IDS mailing list archives
RE: Router/Switches and viruses
From: "Steven Williams" <Steven.Williams () computershare com au>
Date: Mon, 9 May 2005 08:46:23 +1000
I've seen a PSTN connected laptop user infected with Blaster drop numerous Extreme Black Diamond switches. The FDB tables fill up, processes start running at very high CPU% and packets start getting dropped across the switch. Eventually the switches become unreachable and require a manual reboot. This was due to a poorly implemented remote access policy. Using policy based access control systems like Cisco's NAC or even restricting protocol / host access could have prevented this.

-----Original Message-----
From: Chris Byrd [mailto:cbyrd01 () yahoo com]
Sent: Friday, May 06, 2005 1:09 PM
To: Seek Knowledge; focus-ids () securityfocus com
Subject: Re: Router/Switches and viruses

I had a desktop machine on a development/lab segment infected with SQL Slammer take out a switch. As you might recall, Slammer created a large volume of small UDP packets to random destination addresses. Although the development lab was on its own VLAN, the traffic completely overwhelmed the switch. This caused spanning tree to continually recalculate the entire network topology, and switch management was completely unavailable (except for local access). Needless to say I didn't have a good day.

There are several things I've learned that can be done in my opinion to help prevent or reduce the impact of this type of attack.

First, switch management and administrative traffic (such as spanning tree) should be on dedicated VLANs. Use VLAN pruning to keep VLANs off of unnecessary trunks.

Second, keep broadcast domains small and use switch functions that suppress broadcasts.

Third, monitor network traffic levels and have a good baseline of what is "normal". New technologies such as NBAD - Network Behavioral Anomaly Detection - can really help here.

Fourth, apply the concept of least privilege to your network traffic. Why allow computers to talk to port 445 on your mail server, or computers on different floors to talk to each other at all?

Fifth, last but not least, multiple layers of desktop security (desktop firewall, HIPS, AV, anti-spyware) and group or local policies can help prevent the viruses in the first place. I found out the hard way that unless the development lab is _really_ on a separate network, this goes for those machines too.

- Chris

--- Seek Knowledge <aseeker03 () yahoo com> wrote:
Does anyone have any first-hand experience with a single infected desktop machine (or Windows server for that matter) taking out a LAN switch? Would anyone have any stories from the trenches of an infected machine causing a directly connected router to stop functioning? If so, what could be done to prevent such an outage? What IDS/IPS strategy might one implement to prevent and/or at least detect such an event? Thanks in advance.

ASeeker
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
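The baseline-and-deviation monitoring Chris Byrd recommends in his third point, as an added Python example that is not part of this thread: it summarises constructed flow records per source and time window, learns each host's normal fan-out from earlier windows, and flags a host that suddenly sprays small UDP datagrams at many random addresses, the Slammer pattern he describes. The record layout, addresses, ports and thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records: (window_id, src, dst, proto, dst_port, bytes).
# Windows 0-2 are "normal" traffic for three hosts; window 3 adds a worm-like host.
NORMAL = [
    (w, "10.1.1.%d" % h, dst, proto, port, size)
    for w in range(3)
    for h in (10, 11, 12)
    for dst, proto, port, size in (
        ("10.1.1.1", "udp", 53, 80),      # DNS to the local resolver
        ("10.1.2.5", "tcp", 445, 1500),   # file server
        ("10.1.2.20", "tcp", 25, 1200),   # mail server
    )
]
# Window 3: host .11 sends 404-byte UDP datagrams to 40 random addresses on 1434.
WORM = [(3, "10.1.1.11", "203.0.113.%d" % i, "udp", 1434, 404) for i in range(1, 41)]
FLOWS = NORMAL + WORM + [(3, "10.1.1.10", "10.1.1.1", "udp", 53, 80)]


def summarize(flows):
    """(window, src) -> distinct destinations, flow count, byte total, UDP flow count."""
    s = defaultdict(lambda: {"dsts": set(), "n": 0, "bytes": 0, "udp": 0})
    for w, src, dst, proto, _port, size in flows:
        rec = s[(w, src)]
        rec["dsts"].add(dst)
        rec["n"] += 1
        rec["bytes"] += size
        rec["udp"] += proto == "udp"
    return s


def baseline(summary, windows):
    """Per-source maximum distinct-destination count seen in the baseline windows."""
    base = defaultdict(int)
    for (w, src), rec in summary.items():
        if w in windows:
            base[src] = max(base[src], len(rec["dsts"]))
    return base


def detect(flows, baseline_windows, window, factor=5, min_dsts=20, max_avg=512):
    """Flag sources whose fan-out in `window` exceeds factor * baseline and an
    absolute floor while sending mostly small UDP packets. Returns {src: fan-out}."""
    summary = summarize(flows)
    base = baseline(summary, baseline_windows)
    flagged = {}
    for (w, src), rec in summary.items():
        if w != window:
            continue
        fanout, avg, udp_share = len(rec["dsts"]), rec["bytes"] / rec["n"], rec["udp"] / rec["n"]
        if fanout >= max(min_dsts, factor * base.get(src, 1)) and udp_share > 0.9 and avg <= max_avg:
            flagged[src] = fanout
    return flagged
```

Hosts with no baseline are compared against the absolute floor only, so a newly attached machine is still caught if it starts spraying immediately.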