BRKSEC-2004

Monitoring and Mitigating Threats

© 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public BRKSEC-2004 14344_04_2008_c2


Overview

Mitigation and Prevention

Monitoring and Identification

IPS Capabilities

Case Studies

Advanced Topics


How Computers and Networks Are Owned

Attack vectors:

  Service vulnerabilities (IIS, Apache, SMB)

  Application vulnerabilities (XSS)

  Denial of Service flooding: spoofed (smurf, SYN flood) and non-spoofed rate-based

  Packet conformance vulnerabilities

  Client-side application vulnerabilities

  Configuration vulnerabilities (weak passwords, lack of encryption, etc.)

Controls paired with them on the slide: Spoofing Prevention, Packet Conformance, User Education, Application Inspection, IPS Capabilities, Access Control


There Is No Silver Bullet

ACLs are most effective when the service is not required and are only effective between boundaries where they are deployed which is usually a Layer 3 interface

IPS only mitigates when it is configured to (which is seldom)

AV detection is not 100% (~85% with samples taken from honeypots)

All new technologies introduce potential vulnerabilities in themselves

Complexity introduces errors

Source: Virtual Honeypots


Know Your Enemy: Anatomy of an Attack

Target, then five phases:

1. Probe: ping addresses, scan ports, passive probing, guess user accounts, phishing and social engineering

2. Penetrate: mail attachments, buffer overflows, ActiveX controls, network installs, compressed messages, guess backdoors

3. Persist: create new files, modify existing files, weaken registry security settings, install new services, register trap doors

4. Propagate: mail copy of attack, web connection, IRC, FTP, infect file shares

5. Paralyze: delete files, modify files, drill security hole, crash computer, denial of service, steal secrets


Worm/Virus: Exploit Comparison (~20 Yrs)

The slide tabulates each worm against the five phases (Probe, Penetrate, Persist, Propagate, Paralyze):

Morris 1988
  Probe: Scan for Fingerd
  Penetrate: Buffer Overflow in Fingerd
  Persist: Execute Script to Download Code
  Propagate: Look for Addresses and Spread to New Victim
  Paralyze: Lots of Processes Slow System

Love Bug 2000
  Probe: N/A
  Penetrate: Arrive as Email Attachment
  Persist: Create Executables and Edit Registry
  Propagate: Open Address Book and Email Copies
  Paralyze: Worm Spreads

Code Red 2001
  Probe: Scan for IIS
  Penetrate: Buffer Overflow in IIS
  Persist: Execute Script to Download Code
  Propagate: Pick New Addresses and Spread to New Victim
  Paralyze: Lots of Threads Slow System

Slammer 2003
  Probe: N/A
  Penetrate: Buffer Overflow in SQL and MSDE
  Persist: N/A
  Propagate: Pick New Addresses and Spread to New Victim
  Paralyze: Lots of Packets Slow Network

MyDoom 2004
  Probe: N/A
  Penetrate: Arrive as Email Attachment
  Persist: Create Executables and Edit Registry
  Propagate: Open Address Book and Email Copies
  Paralyze: Worm Spreads

Zotob 2005
  Probe: Scan for MS Directory Services
  Penetrate: Buffer Overflow in Upnp Service
  Persist: Create Executables and Edit Registry, Download Code
  Propagate: Start FTP and TFTP Services, Look for Addresses and Spread to New Victim
  Paralyze: Delete Registry Keys and Files, Terminate Processes

MS RPC DNS 0day 2007
  Probe: Scan or Endpoint Mapper Query
  Penetrate: Buffer Overflow in RPC Service
  Persist: Execute Payload to Download Code
  Propagate: Look for Addresses and Spread to New Victim
  Paralyze: Worm Spreads


Defense-in-Depth Strategy (DIDS)

Layering security defenses reduces threat exposure and reduces window of opportunity for miscreants

Apply appropriate controls closest to the victim and miscreant

Any defense mechanism may fail, be bypassed, or defeated

Embrace multiple protection methods that complement each other



Mitigation and Prevention


Mitigation

Access Control

Spoofing Prevention

Packet Conformance

Application Inspection

Flexible Packet Matching


Access Control

Highly effective deterrent at an enforced boundary for Layer 3 and Layer 4 traffic

Not effective when services/applications are required by potentially malicious users

Classification ACLs aid in identification

Default deny ingress/egress will prevent a lot

Filter as precisely as possible: source and destination (Layer 3 and Layer 4)


ACL Cisco IOS vs. Firewall

Feature: Cisco IOS / ASA, PIX, and FWSM

TCP Flags: keywords syn, fin, ack, psh, urg, rst (12.3(4)T) / verified by default

