RE: Router/Switches and viruses

["Steven Williams" <Steven.Williams () computershare com au>]

I've seen a PSTN connected laptop user infected with blaster drop
numerous Extreme Black Diamond switches. The FDB tables fill up,
processes start running at very high CPU% and packets start getting
dropped across the switch. Eventually the switches become unreachable
and require a manual reboot.

This was due to a poorly implemented remote access policy. Using policy
based access control systems like Cisco's NAC or even restricting
protocol / host access could have prevented this. 

-----Original Message-----
From: Chris Byrd [mailto:cbyrd01 () yahoo com] 
Sent: Friday, May 06, 2005 1:09 PM
To: Seek Knowledge; focus-ids () securityfocus com
Subject: Re: Router/Switches and viruses


I had a desktop machine on a development/lab segment infected with SQL
Slammer take out a switch.  As you might recall, Slammer created a large
volume of small UDP packets to random destination addresses.  Although
the development lab was on it's own VLAN, the traffic completly
overwhelmed the switch.  This caused spanning tree to continually
recalcuate the entire network topology, and switch management was
completly unavailable (except for local access).  Needless to say I
didn't have a good day.

There are several things I've learned that can be done in my opinion to
help prevent or reduce the imact of this type of attack.  

First, switch management and administrative traffic (such as spanning
tree) should be on dedicated VLANs. 
Use VLAN pruning to keep VLANs off of unnecessary trunks. 

Second, keep broadcast domains small and use switch functions that
supress broadcasts.

Third, monitor network traffic levels and have a good baseline of what
is "normal".  New technolgoies such as NBAD - Network Behavioral Anomaly
Detection - can really help here.

Fourth, apply the concept of least privilege to your network traffic.
Why allow computers to talk to port
445 on your mail server, or computers on different floors to talk to
each other at all?

Fifth, last but not least, mutliple layers of desktop security (desktop
firewall, HIPS, AV, anti-spyware) and group or local policies can help
prevent the viruses in the first place.  I found out the hard way that
unless the development lab is _really_ on a seperate network, this goes
for those machines too.

- Chris

--- Seek Knowledge <aseeker03 () yahoo com> wrote:
> Does anyone have any first-hand experience with a single infected 
> desktop machine (or windows server for that matter) taking out a LAN 
> switch? Would anyone have any stories from the trenches of an infected

> machine causing a directly connected router to stop functioning?
>
> If so, what could be done to prevent such an outage?
> What IDS/IPS strategy might one implement to prevent and or at least 
> detect such an event?
>
> Thanks in advance.
> ASeeker
________________________________________________________________________
> Yahoo! Messenger - Communicate instantly..."Ping" 
> your friends today! Download Messenger Now 
> http://uk.messenger.yahoo.com/download/index.html
------------------------------------------------------------------------
--
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from

> CORE IMPACT.
> Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
------------------------------------------------------------------------
--
>


                
__________________________________
Yahoo! Mail Mobile
Take Yahoo! Mail with you! Check email on your mobile phone. 
http://mobile.yahoo.com/learn/mail 

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--



---
This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain 
information that is confidential and privileged.  If you receive this email in error, please advise us by return email 
immediately.  Please also disregard the contents of the email, delete it and destroy any copies immediately.
Computershare Limited and its subsidiaries do not accept liability for the views expressed in the email or for the 
consequences of any computer viruses that may be transmitted with this email.
This email is also subject to copyright.  No part of it should be reproduced, adapted or transmitted without the 
written consent of the copyright owner.


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------