluating the risk and impact of threats and attacks
- Collateral damage is possible in both the ingress and egress data paths; account for both!

How Computers and Networks Are Owned

- Service vulnerabilities (IIS, Apache, SMB)
- Application vulnerabilities (XSS)
- Denial of service
  - Flooding
    - Spoofed (smurf, syn-flood)
    - Non-spoofed rate
  - Packet conformance vulnerabilities
- Client-side application vulnerabilities
- Configuration vulnerabilities (weak passwords, lack of encryption, etc.)

Mitigation capabilities listed alongside on the slide: Access Control, Application Inspection, IPS Capabilities, Spoofing Prevention, Packet Conformance, User Education

There Is NO Silver Bullet

- ACLs are most effective when the service is not required, and are only effective between the boundaries where they are deployed, which is usually a Layer 3 interface
- IPS only mitigates when it is configured to, or deployed in inline protection mode
- AV detection is not 100% (~85% with samples taken from honeypots)
- All new technologies introduce potential vulnerabilities in themselves
- Complexity introduces errors

Source: Virtual Honeypots
Know Your Enemy: Anatomy of an Attack

1. Probe
   - Ping addresses
   - Scan ports
   - Passive probing
   - Guess user accounts
2. Penetrate
   - Phishing and social engineering
   - Mail attachments
   - Buffer overflows
   - ActiveX controls
   - Network installs
   - Compressed messages
   - Guess backdoors
3. Persist
   - Create new files
   - Modify existing files
   - Weaken registry security settings
   - Install new services
   - Register trap doors
4. Propagate
   - Mail copy of attack
   - Web connection
   - IRC
   - FTP
   - Infect file shares
5. Paralyze
   - Delete files
   - Modify files
   - Drill security hole
   - Crash computer
   - Denial of service
   - Steal secrets

Worm/Virus: Exploit Comparison (20 Years)

Morris (1988)
  Probe: Scan for Fingerd
  Penetrate: Buffer Overflow in Fingerd
  Persist: Execute Script to Download Code
  Propagate: Look for Open Addresses and Spread to New Victim
  Paralyze: Lots of Worm Processes, Slow System

Love Bug (2000)
  Probe: N/A
  Penetrate: Arrive as Email Attachment
  Persist: Create Executables and Edit Registry
  Propagate: Open Address Book and Email Copies
  Paralyze: Worm Spreads

Code Red (2001)
  Probe: Scan for IIS
  Penetrate: Buffer Overflow in IIS
  Persist: Execute Script to Download Code
  Propagate: Pick New Addresses and Spread to New Victim
  Paralyze: Lots of Worm Threads, Slow System

Slammer (2003)
  Probe: N/A
  Penetrate: Buffer Overflow in SQL and MSDE
  Persist: N/A
  Propagate: Pick New Addresses and Spread to New Victim
  Paralyze: Lots of Worm Packets, Slow Network

MyDoom (2004)
  Probe: N/A
  Penetrate: Arrive as Email Attachment
  Persist: Create Executables and Edit Registry
  Propagate: Search Address Book and for Addresses, Email Copies
  Paralyze: Worm/Trojan Spreads

Zotob (2005)
  Probe: Scan for MS Directory Services
  Penetrate: Buffer Overflow in UPNP Service
  Persist: Create Files, Edit Registry, Download Code (FTP and TFTP)
  Propagate: Look for Open Services and Spread to New Victim
  Paralyze: Worm Spreads

RPC DNS (2007)
  Probe: Scan for Endpoint Mapper
  Penetrate: Buffer Overflow in RPC Service
  Persist: Execute Payload to Download Code (Peer-to-Peer)
  Propagate: HTTP C&C
  Paralyze: Worm Spreads

MS08-067 (2008)
  Probe: Scan for MS Directory Services
  Penetrate: Buffer Overflow in Server Service, Mapped and Removable Drives
  Persist: Modify Registry, Download Code, DNS Hooking, Kill Processes, Hot Patch
  Propagate: Look for Addresses and Spread to New Victim, Network Share, Web Listener
  Paralyze: Delete Registry Keys and Files, Terminate Processes

Defense-in-Depth Strategy (DIDS)

- Layering security defenses reduces threat exposure and reduces the window of opportunity for miscreants
- Apply appropriate controls closest to the victim and miscreant
- Any defense mechanism may fail, be bypassed, or defeated
- Embrace multiple protection methods that complement each other

Mitigation and Prevention

Mitigation

- Access Control
- Spoofing Prevention
- Packet Conformance
- Application Inspection
- Flexible Packet Matching

Access Control

- Highly effective deterrent at an enforced boundary for Layer 3 and Layer 4 traffic
- Not effective when services/applications are required by potentially malicious users
- Classification ACLs aid in identification
- Default deny ingress/egress will prevent a lot
- Filter as precisely as possible
  - Source and destination (Layer 3 and Layer 4)
- Filter as early as possible in the network

ACL Cisco IOS vs. Firewall

Feature             | ASA and FWSM                         | Cisco IOS
IP Fragmentation    | fragments on ACLs and fragment chain | Virtual reassembly using ip virtual-reassembly under interface configuration
State               | ACLs have state                      | Use of established keyword or Cisco IOS Firewall
IP Option Filtering | Drop IP options by default           | option keyword, 12.3(4)T
TTL Filtering       | ttl-evasion-protection via MPF       | ttl keyword, 12.4(2)T
TCP Flags           | Verified by default                  | syn, fin, ack, psh, urg, rst keywords, 12.3(4)T

Utilizing Cisco IOS ACL Capabilities
!
Router(config)#ip access-list extended tACL
!
!-- Deny loose source routed packets
!
Router(config-ext-nacl)#deny ip any any option lsr
!
!-- Deny fragmented packets
!
Router(config-ext-nacl)#deny ip any any fragments
!
!-- Deny TCP packets with SYN and FIN flags set
!
Router(config-ext-nacl)#deny tcp any any match-all +syn +fin
!
!-- Deny packets with TTL values less than 5
!
Router(config-ext-nacl)#deny ip any any ttl lt 5
!

Layer 2 Access Control
!
!-- VLAN Access Control List (VACL)
!-- Create ACL default permit
ip access-list extended VACL-MATCH-ANY
 permit ip any any
!
!-- Create ACL match ports (permit ACE rules to classify traffic)
ip access-list extended VACL-MATCH-PORTS
 permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
 permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 139
!
!-- Create VLAN Access Map for VACL policy; set action to drop for matched ports
vlan access-map VACL 10
 match ip address VACL-MATCH-PORTS
 action drop
!
vlan access-map VACL 20
 match ip address VACL-MATCH-ANY
 action forward
!
!-- Apply and enable VACL for use
vlan filter VACL vlan 100
!
!
!-- Port ACL
ip access-list extended <acl-name>
 permit <protocol> <source-address> <source-port> <destination-address> <destination-port>
!
interface <type> <slot/port>
 switchport mode access
 switchport access vlan <vlan_number>
 ip access-group <acl-name> in
!

Modular and Phase-Based ACL Policy (Hybrid Permit/Deny)

1. Anti-spoofing (rarely changes)
2. Anti-bogon (source) (rarely changes)
3. Infrastructure permit (rarely changes)
4. Explicit deny specific Layer 3 (sometimes changes)
5. Explicit deny specific Layer 4 (sometimes changes)
6. Incident response and countermeasure (changes every day)
7. Explicit permit Layer 3 (good traffic) (sometimes changes)
8. Explicit permit Layer 4 (good traffic) (sometimes changes)
9. Explicit deny (rarely changes)

Filter Shields = Phase-Based Modules

[Diagram: Customer Traffic passes through ingress Packet Shields #1 to #4 and becomes Permitted Customer Traffic, which then passes through Egress Packet Shields #1 and #2. Shield labels on the slide: Spoofed Source Addresses, Targeting the Infrastructure, Targeting the Customer, Application Filters / Policy Enforcement (ingress); Spoofed Source Addresses, Denied Apps Out (egress).]

Known, Unknown, & Undesirable Traffic
ip access-list extended ACCESS-LIST
200 deny ip 127.0.0.0 0.255.255.255 any !-- Deny Loopback netblock (src)
210 deny ip any 127.0.0.0 0.255.255.255 !-- Deny Loopback netblock (dst)
220 deny ip 192.0.2.0 0.0.0.255 any !-- Deny Test-Net netblock (src)
230 deny ip any 192.0.2.0 0.0.0.255 !-- Deny Test-Net netblock (dst)
240 deny ip 169.254.0.0 0.0.255.255 any !-- Deny Link Local netblock (src)
250 deny ip any 169.254.0.0 0.0.255.255 !-- Deny Link Local netblock (dst)
----- Output Truncated -----
500 deny tcp any any eq 135 !-- MS RPC Endpoint Mapper
510 deny tcp any any eq 139 !-- NetBIOS Session Service
520 deny tcp any any eq 445 !-- Microsoft DS, and Zotob
530 deny udp any any eq 445 !-- SMB vulns
540 deny tcp any any eq 4444 !-- Metasploit Reverse Shell
550 deny udp any any eq 1434 !-- MS SQL, Sapphire/Slammer Worm
560 deny tcp any any range 6660 6669 !-- IRC traffic
570 deny tcp any any eq 7000 !-- IRC traffic
----- Output Truncated -----
600 deny udp any any eq 1025 !-- MS RPC and LSA exploit traffic
610 deny tcp any any eq 5000 !-- UPnP Buffer Overflow exploit traffic

Note: Filtering Registered or Dynamic/Private Port Ranges May Cause Strange Behaviors
Access Control References

- ASA 8.0 Identifying Traffic with Access Lists
  http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/traffic.html
- Transit Access Control Lists: Filtering at Your Edge
  http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
- Configuring Network Security with ACLs
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swacl.html
- Protecting Your Core: Infrastructure Protection Access Control Lists
  http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

Spoofing Prevention

- Minimize attacks that require spoofing
  - SYN Flood
  - Smurf attack
- Attack trace back simplified
- Multiple features exist
  - Access Control Lists (ACLs)
  - Unicast Reverse Path Forwarding (Unicast RPF)
  - TCP intercept (SYN cookies)
  - IP Source Guard (IPSG)*
  - DHCP snooping*

*Detailed Information About Layer 2 Security Is Available in BRKSEC-2202


Unicast Reverse Path Forwarding

- Which mode to deploy: strict or loose?
  - Strict for symmetrical flows
  - Loose for asymmetrical flows
- Effectively drops packets that lack a verifiable IPv4 or IPv6 source address
- Not 100% effective; however, through proper deployment Unicast RPF can protect against most Layer 3 spoofed packets
- Tuning for Unicast RPF is provided through ACLs

Strict Mode Unicast RPF

Router(config-if)# ip verify unicast source reachable-via rx
(deprecated syntax: ip verify unicast reverse-path)

[Diagram: router with int 1, int 2 and int 3 and FIB entries Sx -> int 1, Sy -> int 2, Sz -> null0. A packet passes when the FIB path for its source IP points back out the receiving interface (sourceIP = rx int?); a packet whose source is reached via a different interface, or via null0, is dropped (sourceIP != rx int?).]

Loose Mode Unicast RPF

Router(config-if)# ip verify unicast source reachable-via any

[Diagram: same router and FIB (Sx -> int 1, Sy -> int 2, Sz -> null0). A packet passes when the FIB holds a path for its source IP via any interface (sourceIP = any int?); a packet from Sz, whose only path is null0, or from a source with no FIB entry (Sx ???) is dropped (sourceIP != any int?).]

Address Spoofing Prevention in the Enterprise

Enterprise: 192.168.0.0/16, with LANs 192.168.1/24, 192.168.2/24 and 192.168.3/24 behind an ISP-facing router

Block leaving source != own network (egress toward the ISP):
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip any any
or
ip verify unicast source reachable-via rx

Block entering source = own network (ingress from the ISP):
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
or
ip verify unicast source reachable-via rx allow-default

Block sources that do not belong to the subnet (on each LAN interface):
access-list 102 permit ip 192.168.X.0 0.0.0.255 any
access-list 102 deny ip any any
or
ip verify unicast source reachable-via rx
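The strict/loose decision from the two Unicast RPF figures, plus the allow-default variant used at the enterprise edge above, modelled in Python as an added example (not Cisco code; the FIB contents, prefixes and interface names are constructed to mirror the figures):

```python
"""Unicast RPF strict/loose check modelled in Python (added example).

The FIB below is constructed to mirror the figures: Sx reachable via int 1,
Sy via int 2, Sz via a null0 (discard) route.  ENTERPRISE_FIB adds the
default route that makes 'allow-default' matter on the ISP-facing interface.
"""
import ipaddress

FIB = {
    "192.168.1.0/24": "int 1",   # Sx
    "192.168.2.0/24": "int 2",   # Sy
    "10.0.0.0/8":     "null0",   # Sz: routed to null0 (bogon sink)
}

ENTERPRISE_FIB = {
    "192.168.0.0/16": "inside",  # own network
    "0.0.0.0/0":      "isp",     # default route toward the Internet
}


def fib_lookup(fib, ip):
    """Longest-prefix match. Returns (network, interface) or None if no route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_permits(fib, src_ip, rx_iface, mode="rx", allow_default=False):
    """Decide whether a packet from src_ip received on rx_iface passes uRPF.

    mode="rx"  : strict, the reverse path must leave via the receiving interface
    mode="any" : loose, any non-null0 route to the source is enough
    allow_default: let the 0.0.0.0/0 route count as a reverse path; without it,
                   a source covered only by the default route is dropped.
    """
    hit = fib_lookup(fib, src_ip)
    if hit is None:
        return False                     # no route: source is not verifiable
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                     # matched only the default route
    if iface == "null0":
        return False                     # a null0 route never verifies a source
    if mode == "any":
        return True
    return iface == rx_iface             # strict: must arrive on the return path


def spoof_checks():
    """Run the scenarios from the figures; returns name -> permitted?"""
    return {
        "strict Sx on int 1": urpf_permits(FIB, "192.168.1.10", "int 1"),
        "strict Sx on int 3": urpf_permits(FIB, "192.168.1.10", "int 3"),
        "loose Sy on int 3": urpf_permits(FIB, "192.168.2.7", "int 3", mode="any"),
        "loose Sz (null0) on int 3": urpf_permits(FIB, "10.1.2.3", "int 3", mode="any"),
        "loose unknown source": urpf_permits(FIB, "172.16.0.1", "int 3", mode="any"),
        "edge: own net from ISP": urpf_permits(ENTERPRISE_FIB, "192.168.5.5", "isp"),
        "edge: Internet src, allow-default": urpf_permits(
            ENTERPRISE_FIB, "203.0.113.5", "isp", allow_default=True),
        "edge: Internet src, no allow-default": urpf_permits(
            ENTERPRISE_FIB, "203.0.113.5", "isp"),
    }


if __name__ == "__main__":
    for name, ok in spoof_checks().items():
        print(f"{'PASS' if ok else 'DROP'}  {name}")
```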

Configuring Spoofing Features
!
!-- Layer 3 Spoofing Prevention
!-- Unicast RPF must have CEF enabled
ip cef
!
interface <interface>
 ip verify unicast source reachable-via <mode>
!
!-- Anti-Spoofing ACL
ip access-list extended ACL-ANTISPOOF-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 !-- permit the remaining traffic; otherwise the implicit deny blocks everything
 permit ip any any
!
interface <interface>
 ip access-group ACL-ANTISPOOF-IN in
!
!-- Layer 2 Spoofing Prevention
!-- Configuring DHCP Snooping
ip dhcp snooping
ip dhcp snooping vlan <vlan-range>
!
!-- IPSG, which requires DHCP snooping
interface <interface-id>
 ip verify source
!
!-- Configuring Port Security
interface <interface>
 switchport
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum <number>
 switchport port-security violation <violation-mode>
!

SYN Cookie Packet Flow

- The firewall brokers or negotiates a TCP connection for the server until it is established
- Once the TCP connection is established, the firewall negotiates the TCP connection with the server and then stitches the connection between the client and server together
- The firewall does not store any connection state until the TCP session has been stitched together

[Diagram: Client (source) IP 192.168.1.1 to Server (destination) IP 192.168.2.2 through the firewall: "Is IP 192.168.1.1 authenticated? NO" -> generate unique cookie for IP 192.168.1.1 -> if the cookie is valid, authenticate IP 192.168.1.1 -> "Is IP 192.168.1.1 authenticated? YES" -> connection established.]

TCP-Intercept
!
!-- Using Modular Policy Framework (MPF), which is available on ASA
access-list management permit tcp any 192.168.131.0 255.255.255.0
!
class-map connection-limit
 match access-list management
!
policy-map spoof-protect
 class connection-limit
 !-- Setting the limit to one forces all connections to be validated
  set connection embryonic-conn-max 1
!
service-policy spoof-protect interface outside
!
!-- Static NAT: this will map the inside IP address
!-- 192.168.131.10 to the outside IP address 192.0.2.10
!-- and will create an embryonic connection limit of 1
static (inside,outside) 192.0.2.10 192.168.131.10 tcp 0 1
!
!-- Static identity NAT, i.e. no address translation
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 tcp 0 1
!

Spoofing References

- Understanding Unicast Reverse Path Forwarding
  http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
- Tracking Spoofed IP Addresses
  http://www.cymru.com/Documents/tracking-spoofed.html
- Bogon Reference
  http://www.team-cymru.org/Services/Bogons
- Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing, RFC 2827
  http://tools.ietf.org/html/rfc2827
- Ingress Filtering for Multihomed Networks, RFC 3704
  http://tools.ietf.org/html/rfc3704
Packet Conformance

Several attacks use fuzzed or irregular packet fields to identify hosts, exploit vulnerabilities, or evade detection:

- Fragmentation overwrite, overlap, short, long (teardrop, jolt, evasion)
- Nmap passive OS identification scanning
- Source routing to evade access control or cause other vulnerabilities
- Abnormal TCP flags, values, overwrite
- Time-to-live (TTL) abnormalities

Firewall Packet Conformance

- Virtual fragmentation reassembly: reassemble, perform consistency checks (overlap, overwrite, long, short), then forward
- Fragment chain command
- Dropping packets with IP options present
- Fuzzy TCP flags
- TCP intercept (SYN cookies)
- ttl-evasion-protection in MPF (enabled by default)
- TCP-MAP (TCP options, SYN data)
- Accelerated Security Path (ASP) checks

Firewall ASP Checks
Firewall# capture drop type asp-drop ?
-------------------- Output Truncated in Several Places --------------------
fragment-reassembly-failed Fragment reassembly failed
invalid-ip-header Invalid IP header
invalid-ip-length Invalid IP length
invalid-ip-option IP option drop
invalid-tcp-hdr-length Invalid TCP Length
invalid-udp-length Invalid UDP Length
tcp-3whs-failed TCP failed 3 way handshake
tcp-ack-syn-diff TCP ACK in SYNACK invalid
tcp-bad-option-len Bad option length in TCP
tcp-bad-option-list TCP option list invalid
tcp-bad-sack-allow Bad TCP SACK ALLOW option
tcp-bad-winscale Bad TCP window scale value
tcp-data-past-fin TCP data send after FIN
tcp-discarded-ooo TCP ACK in 3 way handshake invalid
tcp-invalid-ack TCP invalid ACK
tcp-mss-exceeded TCP data exceeded MSS
tcp-not-syn First TCP packet not SYN
tcp-reserved-set TCP reserved flags set
tcp-rst-syn-in-win TCP RST/SYN in window
tcp-rstfin-ooo TCP RST/FIN out of order
tcp-seq-past-win TCP packet SEQ past window
tcp-seq-syn-diff TCP SEQ in SYN/SYNACK invalid
tcp-syn-data TCP SYN with data
tcp-syn-ooo TCP SYN on established conn
tcp-synack-data TCP SYNACK with data
tcp-synack-ooo TCP SYNACK on established conn
tcp-winscale-no-syn TCP Window scale on non-SYN

Cisco IOS Packet Conformance

- ip options drop command
- no ip source-route

Router(config)# ip options drop
% Warning: RSVP and other protocols that use IP Options packets may not function as expected.

Router(config)# no ip source-route
Router(config)#

- Some of the checks can be accomplished through ACLs (such as IP options, TCP flags)

Cisco IOS Packet Conformance (Cont.)

- Virtual Fragmentation Reassembly (VFR), 12.3(8)T
  - Asymmetric traffic causes problems

ip virtual-reassembly
!
interface GigabitEthernet0/0
 ip address <address>
 ip virtual-reassembly [drop-fragments] [max-fragments number] [max-reassemblies number] [timeout seconds]
!

- Troubleshoot and verify VFR operations
  - debug ip virtual-reassembly
  - show ip virtual-reassembly
  - Syslog: VFR-3-TINY_FRAGMENTS, VFR-3-OVERLAP_FRAGMENT, VFR-4-FRAG_TABLE_OVERFLOW, VFR-4-TOO_MANY_FRAGMENTS

Application Layer Protocol Inspection

- Stateful deep-packet inspection
  - Good for protocols that open secondary ports and use embedded IP addresses
  - Potential DoS vector due to performance implications
- User defined policies
- Response actions for undesirable traffic
- Regex capabilities introduced in 7.2

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

Required Policy Components

- Class-map: identifies the traffic that needs a specific type of control; class-maps have specific names which bind them to a policy-map
- Policy-map: describes the actions to be taken on the traffic described in the class-map; policy-maps have specific names which bind them to the service-policy
- Service-policy: describes where the traffic should be intercepted for control; only one service-policy can exist per interface; an additional service-policy, called global-service-policy, is defined for traffic and general policy application; this policy applies to traffic on all interfaces

*Detailed Information About Firewall Design and Deployment Is Available in BRKSEC-2020


DNS Protocol Inspection Example
!
! Create regex matches
Firewall(config)# regex domain1 "example\.com"
Firewall(config)# regex domain2 "example\.net"
!
! Create regex class map
Firewall(config)# class-map type regex match-any dns_filter_class
Firewall(config-cmap)# match regex domain1
Firewall(config-cmap)# match regex domain2
!
! Inspection class map
Firewall(config)# class-map type inspect dns dns_inspect_class
Firewall(config-cmap)# match not header-flag QR
Firewall(config-cmap)# match question
Firewall(config-cmap)# match domain-name regex class dns_filter_class
!
! Perform policy map action
Firewall(config-cmap)# policy-map type inspect dns dns_inspect_policy
Firewall(config-pmap)# class dns_inspect_class
Firewall(config-pmap-c)# drop log
!
Firewall(config-pmap-c)# class-map inspection_default
Firewall(config-cmap)# match default-inspection-traffic
!
Firewall(config-cmap)# policy-map egress_policy
Firewall(config-pmap)# class inspection_default
Firewall(config-pmap-c)# inspect dns dns_inspect_policy
!
Firewall(config-pmap-c)# service-policy egress_policy interface inside
!

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
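The decision logic of dns_inspect_class together with the message-length maximum 512 from preset_dns_map, re-implemented in Python over constructed DNS messages as an added example (not ASA code; build_query, the pad option and the sample names are constructed here to exercise each branch):

```python
"""DNS inspection decisions modelled in Python (added example, not ASA code).

Mirrors the policy above: a DNS message is dropped when it exceeds the
'message-length maximum 512' of preset_dns_map, or when it is a query
(header flag QR clear) carrying a question whose name matches the regex
class (example\.com or example\.net).  Everything else passes.
"""
import re
import struct

# dns_filter_class: match-any of the two regexes, searched (not anchored)
DOMAIN_REGEXES = [re.compile(r"example\.com"), re.compile(r"example\.net")]
MESSAGE_LENGTH_MAXIMUM = 512


def parse_question_name(msg, offset=12):
    """Decode the first QNAME after the 12-byte header (labels, no compression)."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated question section")
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointer inside QNAME")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def inspect_dns(msg):
    """Return ("drop", reason) or ("pass", None) for one raw DNS message."""
    if len(msg) > MESSAGE_LENGTH_MAXIMUM:
        return "drop", "message-length maximum 512 exceeded"
    if len(msg) < 12:
        return "drop", "DNS header too short"
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:                       # QR set: this is a response
        return "pass", None                  # class has 'match not header-flag QR'
    if qdcount == 0:                         # 'match question' needs a question
        return "pass", None
    try:
        name = parse_question_name(msg)
    except ValueError as err:                # modelled as a protocol violation
        return "drop", f"malformed question: {err}"
    for rx in DOMAIN_REGEXES:
        if rx.search(name):
            return "drop", f"query for {name} matched dns_filter_class"
    return "pass", None


def build_query(name, txid=0x1234, qr=False, pad=0):
    """Construct a minimal A query (or a response shell when qr=True).

    pad appends zero bytes after the question; it is only used here to
    produce an oversized message for the length check.
    """
    flags = 0x8000 if qr else 0x0100            # RD set on queries
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    return header + question + b"\x00" * pad


if __name__ == "__main__":
    samples = [("query www.example.com", build_query("www.example.com")),
               ("query www.example.org", build_query("www.example.org")),
               ("response for example.com", build_query("www.example.com", qr=True)),
               ("oversized query", build_query("www.example.org", pad=600))]
    for label, msg in samples:
        print(f"{label:26s} -> {inspect_dns(msg)}")
```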
DNS AppFW Protocol Inspection Example

DNS resolution fails after the service policy is enabled.

Disable and then enable the service policy which inspects DNS queries:
Firewall(config)# no service-policy egress_policy interface inside
Firewall(config)# service-policy egress_policy interface inside

DNS resolver on endpoints, successful DNS resolution (policy disabled):
[user@linux ~]$ dig www.example.com

; <<>> DiG 9.5.0b3 <<>> www.example.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37337
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.com. IN A

;; ANSWER SECTION:
www.example.com. 43200 IN A www.example.com.
[user@linux ~]$

Failed DNS resolution (policy enabled):
[user@linux ~]$ dig www.example.com

; <<>> DiG 9.5.0b3 <<>> www.example.com
;; global options: printcmd
;; connection timed out; no servers could be reached
[user@linux ~]$

Firewall Protocol Inspection References

- ASA 8.0 MPF Guide
  http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html
- Applying Application Layer Protocol Inspection
  http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html

Super ACL – Access Lists on Steroids

[Diagram: a frame laid out as L2 header | L3 header | L4 header | payload (first..., second..., payload...), showing that FPM can match at any of these positions.]

- Flexible Packet Matching (FPM) performs deep-packet inspection for containment and policy enforcement
  - Match protocol header fields and/or payload context
  - Layer 2 to 7: bit/byte matching capability at any offset within the packet
- User-defined filtering policies (traffic classifiers)
  - Allows a choice of response actions
- Adaptable to dynamically changing attack profiles
  - Rapid deployment of filtering policies (can leverage EEM for near real-time response to threats)
- Ability to deploy protection and prevention mechanisms closer to victim and miscreant
FPM Delivery Mechanism

- Supported on access platforms via advanced security images in 12.4(4)T and later
- Supported on Sup32 PISA platform via IP base and IP services images in 12.2(18)ZY and later
- Protocol Header Definition File (PHDF), available on Cisco.com
  - Ethernet, IP, TCP, UDP and ICMP
  - XML-based file that defines match criteria fields and implicit (constraints) match criteria
- Traffic Classification Definition File (TCDF), available on Cisco.com
  - Bit Torrent, IIS Unicode Traversal, Cisco IOS HTTP, Skype, and template
  - http://www.cisco.com/cgi-bin/tablebuild.pl/fpm
  - XML-based file that defines classes and policies with specified actions for an FPM filter (created using a text editor with a ".tcdf" file extension)
FPM Policy for Slammer Packets
!
!-- Load PHDFs for IP and UDP
load protocol disk0:ip.phdf
load protocol disk0:udp.phdf
!
!-- Match UDP over IP packets
class-map type stack match-all ip_udp_class
 description "match UDP over IP packets"
 match field ip protocol eq 17 next udp
!
!-- Match Slammer packets: UDP port 1434, packet length 404 bytes, and the payload byte pattern
class-map type access-control match-all slammer_class
 description "match on slammer packets"
 match field udp dest-port eq 1434
 match field ip length eq 404
 match start udp payload-start offset 0 size 4 eq 0x04010101
 match start udp payload-start offset 4 size 4 eq 0x01010101
 match start udp payload-start offset 8 size 4 eq 0x01010101
 match start udp payload-start offset 12 size 4 eq 0x01010101
 match start udp payload-start offset 16 size 1 eq 0x01
!
!-- Policy for UDP-based attacks
policy-map type access-control fpm_udp_policy
 description "policy for UDP based attacks"
 class slammer_class
  drop
  log
!
!-- Drop worms and malicious attacks
policy-map type access-control fpm_policy
 description "drop worms and malicious attacks"
 class ip_udp_class
  service-policy fpm_udp_policy
!
!-- Apply and enable FPM policy
interface GigabitEthernet 0/1
 service-policy type access-control input fpm_policy

FPM Policy for WPAD.DAT HTTP Request
!
!-- Load PHDFs for IP and TCP
load protocol flash:ip.phdf
load protocol flash:tcp.phdf
!
!-- Match TCP over IP packets
class-map type stack match-all ip_tcp_class
 description "Match TCP Packets"
 match field IP protocol eq 6 next TCP
!
!-- Match HTTP GET request for WPAD.DAT with destination TCP port 80
class-map type access-control match-all wpad.dat_http_request
 description "Match HTTP GET Request for WPAD.DAT (case-insensitive)"
 match field TCP dest-port eq 80
 match start TCP payload-start offset 0 size 256 regex ".*[Gg][Ee][Tt].*\x2f[Ww][Pp][Aa][Dd]\x2e[Dd][Aa][Tt]"
!
!-- Policy that drops and logs HTTP GET requests that match the regex
policy-map type access-control fpm_wpad_classify
 class wpad.dat_http_request
  drop
  log
!
!-- Monitor HTTP packets with a GET request for WPAD.DAT present
policy-map type access-control fpm_wpad_policy
 class ip_tcp_class
  service-policy fpm_wpad_classify
!
!-- Apply and enable FPM policy
interface GigabitEthernet0/0
 service-policy type access-control input fpm_wpad_policy

Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin Release for March 2009
http://tools.cisco.com/security/center/viewAlert.x?alertId=17783

FPM Policy for SNMP v1 and SNMP v3
!
!-- Load PHDFs for IP and UDP
load protocol disk0:ip.phdf
load protocol disk0:udp.phdf
!
!-- Match UDP over IP packets
class-map type stack match-all ip-udp-class
 description "match on UDP packets"
 match field ip protocol eq 17 next udp
!
!-- Match SNMPv1 packets: UDP port 161, look for a 0 in the msg version field
class-map type access-control match-all SNMPv1
 description "match on SNMPv1 packets"
 match field udp dest-port eq 161
 match start udp payload-start offset 4 size 1 eq 0
!
!-- Match SNMPv3 packets: UDP port 161, look for a 3 in the msg version field
class-map type access-control match-all SNMPv3
 description "match on SNMPv3 packets"
 match field udp dest-port eq 161
 match start udp payload-start offset 4 size 1 eq 3
!
!-- Policy that drops and logs SNMP v1 and v3 packets
policy-map type access-control fpm-udp-policy
 description "log and drop SNMP v1 and v3 packets"
 class SNMPv1
  drop
  log
 class SNMPv3
  drop
  log
!
!-- Monitor UDP packets for SNMP v1 and SNMP v3
policy-map type access-control fpm-policy
 description "drop SNMP v1 and v3 packets"
 class ip-udp-class
  service-policy fpm-udp-policy
!
!-- Apply and enable FPM policy
interface GigabitEthernet 0/1
 service-policy type access-control input fpm-policy
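The match logic of the three FPM policies above (slammer_class, wpad.dat_http_request, and the SNMPv1/SNMPv3 classes) re-implemented in Python over constructed IPv4 packets, as an added example and not Cisco code: the parser, the builder helpers and the sample packets are constructed here, and the regex is the one from the WPAD class-map.

```python
"""FPM class-map logic modelled in Python (added example, not Cisco code).

Re-implements the match criteria of the three FPM policies above
(slammer_class, wpad.dat_http_request, SNMPv1/SNMPv3) over constructed IPv4
packets, so the field names and payload offsets can be checked offline.
"""
import re
import struct

# Regex copied from the wpad.dat_http_request class-map (bytes pattern).
WPAD_REGEX = re.compile(rb".*[Gg][Ee][Tt].*\x2f[Ww][Pp][Aa][Dd]\x2e[Dd][Aa][Tt]")


def parse_ipv4(pkt):
    """Extract the fields the class-maps reference; None if not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    l4 = pkt[ihl:total_len]
    f = {"ip.protocol": proto, "ip.length": total_len}
    if proto == 17 and len(l4) >= 8:                     # stack: ip -> udp
        f["udp.dest-port"] = struct.unpack("!H", l4[2:4])[0]
        f["udp.payload"] = l4[8:]                        # udp payload-start
    elif proto == 6 and len(l4) >= 20:                   # stack: ip -> tcp
        f["tcp.dest-port"] = struct.unpack("!H", l4[2:4])[0]
        f["tcp.payload"] = l4[(l4[12] >> 4) * 4:]        # tcp payload-start
    return f


def slammer_class(f):
    """UDP/1434, ip length 404, and the 17 leading payload bytes 04 01 01 ... 01."""
    p = f.get("udp.payload")
    return (p is not None and f.get("udp.dest-port") == 1434
            and f["ip.length"] == 404
            and p[0:4] == b"\x04\x01\x01\x01"
            and p[4:16] == b"\x01" * 12          # offsets 4, 8, 12: 0x01010101
            and p[16:17] == b"\x01")             # offset 16, size 1


def wpad_http_request(f):
    """TCP/80 and the regex over the first 256 payload bytes."""
    p = f.get("tcp.payload")
    return (p is not None and f.get("tcp.dest-port") == 80
            and WPAD_REGEX.search(p[0:256]) is not None)


def snmp_version_class(f, version):
    """UDP/161 and the BER msg-version byte at payload offset 4 (0 = v1, 3 = v3)."""
    p = f.get("udp.payload")
    return (p is not None and f.get("udp.dest-port") == 161
            and len(p) > 4 and p[4] == version)


def classify(pkt):
    """Names of the FPM classes a packet hits (each is a drop + log action)."""
    f = parse_ipv4(pkt)
    if f is None:
        return []
    checks = [("slammer_class", slammer_class(f)),
              ("wpad.dat_http_request", wpad_http_request(f)),
              ("SNMPv1", snmp_version_class(f, 0)),
              ("SNMPv3", snmp_version_class(f, 3))]
    return [name for name, hit in checks if hit]


# --- constructed packets (synthetic test vectors, not captures) -------------

def build_ipv4(proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + l4                                      # checksum left 0


def build_udp(dport, payload):
    return struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload


def build_tcp(dport, payload):
    # 20-byte header: data offset 5, flags PSH+ACK, checksum left 0
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


# Slammer signature header bytes plus zero filler so that ip length == 404
SLAMMER_LIKE = build_ipv4(17, build_udp(1434, b"\x04" + b"\x01" * 16 + b"\x00" * 359))
WPAD_GET = build_ipv4(6, build_tcp(80, b"GET /wpad.dat HTTP/1.1\r\nHost: proxy.example.com\r\n\r\n"))
OTHER_GET = build_ipv4(6, build_tcp(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
SNMPV1 = build_ipv4(17, build_udp(161, b"\x30\x0b\x02\x01\x00\x04\x06public"))
SNMPV2C = build_ipv4(17, build_udp(161, b"\x30\x0b\x02\x01\x01\x04\x06public"))
SNMPV3 = build_ipv4(17, build_udp(161, b"\x30\x0b\x02\x01\x03\x04\x06public"))

if __name__ == "__main__":
    for name, pkt in [("slammer-like", SLAMMER_LIKE), ("wpad GET", WPAD_GET),
                      ("other GET", OTHER_GET), ("snmpv1", SNMPV1),
                      ("snmpv2c", SNMPV2C), ("snmpv3", SNMPV3)]:
        print(f"{name:12s} -> {classify(pkt) or ['permit']}")
```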

FPM References

- Cisco IOS Flexible Packet Matching (FPM)
  http://www.cisco.com/go/fpm
  http://www.cisco.com/cgi-bin/tablebuild.pl/fpm
- Flexible Packet Matching Deployment Guide
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd803936f6_ns696_Networking_Solutions_White_Paper.html
- Flexible Packet Matching Feature Guide
  http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html
- Flexible Packet Matching XML Configuration
  http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_tcdf.html
- Getting Started with Cisco IOS Flexible Packet Matching
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd80633b0a.html
BRKSEC-2004_c2 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 48
Monitoring and Identification
Monitoring
 Syslog
 NetFlow
 Embedded Event Manager
 CS-MARS
Syslog
 De facto logging standard for hosts and network infrastructure devices; supported in all Cisco routers and switches
 Many levels of logging detail are available; choose the level(s) appropriate for each device/situation
 ACL logging is generally contraindicated due to CPU overhead; NetFlow provides more information and doesn't max out the box
 Can be used in conjunction with anycast and databases such as MySQL (http://www.mysql.com) to provide a scalable, robust logging infrastructure
 Different facility numbers allow segregation of log information based upon device type, function, or other criteria
 Syslog-ng from http://www.balabit.com/products/syslog_ng/ adds a lot of useful functionality
Configuring Syslog on a Router
 Syslog data is invaluable
  Attack forensics
  Day-to-day events and debugging
 To log messages to a syslog server host, use the logging global configuration command
  logging host <ip-address>
  logging trap <level>
 To log to the internal buffer, use:
  logging buffered <size>
 Ensure timestamps:
  service timestamps log datetime msec localtime show-timezone
 Avoid debug logging to the console
Syslog
Router:
Router# show logging | include 185
Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:14.445 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55619) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:16.389 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55620) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55621) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:27.373 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55622) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:29.661 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55623) -> 192.168.150.77(139), 1 packet

Firewall:
Firewall# show logging | grep 5063b82f
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/389 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/443 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/256 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/399 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Uses of Syslogs
 Primary mechanism to record traffic to and through the firewall
 The best troubleshooting tool available
[Figure: logging destinations. Archival purposes: syslog server and SNMP server (trap). Debugging purposes: console, SSH client, and the internal buffer.]
What Are Modifiable Syslog Levels?
[no] logging message <syslog_id> level <level>
 Modifiable syslog levels allow one to move any syslog message to any level
 Problem
  You want to record what exec commands are being executed on the firewall; syslog ID 111009 records this information, but by default it is at level seven (debug)
  %PIX-7-111009: User ‘johndoe’ executed cmd: show run
  The problem is we don’t want to log all 1602 other syslogs that are generated at debug level
Levels:
  0—Emergency
  1—Alert
  2—Critical
  3—Errors
  4—Warnings
  5—Notifications
  6—Informational
  7—Debugging
How to Create Modifiable Syslog Levels
Solution
[no] logging message <syslog_id> level <level>
 Lower syslog message 111009 to level 3 (error)
  ASA(config)# logging message 111009 level 3
  Or
  ASA(config)# logging message 111009 level error
 Now our syslog looks as follows
  %ASA-3-111009: User ‘johndoe’ executed cmd: show run
 To restore the default syslog level
  ASA(config)# no logging message 111009 level error
  Or
  ASA(config)# logging message 111009 level 7
Logging Debugs to Syslog
 Problem
  Log only debug output to syslog
 Solution
  Create a logging list with only syslog ID 711001
  Enable debug output to syslogs
  Log on the logging list
  ASA(config)# logging list CiscoLive message 711001
  ASA(config)# logging debug-trace
  ASA(config)# logging trap CiscoLive
ACL Logging
 ACL keyword log for Cisco IOS, Cisco ASA, and FWSM
 ACL keyword log-input for Cisco IOS
 ip access-list log-update threshold <threshold-in-msgs>
 logging rate-limit <message-rate> for Cisco IOS
 Hardware support for Cisco Catalyst® 6500 series switches and 7600 series routers via Optimized ACL Logging (OAL) is enabled beginning with 12.2(17d)SXB using the mls rate-limit unicast ip icmp unreachable acl-drop 0 command
 ACL logging can be CPU intensive and can negatively affect a device
Access Control List Syslog Correlation
 Correlate ACL syslog messages with a specific Access Control Entry (ACE) configured in an ACL
 Utilizes a user-defined tag or an IOS-generated hash value that is appended to an ACE-generated syslog
  ip access-list logging hash-generation
  access-list <acl> permit <protocol> <source> <destination> log [word]
Router# show ip access-list 102
Extended IP access list 102
    10 permit tcp host 10.1.1.1 host 10.1.1.2 log (tag = MyTag)
    20 permit tcp any any log (hash = 0x75F078B9)
Jun 5 12:55:44.359: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 192.168.16.1(38402) -> 192.168.16.2(23), 1 packet [0x75F078B9]
 Available in 12.4(22)T
  http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_acl_syslog.html
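The IOS and ASA ACL messages shown on the Syslog slide and the tagged message above, parsed and correlated the way an incident handler would want: normalize both formats, tie each message back to its ACE through the tag or hash, and surface sources that were denied on many ports of one destination. This is an added Python example, not part of the session material; the log lines are constructed in the two formats the slides show, and the regular expressions and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the IOS (%SEC-6-IPACCESSLOGP) and ASA (%ASA-4-106023)
# formats shown on the slides; addresses, ports and tags are illustrative, not a capture.
SAMPLE_LOGS = [
    "Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp "
    "192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet",
    "Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp "
    "192.168.208.63(55621) -> 192.168.150.77(139), 1 packet",
    "Aug 29 2007 15:58:31.002 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp "
    "192.168.208.63(55624) -> 192.168.150.77(445), 1 packet",
    "Jun 5 12:55:44.359: %SEC-6-IPACCESSLOGP: list 102 permitted tcp "
    "192.168.16.1(38402) -> 192.168.16.2(23), 1 packet [0x75F078B9]",
    "Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst "
    'inside:192.168.150.77/389 by access-group "OUTSIDE" [0x5063b82f, 0x0]',
    "Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst "
    'inside:192.168.150.77/443 by access-group "OUTSIDE" [0x5063b82f, 0x0]',
    "Aug 29 2007 11:14:56: %ASA-4-106023: Deny udp src outside:10.9.8.7/5000 dst "
    'inside:192.168.150.80/161 by access-group "OUTSIDE" [0x5063b82f, 0x0]',
    "Aug 29 2007 11:15:00: %ASA-6-302013: Built inbound TCP connection 12345 ...",  # not an ACL message
]

# IOS: optional "(interface mac)" block from log-input, optional trailing [tag] from
# ACL syslog correlation (user-defined word or IOS-generated hash).
IOS_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)(?: \([^)]*\))? -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?(?: \[(?P<tag>[^\]]+)\])?"
)
# ASA 106023: the first hex value in brackets is the hash of the ACE that denied the packet.
ASA_RE = re.compile(
    r"%ASA-\d-106023: (?P<action>Deny) (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)" '
    r"\[(?P<tag>0x[0-9a-fA-F]+), 0x[0-9a-fA-F]+\]"
)


def parse_line(line):
    """Normalize one IOS or ASA ACL log line to a dict, or None if it is neither."""
    m = IOS_RE.search(line) or ASA_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "dst": d["dst"], "proto": d["proto"].lower(),
        "sport": int(d["sport"]), "dport": int(d["dport"]),
        "action": "deny" if d["action"].lower().startswith("den") else "permit",
        "acl": d["acl"],
        "ace_tag": d.get("tag"),           # maps back to 'show ip access-list' (tag = / hash =)
        "count": int(d.get("count") or 1),  # ASA logs one message per packet
    }


def parse_logs(lines):
    return [e for e in (parse_line(line) for line in lines) if e]


def port_sweeps(events, min_ports=3):
    """(src, dst) pairs whose denied connections touched at least min_ports distinct
    destination ports: the vertical-scan pattern visible in the slides' sample output."""
    touched = defaultdict(set)
    for e in events:
        if e["action"] == "deny":
            touched[(e["src"], e["dst"])].add(e["dport"])
    return {pair: sorted(ports) for pair, ports in touched.items() if len(ports) >= min_ports}


def events_by_ace(events):
    """Packet counts per (ACL, ACE tag/hash), so each total can be tied to one ACE."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["acl"], e["ace_tag"])] += e["count"]
    return dict(totals)


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print(port_sweeps(events))
    print(events_by_ace(events))
```

Both device families give a scan signal only when the deny was logged; the hash in the ASA 106023 message and the IOS correlation tag are what let the counts be attributed to a specific ACE rather than to the whole ACL.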
ACL Logging References
 Understanding Access Control List Logging
  http://www.cisco.com/web/about/security/intelligence/acl-logging.html
 Identifying Incidents Using Firewall and Cisco IOS Router Syslog Events
  http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html
NetFlow: Listening to the Network
 Packet capture is like a wiretap
 NetFlow is like a phone bill
 This level of granularity allows NetFlow to scale for very large amounts of traffic
  We can learn a lot from studying the phone bill: who’s talking to whom, over what protocols and ports, for how long, at what speed, for what duration, etc.
  NetFlow is a form of telemetry pushed from the routers/switches; each one can be a sensor
What Constitutes a Flow?
[Figure: packets enter the router; (2) the NetFlow key fields are inspected to build the cache; (3) NetFlow export sends flow records to the reporting system.]
 Inspect a packet’s seven key fields and identify the values
 If the set of key field values is unique, create a new flow record or cache entry
 When the flow terminates, export the flow to the collection and/or analysis system
Version 5: Most Commonly Used
 Usage: packet count, byte count
 Time of day: start sysUpTime, end sysUpTime
 Port utilization: input ifIndex, output ifIndex
 QoS: type of service, TCP flags, protocol
 From/To: source IP address, destination IP address
 Application: source TCP/UDP port, destination TCP/UDP port
 Routing and peering: next hop address, source AS number, destination AS number, source prefix mask, destination prefix mask
Version 5 is used extensively today
NetFlow
Internal Threat Information Resource
router(config)# ip cef
router(config-if)# ip flow ingress
router(config)# ip flow-export destination 10.10.10.10 9996
router(config)# ip flow-export version 5
 NetFlow is available on routers and switches
 Have syslog-like information without having to buy a firewall
 One NetFlow packet has information about multiple flows
 Can access flow record data via the NetFlow MIB using SNMP
  http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/nflowmib.html
[Figure: export packet layout. Header (sequence number, record count, version number) followed by flow records taken from the NetFlow cache.]
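The two previous slides in working code, as an added Python example that is not part of the session material: a flow cache keyed on the seven NetFlow key fields, the Version 5 export datagram (24-byte header, 48-byte records, big-endian) built from that cache and parsed back, and one "phone bill" question asked of the records, which sources opened single-packet TCP flows to many hosts on one port. The packets are constructed, and the class and function names are this example's own; the v5 field layout is the standard one.

```python
import struct
import ipaddress
from collections import defaultdict

# NetFlow v5 wire format: a 24-byte header followed by 48-byte flow records (big-endian).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# The seven key fields that define a flow on the 'What Constitutes a Flow?' slide.
KEY_FIELDS = ("src", "dst", "sport", "dport", "proto", "tos", "in_if")


class FlowCache:
    """Aggregates packets into flow entries keyed on the seven NetFlow key fields."""

    def __init__(self):
        self.flows = {}

    def add_packet(self, pkt):
        key = tuple(pkt[f] for f in KEY_FIELDS)
        flow = self.flows.get(key)
        if flow is None:                       # unique key set -> new cache entry
            flow = self.flows[key] = {"pkts": 0, "octets": 0, "first": pkt["t"],
                                      "last": pkt["t"], "flags": 0, "out_if": pkt["out_if"]}
        flow["pkts"] += 1
        flow["octets"] += pkt["len"]
        flow["last"] = pkt["t"]
        flow["flags"] |= pkt.get("flags", 0)   # cumulative TCP flags, as in the v5 record

    def export_v5(self, sysuptime_ms, unix_secs, sequence=0):
        """Serialize every cached flow as one NetFlow v5 export datagram."""
        body = b"".join(
            V5_RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                           b"\x00" * 4, in_if, f["out_if"], f["pkts"], f["octets"],
                           f["first"], f["last"], sport, dport, 0, f["flags"], proto, tos,
                           0, 0, 0, 0, 0)
            for (src, dst, sport, dport, proto, tos, in_if), f in self.flows.items())
        header = V5_HEADER.pack(5, len(self.flows), sysuptime_ms, unix_secs, 0, sequence, 0, 0, 0)
        return header + body


def parse_v5(datagram):
    """Decode a NetFlow v5 datagram into header fields plus a list of record dicts."""
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": str(ipaddress.IPv4Address(r[0])), "dst": str(ipaddress.IPv4Address(r[1])),
                        "nexthop": str(ipaddress.IPv4Address(r[2])), "in_if": r[3], "out_if": r[4],
                        "pkts": r[5], "octets": r[6], "first": r[7], "last": r[8],
                        "sport": r[9], "dport": r[10], "flags": r[12], "proto": r[13], "tos": r[14]})
    return {"sequence": seq, "sysuptime": uptime, "count": count, "records": records}


def scanning_sources(records, dport=445, min_targets=3):
    """Sources with tiny TCP flows to many distinct hosts on one port: the phone-bill view of a
    host sweeping for a service (TCP/445 is the port the case study later turns on)."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == 6 and r["dport"] == dport and r["pkts"] <= 2:
            targets[r["src"]].add(r["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed packets (not captured traffic): one host sweeping TCP/445, one normal web flow.
SAMPLE_PACKETS = [
    {"src": "10.1.1.50", "dst": "10.1.2.%d" % i, "sport": 40000 + i, "dport": 445, "proto": 6,
     "tos": 0, "in_if": 1, "out_if": 2, "len": 60, "flags": 0x02, "t": 1000 + i}
    for i in range(10, 14)
] + [
    {"src": "10.1.1.20", "dst": "10.1.2.5", "sport": 51000, "dport": 80, "proto": 6,
     "tos": 0, "in_if": 1, "out_if": 2, "len": n, "flags": fl, "t": t}
    for n, fl, t in ((60, 0x02, 1001), (1500, 0x18, 1002), (52, 0x11, 1003))
]


def demo():
    """Fill the cache, export it as v5, and parse the datagram back."""
    cache = FlowCache()
    for pkt in SAMPLE_PACKETS:
        cache.add_packet(pkt)
    datagram = cache.export_v5(sysuptime_ms=2000, unix_secs=1240000000, sequence=17)
    return parse_v5(datagram)


if __name__ == "__main__":
    result = demo()
    print(result["count"], "flows; scanners:", scanning_sources(result["records"]))
```

The export side is the part a collector such as flow-tools or nfdump would receive on UDP/9996 from the ip flow-export destination configured above; the scanning_sources query is the kind of question that needs flow records rather than a packet capture to answer at scale.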
NetFlow: Output
Internal Threat Information Resource
[Figure: sample NetFlow output showing traffic classification, a flow summary, and flow detail.]
 NetFlow Performance
  http://www.cisco.com/en/US/products/ps6601/products_white_paper0900aecd802a0eb9.shtml
NetFlow Deployment Considerations
 NetFlow should typically be enabled on all router interfaces where possible
 Useful for on-box troubleshooting via CLI and for export to analysis systems (don’t forget about NetFlow Top Talkers)
 Ingress and egress NetFlow are now supported
  Analysis systems typically must be configured to understand which is in use, for purposes of directionality
 1:1 NetFlow is useful for troubleshooting, forensics, traffic analysis, and behavioral/relational anomaly detection
 Sampled NetFlow is useful for traffic analysis and behavioral/relational anomaly detection
  Sampling is typically used in high-volume traffic situations where 1:1 NetFlow Data Export (NDE) is impractical
NetFlow Open Source Tools
Product Name    | Primary Use              | Comment                                   | OS
Cflowd          | Traffic Analysis         | No longer supported                       | UNIX
Flow-tools      | Collector Device         | Scalable                                  | UNIX
Flowd           | Collector Device         | Supports V9                               | BSD, Linux
FlowScan        | Reporting for Flow-Tools |                                           | UNIX
IPFlow          | Traffic Analysis         | Supports V9, IPv4, IPv6, MPLS, SCTP, etc. | Linux, FreeBSD, Solaris
NetFlow Guide   | Reporting Tools          |                                           | BSD, Linux
NetFlow Monitor | Traffic Analysis         | Supports V9                               | UNIX
Netmet          | Collector Device         | V5, supports V9                           | Linux
NTOP            | Security Monitoring      |                                           | UNIX
Stager          | Reporting for Flow-Tools |                                           | UNIX
Nfdump/nfsen    | Traffic Analysis         | Supports V5 and V9                        | UNIX
Different costs: implementation and customization
Embedded Event Manager (EEM)
 Allows instrumentation of the Cisco IOS device and reactive capabilities that can be useful in improving security
 Available since Cisco IOS Software versions 12.0(26)S and 12.3(4)T
 Cisco IOS documentation: Embedded Event Manager 2.2
  http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/ht_eem.html
 White paper: Embedded Event Manager in a security context
  http://www.cisco.com/web/about/security/intelligence/embedded-event-mgr.html
 EEM scripting community
  http://www.cisco.com/go/ciscobeyond
EEM Example
 Interface input queue monitor
  http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=981
 Cisco applied mitigation bulletin: identifying and mitigating exploitation of the IPv4 user datagram protocol delivery issue for IPv4/IPv6 dual-stack routers
  http://www.cisco.com/warp/public/707/cisco-amb-20080326-IPv4IPv6.shtml
 Example syslog message:
  %HA_EM-7-LOG: system:/lib/tcl/eem_scripts_registered/interface-input-q.tcl: Interface GigabitEthernet0/0 input queue full. Input queue: 4001/4000 (size/max)
*Additional information about EEM in a security context is available in BRKSEC-3007
CS-MARS Contextual Analysis Overview
 Events: raw messages sent to CS-MARS by reporting devices; examples include syslog, SNMP, NetFlow, and IPS signatures
 Sessions: correlated events
 Incidents: sessions matched against rules that are indicative of malicious behavior
 Rules are used to perform logic on events, which creates sessions and possibly incidents
CS-MARS Rules
 Over a specified time range, events are correlated to become incidents
CS-MARS Rules in Action
 Events from the same source and destination IP addresses are correlated within a timeframe to become an incident
Endpoint and Network Intrusion Detection and Prevention Capabilities
Intrusion Detection and Prevention
 Cisco Security Agent
 Cisco IPS
 CSA/IPS Collaboration
Preventing Endpoint Attacks Using CSA
 All attacks perform certain behaviors for success; CSA allows you to defeat these actions using interceptors
 Zero-day and targeted attacks
  May bypass or defeat other protection mechanisms that are deployed
 Zero-day protection = ability to stop malicious code without reconfiguration or update
  Protects endpoints from being compromised when other protections have failed
 There is a limited number of vectors into a system; one or more of these behaviors must be used by all attacks
  Stop the attack at one of these vectors and you prevent the whole attack (several opportunities exist, not just one)
 Monitoring and controlling these behaviors prevents malicious activity
*Information about CSA is presented in BRKSEC-2031, Protecting Against Data Leakage with CSA
Preventing Execution
 Cisco Security Agent (CSA) provides multiple interceptors for the detection and prevention of threats
  Network
  File system
  Configuration
  Execution space
 CSA is best utilized for preventing attacks targeting endpoint compromise
 Do not forget about protection methods using your network
Policy Rules Drive Interceptors
[Table: which of the four interceptors (file system, network, configuration, execution space) each security application uses; the number of interceptors marked for each application is listed.]
 Distributed Firewall (1 interceptor)
 Host Intrusion Detection (3 interceptors)
 Spyware and Malware Prevention (3 interceptors)
 Network Worm Prevention (2 interceptors)
 File Integrity Assurance (2 interceptors)
 Wireless Policy Controls (2 interceptors)
 Traffic Marking (1 interceptor)
 IPS and NAC Integration (1 interceptor)
Intrusion Protection for the Network
 Detect malicious payloads, perform behavioral analysis, anomaly detection, policy adjustments, and rapid threat response
 Inline protection or promiscuous mode
 Automatic threat prevention with IPS 6.x denies packets whose risk rating value is in the range 90—100
 Multivector protections at all points in the network, desktop, and server endpoints
  Integration with Cisco CSA and Cisco wireless controller
Risk Rating Thresholds Drive Mitigation
  Event Severity (how urgent is the threat?)
+ Signature Fidelity (how prone to false positive?)
+ Attack Relevancy (is the attack relevant to the host being attacked?)
+ Asset Value of Target (how critical is this destination host?)
= Risk Rating, which drives the mitigation policy (the Threat Rating is derived from it once the response action is known)
Result: a calibrated risk rating enables scalable management of sophisticated threat prevention technologies
Threat Rating
Post-Policy Evaluation of Incident Urgency
 Threat Rating: dynamic adjustment of the event Risk Rating based on the success of the response action
 If a response action was applied, then the Risk Rating is deprecated (TR < RR)
 If a response action was not applied, then the Risk Rating remains unchanged (TR = RR)
 Benefit:
  Prioritizes alerts for operator attention
  Operator can focus incident response activities on those threats that have not been mitigated
Example:
  Attack 1: no action configured; Risk Rating = 85, Threat Rating = 85
  Attack 2: action configured, attack mitigated; Risk Rating = 85, Threat Rating = 55
Event Action Overrides
ips6x# configure terminal
ips6x(config)# service event-action-rules rules0
ips6x(config-eve)# show settings
   -----------------------------------------------
   overrides (min: 0, max: 15, current: 3)
   -----------------------------------------------
      <protected entry>
      action-to-add: deny-packet-inline <defaulted>
      -----------------------------------------------
         override-item-status: Enabled <defaulted>
         risk-rating-range: 90-100 <defaulted>
      -----------------------------------------------
      action-to-add: produce-alert
      -----------------------------------------------
         override-item-status: Enabled <defaulted>
         risk-rating-range: 0-35 default: 0-100
      -----------------------------------------------
      action-to-add: produce-verbose-alert
      -----------------------------------------------
         override-item-status: Enabled <defaulted>
         risk-rating-range: 35-90 default: 0-100
      -----------------------------------------------
Global overrides for all IPS events:
 deny-packet-inline for risk rating 90-100: Automatic Threat Prevention (IPS 6.x)
 produce-alert for risk rating 0-35: write evIdsAlert to the EventStore
 produce-verbose-alert for risk rating 35-90: write evIdsAlert to the EventStore with the triggerPacket
IPS Mitigations and Responses
 Denied traffic is performed by a device inspecting flows
  Quick and effective for all protocols
 Shunned traffic is performed by an auxiliary device
  Mitigate closer to the miscreant
  Potential DoS vector is preventable utilizing never-block or event action filters
  Some time latency
 TCP RST performed for connection-based traffic streams
  Limited protocol coverage and adds RST packets to the network
  Not required if running in inline protection mode
IPS/CSA Collaboration Benefits
 The IPS can automatically get endpoint posture information to use in calculating the threat rating, making detection more accurate
 Undisclosed or encrypted exploits not identified by the IPS are likely detected by CSA
 CSA-MC can correlate data and create automated watch lists, which can be forwarded to the IPS to automatically adjust the threat rating for events seen from addresses that are part of the watch list
Automation CSA/IPS Collaboration
[Figure: screenshots of the CSA MC configuration and the IPS configuration used for the collaboration.]
Network IPS and Cisco Security Agent Collaboration
 Enhanced contextual analysis of the endpoint
 Ability to use CSA inputs to influence IPS actions
 Correlation of information contained in the CSA watch list
 Host quarantining
[Figure: the CSA Management Console places 192.168.1.111 on the CSA watch list; the IPS elevates the risk rating for that address and denies 192.168.1.111 at the service provider edge.]
Automation CSA/IPS Collaboration
evIdsAlert: eventId=1166774738236276775 vendor=Cisco severity=low
  originator:
    hostId: ips6x
    appName: sensorApp
    appInstanceId: 388
  time: May 17, 2007 8:33:28 PM UTC offset=-300 timeZone=CDT
  signature: description=TCP SYN Port Sweep id=3002 version=S2
    subsigId: 0
    marsCategory: Probe/PortSweep/Non-stealth
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 192.168.1.111 locality=OUT
      port: 55852
    target:
      addr: 192.168.2.222 locality=OUT
      port: 663
      port: 33
      port: 231
      port: 564
      port: 838
      os: idSource=imported type=windows relevance=relevant
  triggerPacket: <truncated>
  riskRatingValue: 77 targetValueRating=medium attackRelevanceRating=relevant watchlist=25
  threatRatingValue: 77
  interface: ge0_0
  protocol: tcp
Threat rating increased due to the watch list (watchlist=25 in riskRatingValue)
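Reading an alert like the one above and applying the override table from the Event Action Overrides slide, as an added Python example that is not part of the session material: a small parser for the indented key/value/attribute layout of evIdsAlert, the three global overrides as a risk-rating lookup, and the threat-rating rule from the Threat Rating slide. The sample alert is constructed from the slide's values with indentation assumed; the 30-point deprecation step is an assumption (the slide shows 85 to 55 but does not state the rule), and inclusive range boundaries are assumed too.

```python
import re

# Constructed evIdsAlert text in the layout shown on the slide (values illustrative; the
# indentation is assumed, since the slide flattens it).
SAMPLE_ALERT = """\
evIdsAlert: eventId=1166774738236276775 vendor=Cisco severity=low
  originator:
    hostId: ips6x
    appName: sensorApp
  time: May 17, 2007 8:33:28 PM UTC offset=-300 timeZone=CDT
  signature: description=TCP SYN Port Sweep id=3002 version=S2
    subsigId: 0
    marsCategory: Probe/PortSweep/Non-stealth
  participants:
    attacker:
      addr: 192.168.1.111 locality=OUT
      port: 55852
    target:
      addr: 192.168.2.222 locality=OUT
      port: 663
      port: 33
      port: 231
      os: idSource=imported type=windows relevance=relevant
  riskRatingValue: 77 targetValueRating=medium attackRelevanceRating=relevant watchlist=25
  threatRatingValue: 77
  interface: ge0_0
  protocol: tcp
"""

ATTR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_evidsalert(text):
    """Parse the indented 'key: value attr=val ...' layout into nested nodes of the form
    {"value": str, "attrs": dict, "children": dict}; repeated keys (target ports) become lists."""
    root = {}
    stack = [(-1, root)]                                   # (indent, container) per open level
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, rest = raw.strip().partition(":")
        rest = rest.strip()
        head = re.split(r"\s*\b\w+=", rest, maxsplit=1)[0].strip()   # text before the first attr
        node = {"value": head, "attrs": dict(ATTR_RE.findall(rest[len(head):])), "children": {}}
        while stack[-1][0] >= indent:                      # close deeper or sibling levels
            stack.pop()
        parent = stack[-1][1]
        if key in parent:
            if not isinstance(parent[key], list):
                parent[key] = [parent[key]]
            parent[key].append(node)
        else:
            parent[key] = node
        stack.append((indent, node["children"]))
    return root


# Global event-action overrides from the 'Event Action Overrides' slide; boundary values
# are treated as inclusive here (an assumption).
OVERRIDES = [
    ("deny-packet-inline", 90, 100),
    ("produce-alert", 0, 35),
    ("produce-verbose-alert", 35, 90),
]
DEPRECATION = 30   # assumption: the slide shows RR 85 -> TR 55 but does not state the step


def override_actions(risk_rating):
    """Actions added by the global overrides for this risk rating."""
    return [name for name, lo, hi in OVERRIDES if lo <= risk_rating <= hi]


def threat_rating(risk_rating, actions):
    """TR = RR when no mitigating action was applied; TR < RR when the packet was denied."""
    return risk_rating - DEPRECATION if "deny-packet-inline" in actions else risk_rating


def triage(alert_text):
    """Pull the fields an operator triages on and apply the override policy to the alert."""
    alert = parse_evidsalert(alert_text)["evIdsAlert"]["children"]
    rr_node = alert["riskRatingValue"]
    rr = int(rr_node["value"])
    actions = override_actions(rr)
    parts = alert["participants"]["children"]
    return {
        "attacker": parts["attacker"]["children"]["addr"]["value"],
        "signature": alert["signature"]["attrs"]["description"],
        "target_ports": [int(p["value"]) for p in parts["target"]["children"]["port"]],
        "risk_rating": rr,
        "watchlist": int(rr_node["attrs"].get("watchlist", 0)),   # CSA watch-list contribution
        "actions": actions,
        "threat_rating": threat_rating(rr, actions),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ALERT))
```

With a risk rating of 77 the alert lands in the produce-verbose-alert band only, so nothing was denied and the threat rating stays equal to the risk rating; the watchlist attribute shows the 25 points the CSA watch list added to get it there.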
Reacting with BGP
 Black Hole Filtering/Black Hole Routing
 Remote Triggered Black Hole Filtering
  Destination based
  Source based
  Static
Black Hole Filtering – Destination Based
 Forwards the packet to the bit bucket, a.k.a. Null0
  Static route added to devices in the data path
  Operational overhead: have to manually configure
 Only works on destination addresses due to forwarding logic
 Destination-based BHF takes the destination offline
  Self-DoS yourself, miscreant wins
  Good reactive mechanism for compromised endpoints
 Traditionally used to black hole undesirable traffic
 Foundation for other remote triggered responses
*Additional information about Black Hole Filtering is presented in BRKSEC-2105, Router Security Strategies: Securing IP Network Traffic Planes
Attack Without Black Hole Filtering
[Figure: provider topology with Peer A and Peer B at IXP-W and IXP-E, Upstream A and Upstream B, core routers A through G, a NOC, and a POP; attack traffic reaches the Target and the target is taken out.]
Attack Without BHF – Collateral Damage
[Figure: same topology; the attack toward the Target also causes collateral damage to the other customers behind the same POP.]
Remotely Triggered Blackhole Filtering
 Use BGP to trigger a network-wide, remotely controlled response/action to attacks
 A simple static route and redistribution into BGP will enable a network-wide destination address black hole as rapidly as iBGP can propagate the route throughout the network
 This provides a rapid-response tool that can be used in handling security-related events and incidents
 Forms a foundation for other remotely triggered techniques leveraging BGP
 Often referred to as RTBH
Using Remote Triggered Blackhole
 Service providers and enterprises use it frequently
 Often the only scalable answer to a large-scale DoS attack and to mitigating collateral damage
  Proven very effective
 Interprovider triggers not implemented
  Rely on informal channels
 Service: customer triggered
  Edge customers trigger the update; the SP doesn’t get involved
  Implication: you detect, you classify, etc.
 White list allowed traffic to prevent self-DoS
Step 1 – Prepare All Routers with Trigger
[Figure: each edge router (toward Peer A, Peer B, Upstream A, and Upstream B) and the sinkhole network carry a static route for the test-net trigger address to Null0; the NOC, the POP with the target 172.19.61.1, and the 10.68.19.0/24 network are shown.]
ip route 192.0.2.1 255.255.255.255 Null0
Step 2 – Prepare the Trigger Router
 The trigger router is the device that injects the iBGP announcement into the network
 Should be part of the iBGP mesh, but does not have to accept routes
 Can be a separate router (recommended)
 Can be a production router
 Can be a workstation with Zebra/Quagga (interface with Perl scripts and other tools)
Step 2 – Trigger Router Configuration
!
! Redistribute static with a route-map
router bgp 65535
 .
 redistribute static route-map static-to-bgp
 .
!
! Match the static route tag and set the next hop to the trigger address
route-map static-to-bgp permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set community no-export
 set origin igp
!
Step 3 – Activate the Blackhole
 Add a static route to the destination to be blackholed; the static is added with tag 66 to keep it separate from other statics on the router
  ip route 172.19.61.1 255.255.255.255 Null0 tag 66
 The BGP advertisement is propagated to BGP-speaking routers
 Routers receive the BGP update and glue it to the existing static route; due to recursion, the next hop is now Null0
Step 3 – Activating RTBH
 BGP sent: 172.19.61.1, next hop = 192.0.2.1 (the BGP update sent out after step 2)
 Static route in edge router: 192.0.2.1 = Null0 (the static route entered in step 1)
 Result: 172.19.61.1 = 192.0.2.1 = Null0; the next hop of 172.19.61.1 is now equal to Null0
 What happens when the next hop in the routing table is Null0? The packet is dropped.
RTBH Mitigation in Action
[Figure: same provider topology; the NOC trigger advertises the list of blackholed prefixes via iBGP, and traffic toward the Target is dropped at every edge router.]
Black Hole Filtering – Source Based
 What do we have?
  Blackhole filtering: if the destination address equals Null0, we drop the packet
  Remote triggered: trigger a prefix to equal Null0 on routers across the network at iBGP speeds
  Unicast RPF loose check: if the source address equals Null0, we drop the packet
 Put them together and we have a tool to trigger a drop for any packet coming into the network whose source or destination equals Null0
  Edge devices must have the static route configured
  BGP trigger sets the next hop; in this case the attacker is the source we want to drop
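The recursion that makes RTBH work, modelled end to end in Python as an added example (not part of the session material): edge routers with the step 1 static for 192.0.2.1 to Null0, a trigger router whose tagged static is pushed to every peer with next hop 192.0.2.1, destination drops through next-hop recursion, source drops once uRPF loose check is enabled, and the whitelist guard against self-DoS. It also covers the static-to-Null0-plus-uRPF fallback from the "What If I Can't Deploy RTBH?" slide. The addresses 172.19.61.0/24 and 192.0.2.1 come from the slides; the router names, interface names, attacker addresses (documentation ranges), and class and method names are this example's assumptions, and iBGP propagation is modelled by writing straight into each peer's table.

```python
import ipaddress

NULL0 = "Null0"


class Router:
    """Minimal model of one router's routing table (statics plus iBGP-learned routes).
    Next hops are resolved recursively, as the forwarding table does, so a route whose
    next hop is itself routed to Null0 ends up dropping traffic."""

    def __init__(self, name, urpf_loose=False):
        self.name = name
        self.routes = {}             # IPv4Network -> "Null0", a next-hop IP string, or an interface
        self.urpf_loose = urpf_loose

    def add_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, addr):
        """Longest-prefix match; returns the next hop or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, nh in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def resolve(self, addr, depth=0):
        """Follow next hops until an interface or Null0 is reached (bounded recursion)."""
        nh = self.lookup(addr)
        if nh is None or depth > 8:
            return None
        if nh == NULL0 or nh.startswith("Gi"):   # interface names are assumed to start with "Gi"
            return nh
        return self.resolve(nh, depth + 1)

    def forward(self, src, dst):
        """Decision for one packet: uRPF loose check on the source first, then the destination.
        Like 'allow-default', a source covered only by the default route passes the check."""
        if self.urpf_loose and self.resolve(src) in (None, NULL0):
            return "drop (uRPF: source resolves to Null0)"
        out = self.resolve(dst)
        if out in (None, NULL0):
            return "drop (destination resolves to Null0)"
        return "forward " + out


class TriggerRouter:
    """The trigger: 'ip route <host> 255.255.255.255 Null0 tag 66' is redistributed into iBGP
    with next hop 192.0.2.1 (route-map static-to-bgp on the Step 2 slide)."""

    def __init__(self, peers, whitelist=(), trigger_next_hop="192.0.2.1"):
        self.peers = peers
        self.whitelist = [ipaddress.ip_network(w) for w in whitelist]
        self.trigger_next_hop = trigger_next_hop
        self.statics = []

    def blackhole(self, host):
        """Activate the blackhole for one /32; refuses whitelisted addresses (self-DoS guard)."""
        ip = ipaddress.ip_address(host)
        if any(ip in net for net in self.whitelist):
            return False
        self.statics.append((host + "/32", NULL0, 66))        # the tagged static on the trigger
        for peer in self.peers:                                # match tag 66 -> set ip next-hop
            peer.add_route(host + "/32", self.trigger_next_hop)
        return True


def build_network():
    """Step 1: every edge router already pins 192.0.2.1/32 to Null0. The 10.0.0.0/8 static is
    the bogon-to-Null0 fallback from the 'What If I Can't Deploy RTBH?' slide."""
    edges = []
    for name in ("edge-A", "edge-B"):
        r = Router(name)
        r.add_route("0.0.0.0/0", "Gi0/0")          # upstream
        r.add_route("172.19.61.0/24", "Gi0/1")     # customer segment containing the target
        r.add_route("192.0.2.1/32", NULL0)         # trigger next hop -> bit bucket
        r.add_route("10.0.0.0/8", NULL0)           # bogon space
        edges.append(r)
    return edges, TriggerRouter(edges, whitelist=("198.51.100.0/24",))


if __name__ == "__main__":
    edges, trigger = build_network()
    print("before:", edges[0].forward("203.0.113.9", "172.19.61.1"))
    trigger.blackhole("172.19.61.1")                      # destination-based RTBH
    print("after :", edges[0].forward("203.0.113.9", "172.19.61.1"))
    for e in edges:
        e.urpf_loose = True
    trigger.blackhole("203.0.113.9")                      # source-based RTBH
    print("source:", edges[0].forward("203.0.113.9", "172.19.61.2"))
```

The same trigger serves both cases: blackholing the target drops traffic for that /32 only, the rest of 172.19.61.0/24 keeps forwarding; blackholing the attacker's source with uRPF loose check on the edges drops its packets without taking the destination offline, and the whitelist refuses to blackhole addresses the network must never lose.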
Black Hole Filtering – Source Based
 Dropping on destination is very important
  Dropping on source is often what we really want
 Requires Unicast RPF
 Reacting using the source address provides some interesting options
  Stop the attack without taking the destination offline
  Filter command and control servers
  Filter (quarantine) infected end stations
 Must be rapid and scalable
  Leverage pervasive BGP again
Black Hole Filtering – Source Based
 Advantages of using source-based filtering
  No ACL update
  No change to device configuration
  Drops happen in the forwarding path
  Frequently changes when attack profiles are dynamic
 Weaknesses when using source-based filtering
  Source detection and enumeration
  Attack termination detection (reporting)
  Will drop all packets with that source and destination on all triggered interfaces, regardless of actual intent
  Remember spoofing: don’t let the miscreant spoof the true source-based target and trick you into black holing them
  Whitelist important sites that should never be blocked
Source-Based RTBH – Drop at the Edge
[Figure: same provider topology; the NOC trigger advertises via iBGP the list of blackholed prefixes based on source addresses, and the edge routers toward Peer A, Peer B, Upstream A, and Upstream B drop incoming packets based on their source address.]
What If I Can’t Deploy RTBH?
 Start with Unicast RPF and static routes to Null0
 Results in traffic source drops
interface g0/0
 ip verify unicast source reachable-via rx allow-default
ip route 10.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
 For example, traffic from 10.1.1.1 will be discarded
 Can be deployed in reaction to attacks
 A start, but it won’t be fast and doesn’t scale
Utilizing Internal RTBH Deployment
 Both source and destination drops can be used internally
  Source drops are likely the most interesting case
  Destination drops still result in target DoS
  Don’t forget the Internet and WAN edges
 Provides an effective mechanism to handle internal attacks
  Drop traffic from worm-infected devices
  Quarantine owned devices on the network
  Protecting your infrastructure
  Whitelist to prevent self-DoS
Case Study
Microsoft Server Service, MS08-067 (CVE-2008-4250)
Microsoft Server Service, MS08-067
Attack stages:
  1. Probe
  2. Penetrate [variant dependent]
  3. Persist [variant dependent]
  4. Propagate [variant dependent]
  5. Paralyze
Network behaviors:
 Scan for endpoints listening on TCP/445
 Guess and/or predict credentials on TCP/445
 Deliver buffer overflow in Server Service via TCP/445
 Exploit via mapped and removable drives
 Infected device scans for MS08-067, exploits, and hot patches the vulnerability
 Connect to HTTP and/or peer-to-peer C&C
 Opens a web listener on 1024-9999
 Exploit via network shares
 Updates via P2P
 Random domain name space
 Variant dependent
Behaviors on the victim host:
 Create new files
 Modify registry
 Open a web listener on a random port from 1024-9999
 Accept commands via MS08-067 peer-to-peer (P2P)
 Scheduled task used to execute malcode
 DNS hooking
 IP address filtering
 Malcode hot patch for MS08-067 evades detection tools
 Weaken security settings
 Terminate system and security services
 Validate encrypted and signed download content
Conficker a.k.a. Downadup and MS08-067
Timeline, October 2008 to March 2009:
 15 October 2008: MIT MD6 hash released
 23 October 2008: MS08-067 published; Cisco Security Agent prevents exploitation using default desktop or default server policies
 21 November 2008: Conficker.A spreads
  Exploits MS08-067
  DNS hooking
  Connects to 250 randomly generated domains/hosts per day
  MD5 hashing w/1024-bit RSA digital certificate
 29 December 2008: Conficker.B spreads, 38 days after Conficker.A
  Network share exploitation using 445/tcp added
  Removable drive propagation added
  Connects to a different set of 250 randomly generated domains/hosts per day
  MD6 hashing w/4096-bit RSA digital certificate
 15 January 2009: MIT MD6 buffer overflow patched; Conficker.A+B affected by this vulnerability
 15 January 2009—15 February 2009: major growth in Conficker.A+B population
 4 February 2009: SRI Conficker analysis published
Conficker a.k.a. Downadup and MS08-067 (Cont.)
Timeline, February 2009 onward:
 12 February 2009: Conficker Working Group announced
 15 February 2009—???: DNS mitigation by CWG for Conficker.A+B
 20 February 2009: Conficker.C discovered, 53 days after Conficker.B
  Accepts commands from other Conficker nodes using peer-to-peer (P2P) via the MS08-067 vulnerability
  Conficker begins to shift to a resilient P2P architecture
 4 March 2009: Conficker.D discovered, 65 days after Conficker.B and 12 days after Conficker.C
  Connects to 500 random hosts per day (24 hours) out of 50k randomly generated domains on 1 April 2009
  Peer-to-peer with other Conficker.D infected nodes
  MIT MD6 vulnerability patched
  MS08-067 scanning removed
  More processes added to the termination list
  DNS blacklist updated for security-related web sites
  Transition to the new phone-home method
 4 March 2009—???: DNS mitigation by CWG for Conficker.C
 8 March 2009: SRI Conficker.C analysis published
 30 March 2009—3 April 2009: media goes crazy over Conficker.D
 30 March 2009—4 April 2009: various detection tools and research published
 1 April 2009: Conficker.D activation date; April Fools is here, everything is melting :D
 8 April 2009: Conficker.E, 27 days after Conficker.D
  Updates Conficker.B+.C+.D
  Deletes itself on May 3
Conficker/Downadup At Work

 Exploits vulnerability in Windows server service
  - MS08-067 (445/tcp)
 Originally uses HTTP as its Command and Control (C&C) channel
 Criminals are smart, they monitor advancements in technology and use it to their advantage
  - Conficker.A uses MD5 with 1024-bit RSA digital certs
  - Conficker.B moves to MD6 with 4096-bit RSA digital certs
  - Buffer overflow patched in MD6 on 15 January 2009
  - Criminals patch MD6 in the Conficker.D variant, 4 March 2009
Conficker/Downadup At Work

 Adds ability to infect via network shares and removable media
 DNS hooking used to prevent infected devices from accessing security-related sites for assistance
  - Blacklist updated with new variants
 Process list monitoring and process termination
  - Process list updated with new variants
Conficker/Downadup At Work

 Criminals monitor what the industry is doing to prevent their malicious behaviors and move to a new Peer-to-Peer (P2P) C&C channel
  - Formation of Conficker Working Group (CWG)
  - DNS mitigations
 New P2P C&C channel is more resilient and accepts commands from other Conficker infected nodes
 Media frenzy for April Fools doesn't pan out
 While nothing major happened—Conficker is still hard at work and devices are still infected, being infected, being updated, along with other malicious behaviors
  - Begins to download new/existing malware—Waledac
Mitigating and Detecting Exploitation

 Cisco Security Agent (CSA)
  - Interceptors prevent exploitation via network vector and mapped/removable drives
 Patch for vulnerability
  - Auto-updates or other patch management solutions
  - Windows Server Update Services (WSUS)
 ACLs
  - Mitigation at the Layer 3 boundary where deployed
  - VLAN maps or Port ACLs for L2 access control (if needed)
  - If the service is required, ACLs provide no protection against sources that are permitted to reach the service
Mitigating and Detecting Exploitation

 IPS signatures
  - Intelligence about the vulnerability on the wire
  - Better when the application is required or ACLs do not suffice
  - Mitigates only if the sensor is deployed inline and is configured to take a deny action
 NetFlow traffic analysis
  - Deviations from baseline traffic profile
  - Comparison with known malicious sources
 DNS query analysis
  - Cyber criminals leverage DNS to distribute command and control channel information (rendezvous points)
Mitigation: CSA

 Security Application Interceptors
  - Prevent Code Execution in Many Cases
  - Must Be in Protect Mode to Prevent
Mitigation: Cisco IOS ACL (Modularized)
ip access-list extended ACCESS-LIST
200 deny ip 127.0.0.0 0.255.255.255 any !-- Deny Loopback netblock (src)
210 deny ip any 127.0.0.0 0.255.255.255 !-- Deny Loopback netblock (dst)
220 deny ip 192.0.2.0 0.0.0.255 any !-- Deny Test-Net netblock (src)
230 deny ip any 192.0.2.0 0.0.0.255 !-- Deny Test-Net netblock (dst)
240 deny ip 169.254.0.0 0.0.255.255 any !-- Deny Link Local netblock (src)
250 deny ip any 169.254.0.0 0.0.255.255 !-- Deny Link Local netblock (dst)
----- MS RPC 0-day ACEs -----
500 deny tcp any 192.168.100.0 0.0.0.255 eq 135 !-- MS RPC Endpoint Mapper
510 deny tcp any 192.168.100.0 0.0.0.255 eq 139 !-- NetBIOS Session Service
520 deny tcp any 192.168.100.0 0.0.0.255 eq 445 !-- Microsoft DS, and Zotob
530 deny udp any 192.168.100.0 0.0.0.255 eq 445 !-- SMB vulns
540 deny udp any 192.168.100.0 0.0.0.255 eq 1025 !-- MS RPC and LSA exploit traffic,
!-- and RinBot scanning for hosts
!-- that are vulnerable
550 deny tcp any 192.168.100.0 0.0.0.255 range 1024 5000 !-- MS RPC DNS 0-day scans
560 deny tcp any any eq 4444 !-- Metasploit Reverse Shell
570 deny udp any any eq 1434 !-- MS SQL, Sapphire/Slammer Worm
580 deny tcp any any range 6660 6669 !-- IRC traffic
590 deny tcp any any eq 7000 !-- IRC traffic
Mitigation: FW ACL (Modularized)

Firewall# show access-list tACL
access-list tACL line 1 deny ip host 127.0.0.0 any
access-list tACL line 2 deny ip 192.0.2.0 255.255.255.0 any
access-list tACL line 3 deny ip any 192.0.2.0 255.255.255.0
--------- Output Truncated -------
access-list tACL line 10 deny icmp any 192.168.100.0 255.255.255.0 echo
--------- Output Truncated -------
--------- Insert ACE Rules -------
access-list tACL line 19 permit tcp any host 192.168.100.10 eq www
access-list tACL line 20 permit tcp any host 192.168.100.10 eq https
--------- Output Truncated -------
access-list tACL line 35 deny ip any any

ACE inserted at line 19, ahead of the permits for the web server:
Firewall(config)# access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 445
Detection: ACL Counters

Firewall ACL Counters

Firewall# show access-list tACL
-------- Output Truncated ---------
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 445 (hitcnt=912)

Router ACL Counters

Router# show access-lists ACCESS-LIST
Extended IP access list ACCESS-LIST
-------- Output Truncated -------------
500 deny tcp any 192.168.100.0 0.0.0.255 eq 445 (371 matches)
Detection: Firewall Syslog Events
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35565 to 192.168.1.34/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35566 to 192.168.1.87/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35567 to 192.168.1.168/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35568 to 192.168.1.76/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35569 to 192.168.1.238/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35570 to 192.168.1.201/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35571 to 192.168.1.135/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35572 to 192.168.1.172/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35573 to 192.168.1.69/445 flags SYN on interface outside
Nov 16 2008 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35574 to 192.168.1.23/445 flags SYN on interface outside
Nov 16 2008 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35575 to 192.168.1.47/445 flags SYN on interface outside
Nov 16 2008 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35576 to 192.168.1.118/445 flags SYN on interface outside
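As an added example that is not part of the original deck, the following Python parses messages in the %ASA-2-106001 format shown above and flags any source that was denied to many distinct hosts on 445/tcp inside a short window, which is the sweep pattern the excerpt illustrates. The sample log is constructed from the twelve denials above plus one unrelated denial; the threshold and window values are assumptions to be tuned per network.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the ASA-2-106001 "Inbound TCP connection denied" message as
# it appears in the slide's syslog excerpt.
ASA_106001 = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-2-106001: "
    r"Inbound TCP connection denied "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) "
    r"flags (?P<flags>\S+) on interface (?P<ifc>\S+)$"
)


def parse_106001(line):
    """Parse one ASA-2-106001 line into a dict; return None for any other message."""
    m = ASA_106001.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def find_port_sweeps(lines, port=445, min_targets=10, window_s=60):
    """Flag sources whose denied SYNs to `port` reached at least `min_targets`
    distinct destination hosts within any `window_s`-second window.

    Returns {source_ip: total number of distinct destinations seen for that source}.
    min_targets and window_s are assumed tuning values, not from the deck.
    """
    per_src = defaultdict(list)          # src -> [(timestamp, dst), ...]
    for line in lines:
        ev = parse_106001(line)
        if ev is not None and ev["dport"] == port:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    sweeps = {}
    for src, events in per_src.items():
        events.sort()                    # oldest first
        lo = 0
        for hi in range(len(events)):
            # Advance the window start until it spans at most window_s seconds.
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            targets_in_window = {dst for _, dst in events[lo:hi + 1]}
            if len(targets_in_window) >= min_targets:
                sweeps[src] = len({dst for _, dst in events})
                break
    return sweeps


# Constructed sample: the twelve denials from the slide, one per line, plus one
# unrelated denial from a different source that must not be flagged.
SAMPLE_LOG = """\
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35565 to 192.168.1.34/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35566 to 192.168.1.87/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35567 to 192.168.1.168/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35568 to 192.168.1.76/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35569 to 192.168.1.238/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35570 to 192.168.1.201/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35571 to 192.168.1.135/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35572 to 192.168.1.172/445 flags SYN on interface outside
Nov 16 2008 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35573 to 192.168.1.69/445 flags SYN on interface outside
Nov 16 2008 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35574 to 192.168.1.23/445 flags SYN on interface outside
Nov 16 2008 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35575 to 192.168.1.47/445 flags SYN on interface outside
Nov 16 2008 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35576 to 192.168.1.118/445 flags SYN on interface outside
Nov 16 2008 15:09:02: %ASA-2-106001: Inbound TCP connection denied 192.168.208.77/51000 to 192.168.1.34/445 flags SYN on interface outside
""".splitlines()

if __name__ == "__main__":
    for src, n in find_port_sweeps(SAMPLE_LOG).items():
        print(f"{src}: denied SYNs to {n} distinct hosts on 445/tcp")
```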
Detection: IPS

Signature ID | Description | Attack Phase
7280/0, 7280/1 | Windows Server Service Remote Code Execution | Detect and/or Prevent Vulnerability Exploitation; Penetrate
13491/0 | Worm Activity—Brute Force | Multiple Account Lock Messages, Access to ADMIN$, Write to system32; Persist and Propagate (5602/0, 5605/0, and 5589/0)
13492/0 | Worm Activity—Brute Force | 40 Account Lock Messages Within 60 Seconds; Persist and Propagate (5605/0)
16293/0, 16293/1, 16293/2 | Conficker Worm Shellcode | Detects Shellcode Used by Conficker.A Variant; Propagate
16296/0 | Potential Conficker Command and Control Request | Detects Request via C&C; Persist and Propagate
16297/0, 16297/1 | Worm Activity—Brute Force | Multiple SMB Logon Failures, 9 in 30 Seconds; Persist and Propagate
References

 Microsoft Security Bulletin MS08-067, Vulnerability in Server Service Could Allow Remote Code Execution (958644)
  http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
 Cisco Applied Mitigation Bulletin: Out-of-Band Microsoft Security Bulletin for October 23, 2008
  http://tools.cisco.com/security/center/viewAlert.x?alertId=16944
 Cisco IntelliShield Vulnerability Alert: Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability, 16941
  http://tools.cisco.com/security/center/viewAlert.x?alertId=16941
References (Cont.)

 Cisco IntelliShield Malicious Code Alert: Worm: W32/Conficker.worm, 17121
  http://tools.cisco.com/security/center/viewAlert.x?alertId=17121
 Microsoft Malware Protection Center: Win32/Conficker
  http://www.microsoft.com/security/portal/Entry.aspx?name=Win32/Conficker
 Conficker Worm: Help Protect Windows from Conficker
  http://technet.microsoft.com/en-us/security/dd452420.aspx
 Information About Worm:Win32/Conficker.D
  http://blogs.technet.com/mmpc/archive/2009/03/27/information-about-worm-win32-conficker-d.aspx
References (Cont.)

 Win32/Conficker Variants Update
  http://blogs.technet.com/mmpc/archive/2009/04/09/win32-conficker-variants-update.aspx
 Conficker Working Group (CWG)
  http://www.confickerworkinggroup.org/wiki/
  http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionDistribution
 CERT NetSA: SiLK Conficker.C Plugin
  https://tools.netsa.cert.org/wiki/display/tt/SiLK+Conficker.C+Plugin
References (Cont.)

 SRI Conficker Analysis, An Analysis of Conficker's Logic and Rendezvous Points
  http://mtc.sri.com/Conficker
  http://mtc.sri.com/Conficker/addendumC/index.html
  http://mtc.sri.com/Conficker/contrib/plugin.html
  http://mtc.sri.com/Conficker/contrib/scanner.html
 Containing Conficker
  http://iv.cs.uni-bonn.de/conficker
  http://www.honeynet.org/papers/conficker
  http://www.honeynet.org/node/388
Key Takeaways

 Know your infrastructure and its capabilities, as many features are already embedded
 Know your information sources and correlate data to make meaningful and actionable intelligence out of it
 Leverage multiple protection methods that complement one another, as any single method can fail, be bypassed, or be defeated
 Deploy appropriate protection methods closest to the victim and to the malicious user
 Do not forget the human layer: educate your users and provide security awareness training
Recommended Reading

 Continue your Cisco Live learning experience with further reading from Cisco Press®
 Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store
Recommended Reading

 Additional resources for your security library
 Check the Recommended Reading flyer for suggested books

Available at Your Local Book Stores
Complete Your Session Evaluation

 Please give us your feedback!!
  - Complete the evaluation form you were given when you entered the room
 This is session BRKSEC-2004
  - Don't forget to complete the overall event evaluation form included in your registration kit

YOUR FEEDBACK IS VERY IMPORTANT FOR US!!! THANKS
Appendix
Strive for Operational Simplicity

 Network ops is critical to security system design
  - How will your system hold up under attack?
  - Do you have the tools needed to respond effectively?
 Good management tools
  - Ensure manageability when under attack
  - Excellent visibility of threats
 Good operational processes
  - Ensure late night changes will not cripple security
  - Monitoring tools, responding to, and handling incidents
 Operational simplicity helps reduce downtime
Threat and Attack Models

Resource Exhaustion Attacks
  - DoS attack makes target unavailable for its intended service
  - Attempted by direct, transit, or reflection-based attack
Spoofing Attacks
  - Uses packets that masquerade with false data (such as source IP address) to exploit a trust relationship
Transport Protocol Attacks
  - Prevents upper-layer communication between hosts or hijacks established session
  - Exploits previous authentication measures
  - Enables eavesdropping or false data injection
Routing Protocol Attacks
  - Prevents or disrupts routing protocol peering or redirects traffic flows
  - Attempts to inject false information, alter existing information, or remove valid information

*Detailed Information About IPv6 Threats and Mitigations is Available in BRKSEC-2003
Threat and Attack Models (cont.)

Attacks Against Control-Plane Services
  - Attacks against DHCP, DNS, and NTP
  - Affects network availability and operations
Unauthorized Access Attacks
  - Attempts to gain unauthorized access to restricted systems and networks
Software Vulnerabilities
  - Software defect that may compromise confidentiality, integrity, or availability of the device and data plane traffic
Malicious Network Reconnaissance
  - Gathering info about a target device, network, or organization
  - Enables attacker to identify specific security weaknesses that may be exploited in a future attack
Application Layer Protocol Inspection

 Regex introduced in 7.2 provides ability to filter specific traffic
  - Not available on FWSM

Firewall# show run all | include regex _default_
regex _default_gator "Gator"
regex _default_firethru-tunnel_2 "[/\\]cgi[-]bin[/\\]proxy"
regex _default_shoutcast-tunneling-protocol "1"
regex _default_http-tunnel "[/\\]HT_PortLog.aspx"
regex _default_x-kazaa-network "[xX]-[kK][aA][zZ][aA][aA]-[nN][eE][tT][wW][oO][rR][kK]"
regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\\][Xx][-][Mm][Ss][Nn][-][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"
regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"
regex _default_gnu-http-tunnel_uri "[/\\]index[.]html"
regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"
regex _default_gnu-http-tunnel_arg "crap"
regex _default_icy-metadata "[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"
regex _default_GoToMyPC-tunnel "machinekey"
regex _default_windows-media-player-tunnel "NSPlayer"
regex _default_yahoo-messenger "YMSG"
regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"
regex _default_firethru-tunnel_1 "firethru[.]com"
FPM Monitoring

 Show all or designated FPM class maps
  rtr# show class-map type [stack | access-control] [<name>]
 Show all or designated FPM policy maps
  rtr# show policy-map type access-control [<name>]
 Show FPM policy maps on designated interface, including the number of packets matched
  rtr# show policy-map type access-control interface <interface>
  or
  rtr# show policy-map type access-control control-plane <>
 Show runtime classification information for loaded FPM classes and policies
  rtr# show protocols phdf <loaded-protocol>
 Show listing of user-defined PHDFs stored locally on router
  rtr# dir disk0:*.phdf
 Track all FPM events in both control plane and data plane
  rtr# debug fpm event
FPM Capability Phasing

Functionality | ACL | FPM Phase 1, 12.4(4)T | FPM Phase 1+, 12.4(6)T1 | FPM 12.4(15)T | FPM Phase 3
No. of ACEs per Interface | Unlimited | 32 classes | 32 classes | Unlimited | Unlimited
No. of Match Criteria/ACE | 4 | 8 | 8 | Unlimited | Unlimited
Depth of Inspection | 44 Bytes | 256 Bytes | 256 Bytes | Full Pkt | Stream
Raw Offset | No | Yes | Yes | Yes | Yes
Relative Offset (Fixed Header Length Support) | No | Yes | Yes | Yes | Yes
Dynamic Offset (Variable Header Length Support) | No | No | No | Yes | Yes
Match on Payload TLV Fields | No | No | No | No | Yes
Nested Policies | No | Yes | Yes | Yes | Yes
Nested Class-Maps | No | No | No | Yes | Yes
Regex Match | No | Yes | Yes | Yes | Yes
String Match | No | No | Yes | Yes | Yes
Match String Pattern Window | No | 32 Bytes | 32 Bytes | 256 Bytes | Full Pkt
Protocol Support | IPv4, TCP, UDP, ICMP | IPv4, TCP, UDP, ICMP, Ethernet | Phase 1 | Phase 1+ + GRE, IPSec | Phase 2 + DNS, SNMP, HTTP, IPv6
FPM Performance vs. Equivalent ACLs
 Compare FPM to ACL processor utilization percent
 Ten FPM classes or equivalent ACL
 Matching on src/dst IP addr, src/dst TCP port, and TCP protocol
 Ten TCP traffic streams, 50% of generated traffic matching
 7206VXR NPE-400, 128 MB, 12.4(4)T

Filter Type 1000 pps 2000 pps 3000 pps 4000 pps 5000 pps
No Filter 13% 14% 15% 16% 17%
FPM 1st Match 38% 42% 43% 43% 43%
ACL 1st Match 30% 36% 37% 37% 37%
FPM 5th Match 42% 50% 59% 59% 59%
ACL 5th Match 32% 39% 40% 41% 41%
FPM 10th Match 42% 50% 50% 50% 50%
ACL 10th Match 32% 39% 39% 39% 39%
ASA Syslog Level vs. Number of Messages

Number of messages per level, with the running total (SUM) in parentheses:

Log Level | Description | Ver. 6.3 | Ver. 7.0 | Ver. 7.2 | Ver. 8.0 | Ver. 8.1
0 | Emergencies | 0 | 0 | 0 | 0 | 0
1 | Alerts | 41 (41) | 62 (62) | 77 (77) | 78 (78) | 87 (87)
2 | Critical | 21 (62) | 29 (91) | 35 (112) | 49 (127) | 50 (137)
3 | Errors | 74 (136) | 274 (365) | 334 (446) | 361 (488) | 363 (500)
4 | Warnings | 56 (192) | 179 (544) | 267 (713) | 280 (768) | 281 (781)
5 | Notifications | 21 (213) | 161 (705) | 206 (919) | 216 (984) | 218 (999)
6 | Informational | 95 (308) | 234 (939) | 302 (1221) | 335 (1319) | 337 (1336)
7 | Debugging | 15 (323) | 217 (1156) | 258 (1479) | 266 (1585) | 267 (1603)
FWSM Syslog Level vs. Number of Messages

Number of messages per level, with the running total (SUM) in parentheses:

Log Level | Description | Ver. 2.3 | Ver. 3.1 | Ver. 3.2 | Ver. 4.0
0 | Emergencies | 0 | 0 | 0 | 0
1 | Alerts | 58 (58) | 67 (67) | 67 (67) | 67 (67)
2 | Critical | 21 (79) | 29 (96) | 29 (96) | 29 (96)
3 | Errors | 94 (173) | 305 (401) | 306 (402) | 318 (414)
4 | Warnings | 131 (304) | 194 (595) | 196 (598) | 199 (613)
5 | Notifications | 26 (330) | 167 (762) | 169 (767) | 178 (791)
6 | Informational | 116 (446) | 245 (1007) | 248 (1015) | 255 (1046)
7 | Debugging | 23 (469) | 225 (1232) | 225 (1240) | 226 (1272)
Debug Commands

 Debugs should not be the first choice to troubleshoot a problem
 Debugs can negatively impact the CPU of the box, and also its performance; use with caution
 Debugs are not conditional*
 Know how much traffic, of the specified type, is passing through the firewall before enabling the respective debug

* Crypto Conditional Debugging Was Added to Cisco ASA/PIX 8.0
Debug ICMP Trace

[Diagram: inside host behind the firewall pinging http://www.cisco.com on the Internet]

 Valuable tool used to troubleshoot connectivity issues
 Provides interface and translation information to quickly determine flow
 Echo replies must be explicitly permitted through the ACL, or ICMP inspection must be enabled

Example debug icmp trace output
ICMP echo-request from inside:10.1.1.2 to 198.133.219.25 ID=3239 seq=4369 length=80
ICMP echo-request: translating inside:10.1.1.2 to outside:209.165.201.22
ICMP echo-reply from outside:198.133.219.25 to 209.165.201.22 ID=3239 seq=4369 length=80
ICMP echo-reply: untranslating outside:209.165.201.22 to inside:10.1.1.2
NetFlow Versions

NetFlow Version | Comments
1 | Original
5 | Standard and Most Common
7 | Specific to Cisco Catalyst 6500 and 7600 Series Switches; Similar to Version 5, but Does not Include AS, Interface, TCP Flag and TOS Information
8 | Choice of 11 Aggregation Schemes; Reduces Resource Usage
9 | Flexible, Extensible File Export Format to Enable Easier Support of Additional Fields and Technologies; Coming Out Now Are MPLS, Multicast, and BGP Next-Hop
Adaptive Control Technology
Next Generation Rapid Threat Containment and Response

 Threat Mitigation Service (TMS) is a framework for rapid network-wide distribution and response to threats
  - Near real-time threat response
 Threat Information Distribution Protocol (TIDP) transports messages containing abstract information about threats and suggested remedial actions
  - Threat Information Message (TIM)
 Devices are provisioned with policies for enforcement of traffic and response actions
  - Access control list
  - Traffic redirection
Threat Information Distribution Protocol

 TIM is distributed from TIDP Mitigation Service (TMS) controller to TIDP consumers
  - Threat Information Message identifies threat
  - TIM created in threat definition file using XML
 Messages authenticated, encrypted, and have replay protection
 Receiving devices configured with unique policies
  - Device uses local policy to convert TIMs into dynamic policy enforcement
Threat Containment Using ACT

 TIDP is a protocol that allows for the quick distribution of information about network-based threats
 All TIDP-enabled nodes use the payload content according to their own configuration and translate it to enforce appropriate actions

[Diagram: TIM generation via CLI / SDM on the TIDP controller; the TIM* is carried by the Threat Information Distribution Protocol to the end point devices, where a rules engine local to each device acts on it (intelligence resides in the end point devices); an NMS/syslog server receives the logging]

* TIM—Threat Information Message
Automated Signature Extraction (ASE/DASE)

 Dynamically extracts signatures for potential malware without need for human intervention
 Utilizes a sensor-to-collector architecture
 Linux-based collector and TIDP (TMS) for message exchange
 Available in 12.4(15)T
 Automatic signature extraction
  http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/htautosg.html
Advanced Topics
Test Yourself

 Metasploit is an exploitation framework that provides a lot of flexibility to test yourself—it's very easy to test client and service exploits; more information is at www.metasploit.com
 Scapy is a powerful packet manipulation program—requires some Python knowledge but is useful for creating specific types of network traffic; more information is at http://www.secdev.org/projects/scapy/

>>> x = fragment(IP(dst="192.168.15.60")/ICMP()/("abc"*1200),fragsize=1200)
>>> x[1].frag=145    # changed the Fragment Offset of the second fragment
>>> send(x)

17:52:13.113797 IP (tos 0x0, ttl 64, id 1, offset 0, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: ICMP echo request, id 0, seq 0, length 1200
17:52:13.119594 IP (tos 0x0, ttl 64, id 1, offset 1160, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: icmp
17:52:13.125617 IP (tos 0x0, ttl 64, id 1, offset 2400, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: icmp
17:52:13.131597 IP (tos 0x0, ttl 64, id 1, offset 3600, flags [none], proto ICMP (1), length 28) 192.168.2.63 > 192.168.15.60: icmp
Security = Moving Target

 Metasploit ShikataGaNai encoder makes creating exploits using polymorphic shell code very simple; this means that simple string matches such as 0x90/0x90/0x90 are trivial to avoid
 Metasploit meterpreter allows for relatively simple dll injection and command execution that is difficult to detect (leaves no new processes, files or network connections) on the compromised system
 XT Bot utilized Dynamic Remote Settings Stub (DRSS) to hide communications; think a bot that uses steganography for communication
 Fast flux DNS for Botnet networks makes Botnets difficult to neutralize
Deceptive Defense

 Darknets and illegal IP space (dark space) monitoring provide the ability to more easily identify outbreaks and aid in detecting probing that may fall under the normal radar
 Honeypots, low interaction: deployed inside the network these help quickly identify compromised systems and miscreants; real world studies have shown a ratio of 1/1000 IP space is effective
 Honeytokens: a purposefully set piece of information that should only be accessed by illegal activity

Source: Virtual Honeypots, pg. 308
Deceptive Defense Benefits

 Low false-positive rate
  - Attack already passes several characteristics of valid attacks such as illegal IP space, non-production hosts
 Aid in zero-day detection
 Easily identifies internal outbreaks
 Scalable: Nepenthes scales well, Honeyd can create large virtual networks
Utilizing Low Interaction Honeypots to Increase Network Security?

 IPS can be configured to perform an event action override when a predetermined threshold has been met; these actions could be block address or deny attacker inline, which can happen for a specified time frame
 The IPS Target Value Rating (TVR) can be used to increase the risk rating for events which happen targeting a specific host or subset of hosts
 A low interaction Honeypot such as Nepenthes (http://nepenthes.mwcollect.org/) could be deployed in conjunction with an artificially-inflated TVR to trigger event actions such as deny attacker inline to remove threats before they attack real systems
Deceptive Defense in Action

[Diagram: Internet hosts and an attacker (10.10.10.100) reach the network through an IPS sensor; the low interaction honey pot is 192.168.100.10]
Deceptive Defense Mitigating the Attack

 Signature 3338/1 Windows LSASS RPC overflow, base risk rating 75 (severity = high, fidelity = 75)
  - risk rating = (ASR*TVR*SFR)/10000 + ARR – PD + WLR
 Calculated for a target value rating set to high:
  - ASR(100) * TVR(150) * SFR(75)/10000 + ARR – PD + WLR = 112.5, which is capped at the risk rating maximum of 100
 Event action override 90–100 (deny attacker inline/request block host)

[Diagram: the attacker (10.10.10.100) reaching the low interaction honey pot (192.168.100.10) through the IPS sensor is blocked; Internet hosts are unaffected]
Deceptive Defense Caveats

 Make sure the host can not be used to launch attacks (block outgoing access from the host)
 Use common sense; the Honeynet project, http://www.honeynet.org/, has several research papers and presentations available
Remotely Triggered Blackhole

 Configure all edge routers with static route to Null0 (must use reserved network)
  ip route 192.0.2.1 255.255.255.255 Null0
 Configure trigger router
  - Part of iBGP mesh
  - Dedicated router recommended
 Activate blackhole
  - Redistribute host route for victim into BGP with next-hop set to 192.0.2.1
  - Route is propagated using BGP to all BGP speakers and installed on routers with the 192.0.2.1 route
  - All traffic to victim now sent to Null0
Step 1—Prepare All Routers with Trigger

 Select a small block that will not be used for anything other than blackhole filtering—Test-Net (192.0.2.0/24) is optimal
 Put a static route with a /32 from Test-Net (192.0.2.0/24) to Null0 on every edge router on the network

ip route 192.0.2.1 255.255.255.255 Null0
Sinkhole Routers/Networks

 Sinkholes are a topological security feature—think network honeypot
 Router or workstation built to suck in traffic and assist in analyzing attacks (original use)
 Redirect attacks away from the victim—work the attack on a router built to withstand it
 Used to monitor attack noise, scans, data from misconfiguration and other activity (via the advertisement of default or illegal IP space)
 Traffic is typically diverted via BGP route advertisements and policies
 Leverage instrumentation in a controlled environment
  - Pull the traffic past analyzers/analysis tools
BGP Sinkhole Trigger

 Leverage the same BGP technique used for RTBH
 Dedicated trigger router redistributes a more specific route for the destination being rerouted
  - Next-hop set via route-map
 All BGP-speaking routers receive the update
 Complex designs can use multiple route-maps and next-hops to provide very flexible designs
 May require BGP on all routers
Example—BGP Sinkhole Triggers

 Sinkhole IP: 192.0.2.8
 Victim IP: 192.168.20.1
 Trigger router configuration

router bgp 65500
 redistribute static route-map static-to-bgp

route-map static-to-bgp permit 10
 match tag 66
 set origin igp
 set ip next-hop 192.0.2.8    <-- sinkhole address, not Null0
 set community no-export

ip route 192.168.20.1 255.255.255.255 Null0 tag 66

 All traffic destined to 192.168.20.1 will be redirected to the sinkhole
Sinkhole Routers/Networks

[Diagram: the sinkhole router advertises 192.168.20.1/32, so traffic for the target host 192.168.20.1 in the target's network 192.168.20.0/24 is drawn away from the customer links into the sinkhole network]
Cisco WebEx Meeting Manager ActiveX Control (CVE-2008-3558)
Cisco WebEx Vulnerability

 Vulnerability in Cisco WebEx Meeting Manager ActiveX Control—CVE-2008-3558
  http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml
 Buffer overflow in vulnerable ActiveX control—atucfobj.dll
  - Class Identifier (CLSID) 32E26FD9-F435-4A20-A561-35D4B987CFDC
  - Program Identifier (ProgID) WebexUCFObject
  - NewObject() method
 Successful exploitation results in arbitrary code execution on client-side
Cisco WebEx Vulnerability
 Allows WebEx meeting participants to view Universal Communication Format (UCF) content
 Client-side program remotely exploited with user interaction
Web-based email messages
Internet browsing
Web-based instant messaging
Cross-site scripting (CSS/XSS)
Phishing
 Cisco applied mitigation bulletin: Identifying and Mitigating Exploitation of the Vulnerability in Cisco WebEx Meeting Manager ActiveX Control
http://www.cisco.com/warp/public/707/cisco-amb-20080814-webex.shtml

Cisco WebEx Vulnerability
 Cisco IntelliShield vulnerability alert: Cisco WebEx Meeting Manager WebexUCFObject ActiveX Control Buffer Overflow Vulnerability, 16425
http://tools.cisco.com/security/center/viewAlert.x?alertId=16425
 WebEx Meeting Manager is auto-downloaded on first connection and auto-upgraded on subsequent connections

Preventing Vulnerability Exploitation
 Cisco Security Agent (CSA)
Interceptors prevent exploitation
 IPS signatures
Intelligence about the vulnerability on the wire
Better when the application is required or ACLs do not suffice
Mitigates only if the sensor is deployed inline and is configured to do so
 Firewall HTTP application layer protocol inspection
Protection against web-based threats
Deep-packet inspection
Policy enforcement at ingress/egress access points

IPS Signature, 6988/0
sensor# show events alert | include 6988
evIdsAlert: eventId=1214370540454919078 severity=high vendor=Cisco
originator:
hostId: sensor
appName: sensorApp
appInstanceId: 28725
time: 2008/08/14 18:55:50 2008/08/14 18:55:50 UTC
signature: description=WebEx Meeting Manager ActiveX Overflow id=6988 version=S352
subsigId: 0
sigDetails: WebEx Meeting Manager ActiveX Overflow
marsCategory: Penetrate/ClientExploit/Web
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 192.168.7.12
port: 80
target:
addr: locality=OUT 192.168.2.11
port: 2925
os: idSource=learned type=windows-nt-2k-xp relevance=relevant
alertDetails: Component Signature List: 6988.1 5477.2 ;
riskRatingValue: targetValueRating=medium 80
threatRatingValue: 80
interface: ge0_0
sensor#

Firewall HTTP Application Inspection
!-- Create regexes for the vulnerable control's CLSID and ProgID
regex CLSID_activeX "32[Ee]26[Ff][Dd]9[-][Ff]435[-]4[Aa]20[-][Aa]561[-]35[Dd]4[Bb]987[Cc][Ff][Dd][Cc]"
regex ProgID_activeX "WebexUCFObject.WebexUCFObject.1"
!
!-- Create regex class map (name is case-sensitive; it must match the policy-map reference below)
class-map type regex match-any vulnerable-activeX-Class
 match regex CLSID_activeX
 match regex ProgID_activeX
!
!-- Create object-group with port list
object-group service WEBPORTS tcp
 port-object eq www
 port-object eq 3128
 port-object eq 8000
 port-object eq 8010
 port-object eq 8080
 port-object eq 8888
 port-object eq 24326
!
!-- Create access-list containing object-group
access-list Webports-ACL extended permit tcp any any object-group WEBPORTS
!
!-- Create class-map matching object-group traffic
class-map Webports-Class
 match access-list Webports-ACL
!
!-- Create inspection policy map and actions
policy-map type inspect http http-Policy
 parameters
  protocol-violation action drop-connection
 match response body regex class vulnerable-activeX-Class
  drop-connection log
!
!-- Apply and deploy policy map
policy-map global_policy
 class Webports-Class
  inspect http http-Policy
!
service-policy global_policy global

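The body-regex check the firewall policy above performs, written out in Python as an added example (not Cisco's code and not part of the original deck): the same two patterns are applied to the body of constructed HTTP responses, headers are deliberately excluded as they would be by "match response body", and the match-any result decides between drop-connection and permit. Sample responses and connection ids are constructed for the example.

```python
import re
from typing import List, Tuple

# The two patterns from the firewall configuration above, as Python byte regexes.
# The CLSID pattern keeps the per-nibble case classes the ASA regex uses; the
# ProgID pattern escapes the dots (the ASA regex leaves them as wildcards, which
# still matches the literal ProgID but is looser).
CLSID_ACTIVEX = re.compile(
    rb"32[Ee]26[Ff][Dd]9[-][Ff]435[-]4[Aa]20[-][Aa]561[-]35[Dd]4[Bb]987[Cc][Ff][Dd][Cc]"
)
PROGID_ACTIVEX = re.compile(rb"WebexUCFObject\.WebexUCFObject\.1")

# Name -> pattern, named after the 'regex' statements in the ASA configuration.
REGEX_CLASS = {"CLSID_activeX": CLSID_ACTIVEX, "ProgID_activeX": PROGID_ACTIVEX}


def split_http_response(raw: bytes) -> Tuple[bytes, bytes]:
    """Split a raw HTTP response into (headers, body) at the first blank line.
    The firewall matches 'response body', so headers are deliberately excluded.
    Chunked or compressed bodies must be decoded before they reach this function."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return b"", raw  # no separator: treat everything as body
    return head, body


def match_vulnerable_activex(response: bytes) -> List[str]:
    """Return the names of the regexes in class vulnerable-activeX-Class that
    match the response body (match-any: one hit is enough to trigger)."""
    _, body = split_http_response(response)
    return [name for name, rx in REGEX_CLASS.items() if rx.search(body)]


def inspect_responses(responses: List[Tuple[str, bytes]]) -> List[Tuple[str, str, List[str]]]:
    """Apply the policy-map action to each (connection id, response) pair:
    drop-connection and log on a body match, otherwise let it through."""
    decisions = []
    for conn_id, response in responses:
        hits = match_vulnerable_activex(response)
        action = "drop-connection log" if hits else "permit"
        decisions.append((conn_id, action, hits))
    return decisions


# Constructed sample responses (not captured traffic).
BENIGN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          b"<html><body><p>Welcome to the intranet.</p></body></html>")
CLSID_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b'<object classid="clsid:32e26fd9-f435-4a20-a561-35d4b987cfdc"></object>')
PROGID_SCRIPT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n\r\n"
                 b'var o = new ActiveXObject("WebexUCFObject.WebexUCFObject.1");')
# The ProgID appears only in a header here, so the body match must not fire.
HEADER_ONLY = (b"HTTP/1.1 200 OK\r\nX-Debug: WebexUCFObject.WebexUCFObject.1\r\n\r\n"
               b"<html></html>")

SAMPLES = [("c1", BENIGN), ("c2", CLSID_PAGE), ("c3", PROGID_SCRIPT), ("c4", HEADER_ONLY)]

if __name__ == "__main__":
    for conn_id, action, hits in inspect_responses(SAMPLES):
        print(f"{conn_id}: {action} {hits}")
```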
Detecting Vulnerability Exploitation
 Events in CSA agent log and management console log
 IPS signature alerts
 Counters from show command output
 Syslog events and messages

Firewall HTTP Application Inspection
firewall#show logging | grep 415007
Aug 14 2008 14:35:54: %ASA-5-415007: HTTP - matched response body regex class vulnerable-activeX-Class in policy-map http-Policy, Body matched - Dropping connection from outside:192.0.2.117/2329 to inside:192.168.60.65/80
Aug 14 2008 14:36:57: %ASA-5-415007: HTTP - matched response body regex class vulnerable-activeX-Class in policy-map http-Policy, Body matched - Dropping connection from outside:192.0.2.150/2330 to inside:192.168.60.65/80
firewall#

firewall# show service-policy inspect http

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
    Class-map: Webports-Class
      Inspect: http http-Policy, packet 5025, drop 20, reset-drop 0
        protocol violations
          packet 0
        match response body regex class vulnerable-activeX-Class
          drop-connection log, packet 20
firewall#

References
 [Full-disclosure] Webex atucfobj Module ActiveX Control Buffer Overflow Vulnerability
http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0084.html
 US-CERT Vulnerability Note VU#661827
http://www.kb.cert.org/vuls/id/661827
 Cisco WebEx Meeting Manager (atucfobj.dll) ActiveX Remote BOF Exploit
http://www.milw0rm.com/exploits/6220
 WebEx Meeting Manager atucfobj.dll ActiveX Control Remote Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/30578/

References (Cont.)
 Preventing ActiveX Exploits with Cisco Firewall Application Layer Protocol Inspection
http://www.cisco.com/web/about/security/intelligence/actX-ALPI_amiddleton.html
 ActiveX—Active Exploitation (Warlord, 2008)
http://www.uninformed.org/?v=9&a=2&t=sumry
 How to Stop an ActiveX Control from Running in Internet Explorer
http://support.microsoft.com/kb/240797

Windows TCP/IP, MS08-001 (CVE-2007-0069, CVE-2007-0066)

Vulnerabilities
 Windows kernel TCP/IP IGMPv3 and MLDv2 vulnerability—CVE-2007-0069
Remote code execution or denial-of-service utilizing crafted packets over IGMPv3/IPv4 (Windows XP, Windows Vista, Windows Server 2003) or MLDv2/IPv6 (Windows Vista)
 Windows kernel TCP/IP ICMP vulnerability—CVE-2007-0066
Denial-of-service utilizing fragmented ICMP router advertisement packet
 Microsoft security bulletin MS08-001: Critical Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
http://www.microsoft.com/technet/security/bulletin/MS08-001.mspx

IGMPv3/MLDv2
 RFCs: IGMPv3/RFC 3376, IGMPv2/RFC 2236, IGMPv1/RFC 1112, MLDv2/RFC 3810, MLDv1/RFC 2710
 Both protocols provide essentially the same multicast functionality
 Not much information in the initial advisory; however, a miscreant could potentially get in the ballpark by looking at what features have been added between protocol versions
 Routers will not forward multicast unless configured to do so
Will forward LSRR and SSRR packets unless disabled
 A working exploit could potentially own or DoS all hosts that are part of a multicast group on a local network
 Encapsulation or social engineering could be used to traverse Layer 3 boundaries

ICMP Type 9 RFC 1256
 A host never sends Type 9 messages (if obeying the RFC)
 Valid destination addresses are 224.0.0.1, 224.0.0.2, and 255.255.255.255
 Therefore this is all link-local; Layer 3 controls provide little benefit except in possible corner cases. Preventing hosts from sending ICMP Type 9 messages at Layer 2 will mitigate the vulnerability
 Since the vulnerability requires fragmentation, preventing fragmentation is an effective mitigation
 A miscreant could potentially encapsulate this message in something else, such as loose source routing, to make the message appear as if it were from a router and to be able to perform the exploit from non-local networks

Mitigating the Vulnerability
 Cisco IOS
ACLs: fragmentation filtering, protocol filtering, options filtering
Layer 2 preferred
Features such as no ip source-route and ip options drop
 IPS signatures
6224/0, 6755/0, and 2150/0—fragmented ICMP traffic (2150/0 is available via ip audit in ASA and FWSM)
Provides no mitigation unless directed to do so
 ASA and FWSM
Default handling of IP options: drop packets with options present
fragment chain command
 Endpoint patch or host firewall

Mitigation: Cisco IOS Features and ACLs
Router(config)#no ip source-route
Router(config)#ip options drop
% Warning: RSVP and other protocols that use IP Options packets may not function as expected.
----------
Router(config)#ip access-list extended tACL
!-- the fragments keyword matches non-initial fragments; the ICMP entry below
!-- catches the initial fragment, which carries the Type 9 header
Router(config-ext-nacl)#deny ip any any fragments
Router(config-ext-nacl)#deny icmp any any router-advertisement
Router(config-ext-nacl)#deny ip any any option lsr
Router(config-ext-nacl)#deny ip any any option ssr

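The four tACL entries above, evaluated in software over constructed IPv4 packets, as an added example (not Cisco code and not part of the original deck). It decodes only the fields the ACL looks at: the fragment offset (the IOS fragments keyword matches non-initial fragments only, so a fragmented Type 9 needs both the fragments entry and the ICMP entry), the IP option list for LSRR/SSRR, and the ICMP type when the header is present. Addresses, option contents and the packet builder are constructed for the example.

```python
import struct
from typing import Dict, List, Optional

# IPv4 option numbers (RFC 791) behind the 'option lsr' / 'option ssr' ACE keywords.
IPOPT_LSRR = 131
IPOPT_SSRR = 137
IPPROTO_ICMP = 1
ICMP_ROUTER_ADVERTISEMENT = 9   # the ICMP Type 9 message RFC 1256 reserves for routers


def parse_ipv4(pkt: bytes) -> Dict[str, object]:
    """Decode only what the tACL looks at: non-initial fragment, option list,
    protocol and, when the ICMP header is present, the ICMP type."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, _tlen, _ident, frag_field, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    frag_offset = frag_field & 0x1FFF
    options: List[int] = []
    i = 20
    while i < ihl:                  # walk the option list between byte 20 and the end of the header
        opt = pkt[i]
        if opt == 0:                # End of Option List
            break
        if opt == 1:                # No Operation: single byte
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2:
            raise ValueError("malformed option")
        options.append(opt)
        i += pkt[i + 1]
    icmp_type: Optional[int] = None
    # Only the initial fragment (offset 0) carries the ICMP header; the IOS
    # 'fragments' keyword matches exactly the non-initial ones, which is why a
    # fragmented Type 9 needs both the fragments ACE and the ICMP ACE.
    if proto == IPPROTO_ICMP and frag_offset == 0 and len(pkt) > ihl:
        icmp_type = pkt[ihl]
    return {"proto": proto, "noninitial_fragment": frag_offset != 0,
            "options": options, "icmp_type": icmp_type}


def tacl_verdict(pkt: bytes) -> str:
    """Evaluate the four deny ACEs in order and return the one that fires,
    or 'permit' (the real ACL still needs explicit permit entries after them)."""
    f = parse_ipv4(pkt)
    if f["noninitial_fragment"]:
        return "deny ip any any fragments"
    if f["proto"] == IPPROTO_ICMP and f["icmp_type"] == ICMP_ROUTER_ADVERTISEMENT:
        return "deny icmp any any router-advertisement"
    if IPOPT_LSRR in f["options"]:
        return "deny ip any any option lsr"
    if IPOPT_SSRR in f["options"]:
        return "deny ip any any option ssr"
    return "permit"


def build_ipv4(proto: int, payload: bytes, options: bytes = b"",
               more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    """Constructed test packets (hypothetical addresses; checksum left zero,
    which parse_ipv4 does not verify)."""
    options += b"\x00" * (-len(options) % 4)        # pad option list to a 32-bit boundary
    ihl_words = 5 + len(options) // 4
    frag_field = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                      20 + len(options) + len(payload), 0x1234, frag_field, 64, proto, 0,
                      bytes([192, 168, 100, 5]), bytes([224, 0, 0, 1]))
    return hdr + options + payload


# ICMP router advertisement: type 9, code 0, checksum, num addrs, entry size, lifetime, one entry.
ROUTER_ADV = bytes([9, 0, 0, 0, 1, 2, 7, 8]) + bytes([192, 168, 100, 1]) + b"\x00\x00\x00\x0a"
LSRR_OPT = bytes([IPOPT_LSRR, 7, 4]) + bytes([192, 168, 60, 5])   # one hop in the route list
SSRR_OPT = bytes([IPOPT_SSRR, 7, 4]) + bytes([192, 168, 60, 5])

SAMPLES = {
    "type9_whole": build_ipv4(IPPROTO_ICMP, ROUTER_ADV),
    "type9_first_frag": build_ipv4(IPPROTO_ICMP, ROUTER_ADV, more_fragments=True),
    "type9_second_frag": build_ipv4(IPPROTO_ICMP, b"\x00" * 8, frag_offset=2),
    "lsrr": build_ipv4(17, b"\x00" * 8, options=LSRR_OPT),
    "ssrr": build_ipv4(17, b"\x00" * 8, options=SSRR_OPT),
    "plain_udp": build_ipv4(17, b"\x00" * 8),
    "icmp_echo": build_ipv4(IPPROTO_ICMP, bytes([8, 0, 0, 0, 0, 1, 0, 1])),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18s} -> {tacl_verdict(pkt)}")
```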
Mitigation: Cisco IOS VACL
!-- Create ACLs that match traffic. Action will be applied
!-- in VLAN map section.
!
ip access-list extended match-igmp-router
permit igmp host 192.168.100.1 any
!
ip access-list extended match-icmp-router
permit icmp host 192.168.100.1 any router-advertisement
!
ip access-list extended match-igmp-subnet
permit igmp 192.168.100.0 0.0.0.255 any
!
ip access-list extended match-icmp-subnet
permit icmp 192.168.100.0 0.0.0.255 any router-advertisement
!
ip access-list extended match-all-subnet
permit ip any any
!

Mitigation: Cisco IOS VACL (Cont.)
!-- Permit router to send IGMP anywhere
vlan access-map ms08-001 10
 match ip address match-igmp-router
 action forward
!-- Permit router interface to send ICMP router advertisements anywhere
vlan access-map ms08-001 20
 match ip address match-icmp-router
 action forward
!-- Drop IGMP for rest of subnet
vlan access-map ms08-001 30
 match ip address match-igmp-subnet
 action drop
!-- Drop ICMP Type 9 from rest of subnet
vlan access-map ms08-001 40
 match ip address match-icmp-subnet
 action drop
!-- Permit all other traffic
vlan access-map ms08-001 50
 match ip address match-all-subnet
 action forward
!
!-- Apply to VLAN 100
vlan filter ms08-001 vlan-list 100

Mitigation: ASA and FWSM
!-- The fragment chain command can be used to prevent fragments from traversing
!-- the firewall or specific interfaces; chain 1 effectively denies all fragments
Firewall(config)#fragment chain 1 [interface_name]

!-- Cisco ASA adaptive security appliances and FWSMs will, by default,
!-- drop all source-routed packets received on any interface and create an
!-- informational-level (severity 6) syslog message
106012: Deny IP from 192.168.100.5 to 192.168.60.5, IP options: "Loose Src Routing"
106012: Deny IP from 192.168.100.5 to 192.168.60.5, IP options: "Strict Src Routing"

Additional Mitigation and Monitoring
 Layer 2 anti-spoofing features such as IPSG and DHCP snooping, or port security
 Check device configuration for allowing multicast

MS08-001 References
 Microsoft Security Bulletin MS08-001: Critical Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
http://www.microsoft.com/technet/security/bulletin/MS08-001.mspx
 MS08-001 (part 2)—the Case of the Moderate ICMP Mitigations
http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-2-the-case-of-the-moderate-icmp-mitigations.aspx
 MS08-001 (part 3)—The Case of the IGMP Network Critical
http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-3-the-case-of-the-igmp-network-critical.aspx
 MS08-001—the Case of the Moderate, Important, and Critical Network Vulnerabilities
http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-the-case-of-the-moderate-important-and-critical-network-vulnerabilities.aspx
 MS08-001—The Case of the Missing Windows Server 2003 Attack Vector
http://blogs.technet.com/swi/archive/2008/01/10/MS08_2D00_001-_2D00_-The-case-of-the-missing-Windows-Server-2003-attack-vector.aspx

MS08-001 References (Cont.)
 Cisco applied mitigation bulletin: Microsoft Security Bulletin for January 2008
http://tools.cisco.com/security/center/viewAlert.x?alertId=14898
 Cisco IntelliShield vulnerability alert ID 14854: Microsoft Windows Kernel IGMP and MLD Code Execution Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=14854
 Cisco IntelliShield vulnerability alert ID 14853: Microsoft Windows Kernel ICMP Router Discovery Protocol Denial-of-Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=14853
 Exploit for MS08-001 demonstrated
http://blogs.pcmag.com/securitywatch/2008/01/exploit_for_ms08001_demonstrat.php

Storm Class Malware, CME711

Storm Malware, CME711
 Spam and social engineering convince the user to download an executable
 Download malicious software to the end host
[Diagram: attack phases against the victim]
1 Probe [Exploit Dependent]
2 Penetrate [Exploit Dependent]
3 Persist [Exploit Dependent]
4 Propagate [Exploit Dependent]
5 Paralyze
Exploit specific behavior:
 Download software
 Join P2P network
 Open up UDP port on local host above 1024
 Spam
 DDoS
 Update

Malware in Action: CME711
[Diagram: BotHerder, infected webserver, and victim]
1. BotHerder updates malcode on webtrap
2. Initiate new spam pointing to webtrap
3. User reads the spam and clicks link
4. User machine infected

Mitigating CME711
[Diagram: BotHerder, infected webserver, and victim, with the three points at which the chain can be broken]
1. Break initial exploitation vector
2. Break infection vector
3. Break joining botnet

Breaking the Bot
 Initial vector through spam message
User education and spam filtering
 Host downloads malware from webserver
Mitigate vulnerabilities on host (patch and best practices)
Use AV or HIPS to prevent exploitation
Web content filter
DNS blackholing
 Host opens a UDP port above 1024 and communicates with the P2P network (UDP 1024:65535  UDP 1024:65535)
ACLs/FPM
DNS
Syslog analysis and NetFlow

Mitigation: ACLs
!-- Router configuration
Router(config)#ip access-list extended tACL
!-- Deny UDP packets in range 1024 - 65535
Router(config-ext-nacl)#deny udp 192.168.2.0 0.0.0.255 range 1024 65535 any range 1024 65535

!-- Firewall configuration (same inside network as the router ACL)
Firewall(config)# access-list storm-udp extended deny udp 192.168.2.0 255.255.255.0 range 1024 65535 any range 1024 65535

What About FPM?
 The P2P traffic is encrypted with a simple key; this works and is functional today, but could change
 Snort signatures from http://doc.emergingthreats.net/2007701
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:3;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a6 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:1;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a0 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007702; rev:1;)
Source: EmergingThreats.net

Mitigation: FPM for Encrypted Storm
!-- Load PHDFs for IP and UDP
load protocol disk0:ip.phdf
load protocol disk0:udp.phdf
!
!-- Match UDP over IP packets
class-map type stack match-all ip_udp_class
 description "match UDP over IP packets"
 match field ip protocol eq 17 next udp
!
!-- Match Storm, CME711 packets: UDP port 1024:65535, UDP+payload length 33 bytes,
!-- and payload starting with 0x10a6
class-map type access-control match-all encrypted_storm
 description "match encrypted storm, cme711 packets"
 match field udp dest-port range 1024 65535
 match field udp length eq 33
 match start udp payload-start offset 0 size 2 eq 0x10a6
!
!-- Policy for UDP-based attacks
policy-map type access-control fpm_udp_policy
 class encrypted_storm
  drop
  log
!
!-- Drop worms and malicious attacks
policy-map type access-control fpm_policy
 class ip_udp_class
  service-policy fpm_udp_policy
!
!-- Apply and enable FPM policy
interface GigabitEthernet 0/1
 service-policy type access-control input fpm_policy

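The first Snort rule and the FPM class-map above describe the same packet: UDP between ports 1024-65535, a 25-byte payload (UDP length 33), and the bytes 10 a6 at offset 0. This added example (not Cisco's or Emerging Threats' code, and not part of the original deck) applies that stateless match to constructed UDP records, then layers the rule's "threshold: type both, count 2, seconds 60, track by_src" on top so that one source alerts once per 60-second window and only after two matching packets. Record fields, addresses and timestamps are constructed for the example.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple


class UdpRecord(NamedTuple):
    """One decoded UDP datagram (constructed input; in practice from a pcap or sensor)."""
    ts: float       # seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Conditions lifted from the Snort rule and the FPM class-map above.
EPHEMERAL = range(1024, 65536)       # $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535
STORM_PAYLOAD_LEN = 25               # Snort dsize:25; FPM 'udp length eq 33' = 8-byte header + 25
STORM_PREFIX = b"\x10\xa6"           # content:"|10 a6|"; depth:2 / payload-start offset 0 size 2 eq 0x10a6
THRESHOLD_COUNT = 2                  # threshold: type both, count 2, seconds 60, track by_src
THRESHOLD_SECONDS = 60.0


def is_storm_packet(r: UdpRecord) -> bool:
    """Stateless packet match: what the FPM policy drops on the interface, regardless of rate."""
    return (r.sport in EPHEMERAL and r.dport in EPHEMERAL
            and len(r.payload) == STORM_PAYLOAD_LEN
            and r.payload[:2] == STORM_PREFIX)


class StormThresholdDetector:
    """Snort 'threshold type both' per source: alert once per 60-second window,
    and only once the window has seen 2 matching packets; further matches in
    that window are suppressed."""

    def __init__(self) -> None:
        # src -> (window start, matches in window, alerted in window)
        self._state: Dict[str, Tuple[float, int, bool]] = {}

    def feed(self, r: UdpRecord) -> Optional[str]:
        if not is_storm_packet(r):
            return None
        start, count, alerted = self._state.get(r.src, (r.ts, 0, False))
        if r.ts - start >= THRESHOLD_SECONDS:         # window expired: start a fresh one
            start, count, alerted = r.ts, 0, False
        count += 1
        msg = None
        if count >= THRESHOLD_COUNT and not alerted:
            alerted = True
            msg = f"ET TROJAN Storm Worm Encrypted Variant 1 Traffic src={r.src} dst={r.dst}:{r.dport}"
        self._state[r.src] = (start, count, alerted)
        return msg


def run_detector(records: List[UdpRecord]) -> List[int]:
    """Return the indexes of the records that raised an alert."""
    det = StormThresholdDetector()
    return [i for i, r in enumerate(records) if det.feed(r) is not None]


STORM = b"\x10\xa6" + b"\x11" * 23          # 25-byte payload starting with 10 a6
# Constructed records; 192.168.2.0/24 is the inside network used on the ACL slide.
RECORDS = [
    UdpRecord(100.0, "192.168.2.10", 2048, "198.51.100.7", 7871, STORM),    # match 1: no alert yet
    UdpRecord(101.0, "192.168.2.10", 2048, "198.51.100.9", 19010, STORM),   # match 2: alert
    UdpRecord(102.0, "192.168.2.10", 2048, "198.51.100.9", 19010, STORM),   # same window: suppressed
    UdpRecord(103.0, "192.168.2.11", 53, "198.51.100.9", 19010, STORM),     # sport 53: outside 1024:65535
    UdpRecord(104.0, "192.168.2.12", 3000, "198.51.100.9", 19010, STORM + b"\x00" * 7),        # dsize 32
    UdpRecord(105.0, "192.168.2.13", 3000, "198.51.100.9", 19010, b"\x10\xa0" + b"\x11" * 23), # wrong prefix
    UdpRecord(170.0, "192.168.2.10", 2048, "198.51.100.9", 19010, STORM),   # new window: count 1
    UdpRecord(171.0, "192.168.2.10", 2048, "198.51.100.9", 19010, STORM),   # count 2: alert again
]

if __name__ == "__main__":
    for i in run_detector(RECORDS):
        print(f"alert on record {i}: {RECORDS[i].src} -> {RECORDS[i].dst}")
```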
Mitigation: Deny Downloader via HTTP Inspection
!-- Create regex and regex class map
regex exe_url ".*\.[Ee][Xx][Ee]"
class-map type regex match-any bad_urls
 match regex exe_url
class-map type inspect http match-any http-urls
 match request uri regex class bad_urls
class-map http-port
 match port tcp eq www
!-- Create policy map, actions set to drop and log
policy-map type inspect http http-policy
 parameters
  protocol-violation action drop-connection
 class http-urls
  drop-connection log
!-- Apply and enable "EXE Downloader" policy
policy-map global_policy
 class http-port
  inspect http http-policy
service-policy global_policy global

Mitigation: Deny Botnet Access via DNS Inspection
!-- Domains from http://www.disog.org/text/storm-fastflux.txt
regex bad_domain1 "tibeam\.com"
regex bad_domain2 "tushove\.com"
regex bad_domain3 "kqfloat\.com"
!
!-- Regex class must reference the regex names defined above
class-map type regex match-any bad_domains
 match regex bad_domain1
 match regex bad_domain2
 match regex bad_domain3
!
class-map type inspect dns bad_domain_query
 match not header-flag QR
 match question
 match domain-name regex class bad_domains
!
policy-map type inspect dns bad_domain_policy
 class bad_domain_query
  drop log
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map egress_policy
 class inspection_default
  inspect dns bad_domain_policy
!
service-policy egress_policy interface inside

Identification
 NetFlow or syslog showing communication UDP 1024:65535 to UDP 1024:65535
 NetFlow changes in behavior during spamming or DDoS
 IPS signatures 5894/0 and 5894/1
 ACL counters

Storm Worm References
 Storm Worm DDoS Attack
http://www.secureworks.com/research/threats/view.html?threat=storm-worm
 Storm (Worm) Peacomm Analysis
http://www.cyber-ta.org/pubs/StormWorm/report/
 Schneier on Security
http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html
 April Storm's Day Campaign
http://asert.arbornetworks.com/2008/03/april-storms-day-campaign/
 Antirootkit.com blog
http://www.antirootkit.com/blog/category/storm-worm/
 The Evolution of Peacomm to all-in-one Trojan
http://www.symantec.com/enterprise/security_response/weblog/2007/04/the_evolution_of_peacomm_to_al.html
 Known Storm Fast Flux Domains
http://www.disog.org/text/storm-fastflux.txt

Windows DNS Server RPC Interface, MS07-029 (CVE-2007-1748)

Microsoft DNS Server RPC Interface
 Query RPC endpoint mapper on TCP/135 for vulnerable ports, or scan TCP/1024-5000
 Guess user accounts on TCP/139 and 445
 Deliver buffer overflow
[Diagram: attack phases against the victim; probed ports TCP/139, TCP/445, UDP/445, TCP 1024-5000]
1 Probe
2 Penetrate
3 Persist [Variant Dependent]
4 Propagate [Variant Dependent]
5 Paralyze
Malcode specific (W32/Nirbot.worm!83E1220A):
 Download and copy malicious code to C:\U.exe
 Create back door access
 Connect to command and control on TCP port 8080

Mitigating the Vulnerability
 ACLs
Mitigation at the L3 boundary where deployed; VLAN maps and port ACLs for L2 access control if needed
If the application is required, ACLs provide no value against those allowed access
 IPS signatures
Understand the application/vulnerability better; useful when the application is required or ACLs do not suffice
Provides no mitigation unless directed to do so
 Endpoint CSA or patch
Prevents exploitation

Mitigation: Cisco IOS ACL (Modularized)
ip access-list extended ACCESS-LIST
 200 deny ip 127.0.0.0 0.255.255.255 any !-- Deny Loopback netblock (src)
 210 deny ip any 127.0.0.0 0.255.255.255 !-- Deny Loopback netblock (dst)
 220 deny ip 192.0.2.0 0.0.0.255 any !-- Deny Test-Net netblock (src)
 230 deny ip any 192.0.2.0 0.0.0.255 !-- Deny Test-Net netblock (dst)
 240 deny ip 169.254.0.0 0.0.255.255 any !-- Deny Link Local netblock (src)
 250 deny ip any 169.254.0.0 0.0.255.255 !-- Deny Link Local netblock (dst)
 !-- MS RPC 0-day ACEs
 500 deny tcp any 192.168.100.0 0.0.0.255 eq 135 !-- MS RPC Endpoint Mapper
 510 deny tcp any 192.168.100.0 0.0.0.255 eq 139 !-- NetBIOS Session Service
 520 deny tcp any 192.168.100.0 0.0.0.255 eq 445 !-- Microsoft DS, and Zotob
 530 deny udp any 192.168.100.0 0.0.0.255 eq 445 !-- SMB vulns
 540 deny udp any 192.168.100.0 0.0.0.255 eq 1025 !-- MS RPC and LSA exploit traffic, and RinBot scanning for hosts that are vulnerable
 550 deny tcp any 192.168.100.0 0.0.0.255 range 1024 5000 !-- MS RPC DNS 0-day scans
 560 deny tcp any any eq 4444 !-- Metasploit Reverse Shell
 570 deny udp any any eq 1434 !-- MS SQL, Sapphire/Slammer Worm
 580 deny tcp any any range 6660 6669 !-- IRC traffic
 590 deny tcp any any eq 7000 !-- IRC traffic

Mitigation: FW ACL (Modularized)
Firewall# show access-list tACL
access-list tACL line 1 deny ip host 127.0.0.0 any
access-list tACL line 2 deny ip 192.0.2.0 255.255.255.0 any
access-list tACL line 3 deny ip any 192.0.2.0 255.255.255.0
--------- Output Truncated -------
access-list tACL line 10 deny icmp any 192.168.100.0 255.255.255.0 echo
--------- Output Truncated -------
access-list tACL line 19 permit tcp any host 192.168.100.10 eq www
access-list tACL line 20 permit tcp any host 192.168.100.10 eq https
--------- Output Truncated -------
access-list tACL line 35 deny ip any any

access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 135
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 445
access-list tACL line 19 deny udp any 192.168.100.0 255.255.255.0 eq 445
access-list tACL line 19 deny udp any 192.168.100.0 255.255.255.0 eq 1025
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 range 1024 5000

Mitigation: IPS Signature 5858
ips6x#show events alert | include id=5858
------------Output Truncated ----------
signature: description=DNS Server RPC Interface Buffer Overflow id=5858 version=S282   <-- signature description and ID
subsigId: 0
sigDetails: DNS Server RPC Interface Buffer Overflow
marsCategory: Penetrate/BufferOverflow/RPC
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=OUT 192.168.6.66
port: 1063
target:
addr: locality=IN 192.168.1.11
port: 1032
os: idSource=learned type=windows-nt-2k-xp relevance=relevant   <-- OS identification/relevancy
actions:
deniedPacket: true
riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant   <-- risk rating/action/threat rating
threatRatingValue: 50
interface: ge0_0
protocol: tcp

Mitigation: CSA
 Security application interceptors
Prevent code execution in many cases
Must be in protect mode to prevent

Identification: ACL Counters
!-- Firewall ACL counters
Firewall# show access-list tACL
-------- Output Truncated ---------
access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 135 (hitcnt=3)
access-list tACL line 20 deny tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn (hitcnt=0)
access-list tACL line 21 deny tcp any 192.168.100.0 255.255.255.0 eq 445 (hitcnt=10)
access-list tACL line 22 deny tcp any 192.168.100.0 255.255.255.0 range 1024 5000 (hitcnt=106)

!-- Router ACL counters
Router#show access-lists ACCESS-LIST
Extended IP access list ACCESS-LIST
-------- Output Truncated -------------
500 deny tcp any 192.168.100.0 0.0.0.255 eq 135 (4 matches)
510 deny tcp any 192.168.100.0 0.0.0.255 eq 139
520 deny tcp any 192.168.100.0 0.0.0.255 eq 445
530 deny udp any 192.168.100.0 0.0.0.255 eq 445
540 deny tcp any 192.168.100.0 0.0.0.255 range 1024 5000 (96 matches)

Identification: Firewall Syslog Events
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35565 to 192.168.2.1/1025 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35566 to 192.168.2.1/1026 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35567 to 192.168.2.1/1027 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35568 to 192.168.2.1/1028 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35569 to 192.168.2.1/1029 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35570 to 192.168.2.1/1030 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35571 to 192.168.2.1/1031 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35572 to 192.168.2.1/1032 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35573 to 192.168.2.1/1033 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35574 to 192.168.2.1/1033 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35575 to 192.168.2.1/1032 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35576 to 192.168.2.1/1031 flags SYN on interface outside

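The syslog events above show one source walking TCP/1025 upward on a single host, the high-port sweep that precedes the DNS RPC exploit. This added example (not Cisco code and not part of the original deck) parses %ASA-2-106001 lines of that shape, one event per line, and reports any source/destination pair that was denied on several distinct ports in TCP/1024-5000. The sample log, the five-port threshold and the helper that builds lines are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

# Shape of the %ASA-2-106001 message shown above.
ASA_106001 = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-2-106001: "
    r"Inbound TCP connection denied (?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) flags (?P<flags>\S+) "
    r"on interface (?P<iface>\S+)$"
)


class DeniedConn(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    iface: str


def parse_106001(line: str) -> Optional[DeniedConn]:
    """Parse one syslog line; returns None for anything that is not a 106001 event."""
    m = ASA_106001.match(line.strip())
    if m is None:
        return None
    return DeniedConn(m["ts"], m["src"], int(m["sport"]), m["dst"],
                      int(m["dport"]), m["flags"], m["iface"])


RPC_DYNAMIC_PORTS = range(1024, 5001)   # TCP/1024-5000, where the DNS RPC endpoint is sought
MIN_DISTINCT_PORTS = 5                  # hypothetical threshold for calling it a sweep


def find_rpc_port_sweeps(lines: Iterable[str],
                         min_ports: int = MIN_DISTINCT_PORTS) -> Dict[Tuple[str, str], List[int]]:
    """Group denied inbound SYNs by (source, destination) and report the pairs
    that touched at least min_ports distinct ports in TCP/1024-5000."""
    touched: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for line in lines:
        ev = parse_106001(line)
        if ev is None or "SYN" not in ev.flags or ev.dport not in RPC_DYNAMIC_PORTS:
            continue
        touched[(ev.src, ev.dst)].add(ev.dport)
    return {pair: sorted(ports) for pair, ports in touched.items() if len(ports) >= min_ports}


def _asa_line(ts: str, src: str, sport: int, dst: str, dport: int) -> str:
    """Build a constructed 106001 line in the format the firewall emits."""
    return (f"{ts}: %ASA-2-106001: Inbound TCP connection denied "
            f"{src}/{sport} to {dst}/{dport} flags SYN on interface outside")


# Constructed sample log, modelled on the slide: one scanner walking 1025-1033,
# plus unrelated denies and a line that is not a 106001 event at all.
SAMPLE_LOG = (
    [_asa_line("May 16 2007 15:08:47", "192.168.208.63", 35565 + i, "192.168.2.1", 1025 + i)
     for i in range(9)]
    + [_asa_line("May 16 2007 15:08:48", "192.168.208.63", 35580, "192.168.2.1", 80),    # not in range
       _asa_line("May 16 2007 15:08:48", "192.168.208.70", 40001, "192.168.2.1", 1025),  # single port
       "May 16 2007 15:08:49: %ASA-6-302013: Built outbound TCP connection 12345 for ..."]
)

if __name__ == "__main__":
    for (src, dst), ports in find_rpc_port_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {len(ports)} ports on {dst}: {ports[0]}-{ports[-1]}")
```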
Identification: IPS
Signature ID   Description                                 Attack Phase
5858/0-4       DNS Server RPC Interface Buffer Overflow    Detect Vulnerability
3010/0         TCP High Port Sweep                         Detect TCP High Port Probe [Probe]
5606/0         SMB Authorization Failure                   Detect SMB Authentication Attempts [Probe]
5576/0         SMB Login Successful with Guest             SMB Authentication [Probe]
5577/0         SMB Null Login Attempt                      SMB Authentication [Probe]
12674/0        Non-HTTP Traffic                            Command and Control Bot Access [Persist and Propagate]

The Exploits
 W32/Nirbot.worm!83E1220A
Download worm on random HTTP server port
Connect via IRC over port 8080
IRC servers include:
{blocked}.rofflewaffles.us
{blocked}.anti-viral.us
{blocked}.wayne.brady.gonna.have.to.{blocked}.us
 Exploits are sort of like chasing your tail, but there are several patterns we can catch (this time) or ways in which these can be mitigated

Exploit Specific
 Restricting outbound policy to a few good ports (80, 443, 53, 25, 21) will prevent IRC over 8080
 Web filtering or using a proxy may prevent download of the worm over HTTP
 ACL for blacklisting IRC C&C servers
 DNS blackholing for C&C servers (DNS resolution to 127.0.0.1)
 Firewall application inspection on port 8080
 Search transit device logs or NetFlow for IRC servers and C&C servers

Exploit Specific: ASA HTTP Inspection
!
access-list web-ports extended permit tcp any any eq 80
access-list web-ports extended permit tcp any any eq 8080
!
class-map webports
match access-list web-ports
!
policy-map type inspect http http-policy
parameters
protocol-violation action drop-connection
!
policy-map global_policy
class webports
inspect http http-policy
!
service-policy global_policy global
!

References
 Microsoft Security Bulletin MS07-029, Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx
 Microsoft Security Advisory (935964), Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/935964.mspx
 Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Microsoft Security Advisory (935964) Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
http://www.cisco.com/warp/public/707/cisco-amb-20070413-ms-rpc-dns.shtml

References (Cont.)
 Cisco IntelliShield Vulnerability Alert: Microsoft Windows DNS Server RPC Interface Buffer Overflow Vulnerability, 13092
http://tools.cisco.com/security/center/viewAlert.x?alertId=13092
 Nirbot's Latest Move: MS DNS Exploits [Arbor]
http://asert.arbornetworks.com/2007/04/nirbots-latest-move-ms-dns-exploits/
 W32.Rinbot.BC [Symantec]
http://www.symantec.com/security_response/writeup.jsp?docid=2007-041701-3720-99&tabid=2

References (Cont.)
 New Rinbot Scanning for Port 1025 DNS/RPC [SANS]
http://www.isc.sans.org/diary.html?storyid=2643
 W32/Delbot-AI [Sophos]
http://www.sophos.com/security/analyses/viruses-and-spyware/w32delbotai.html
 W32/Nirbot.worm!83E1220A [McAfee]
http://vil.nai.com/vil/content/v_142025.htm