TTL Filtering: ttl keyword (12.4(2)T) / ttl-evasion-protection via MPF

IP Option Filtering: option keyword (12.3(4)T) / drop IP options by default

State: use of the established keyword / ACLs have state

IP Fragmentation: fragments keyword on ACLs and ip virtual-reassembly under interface configuration / virtual reassembly using the fragment chain command


Utilizing Cisco IOS ACL Capabilities

!
Router(config)#ip access-list extended tACL
!
!-- Deny loose source routed packets
!
Router(config-ext-nacl)#deny ip any any option lsr
!
!-- Deny fragmented packets
!
Router(config-ext-nacl)#deny ip any any fragments
!
!-- Deny TCP packets with SYN and FIN flags set
!
Router(config-ext-nacl)#deny tcp any any match-all +syn +fin
!
!-- Deny packets with TTL values less than 5
!
Router(config-ext-nacl)#deny ip any any ttl lt 5
!


Layer 2 Access Control

VLAN Access Control List: permit ACE rules classify the traffic, the access map sets the action to drop, and the VACL is then applied for use.

!
!-- Create ACL default permit
ip access-list extended VACL-MATCH-ANY
 permit ip any any
!
!-- Create ACL match ports
ip access-list extended VACL-MATCH-PORTS
 permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
 permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 139
!
!-- Create VLAN Access Map for VACL policy
vlan access-map VACL 10
 match ip address VACL-MATCH-PORTS
 action drop
!
vlan access-map VACL 20
 match ip address VACL-MATCH-ANY
 action forward
!
!-- Apply and enable VACL for use
vlan filter VACL vlan 100
!

Port ACL:

!
!-- Port ACL
ip access-list extended <acl-name>
 permit <protocol> <source-address> <source-port> <destination-address> <destination-port>
!
interface <type> <slot/port>
 switchport mode access
 switchport access vlan <vlan_number>
 ip access-group <acl-name> in
!


Modular and Phase-Based ACL Policy

1. Anti-Spoofing

2. Anti-Bogon (Source)

3. Infrastructure Permit

4. Explicit Deny Specific Layer 3

5. Explicit Deny Specific Layer 4

6. Incident Response and Countermeasure

7. Explicit Permit Layer 3 (Good Traffic)

8. Explicit Permit Layer 3 (Good Traffic)

9. Explicit Deny

On the slide each phase is annotated with how often it changes (Rarely Changes, Sometimes Changes, or Changes Everyday; in slide order the annotations read Rarely, Sometimes, Sometimes, Everyday, Sometimes, Rarely, Rarely, Rarely, Sometimes), and the list as a whole is labelled Hybrid Permit/Deny.


Known, Unknown, and Undesirable Traffic

ip access-list extended ACCESS-LIST

200 deny ip 127.0.0.0 0.255.255.255 any !-- Deny Loopback netblock (src)

210 deny ip any 127.0.0.0 0.255.255.255 !-- Deny Loopback netblock (dst)

220 deny ip 192.0.2.0 0.0.0.255 any !-- Deny Test-Net netblock (src)

230 deny ip any 192.0.2.0 0.0.0.255 !-- Deny Test-Net netblock (dst)

240 deny ip 169.254.0.0 0.0.255.255 any !-- Deny Link Local netblock (src)

250 deny ip any 169.254.0.0 0.0.255.255 !-- Deny Link Local netblock (dst)

----- Output Truncated -----

500 deny tcp any any eq 135 !-- MS RPC Endpoint Mapper

510 deny tcp any any eq 139 !-- NetBIOS Session Service

520 deny tcp any any eq 445 !-- Microsoft DS, and Zotob

530 deny udp any any eq 445 !-- SMB vulns

540 deny tcp any any eq 4444 !-- Metasploit Reverse Shell

550 deny udp any any eq 1434 !-- MS SQL, Sapphire/Slammer Worm

560 deny tcp any any range 6660 6669 !-- IRC traffic

570 deny tcp any any eq 7000 !-- IRC traffic

----- Output Truncated -----

600 deny udp any any eq 1025 !-- MS RPC and LSA exploit traffic

610 deny tcp any any eq 5000 !-- UPnP Buffer Overflow exploit traffic


Access Control References

ASA 8.0 Identifying Traffic with Access Lists
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/traffic.html

Transit Access Control Lists: Filtering at Your Edge
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Configuring Network Security with ACLs
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swacl.html

Protecting Your Core: Infrastructure Protection Access Control Lists
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml


Spoofing Prevention

Minimize attacks that require spoofing (SYN flood, smurf attack)

Attack trace-back is simplified

Multiple features exist:
  Access Control Lists (ACLs)
  Unicast Reverse Path Forwarding (Unicast RPF)
  TCP Intercept (SYN Cookies)
  IP Source Guard (IPSG)*
  DHCP Snooping*

*Detailed information about Layer 2 security is available in BRKSEC-2002


Unicast Reverse Path Forwarding

Which mode to deploy, strict or loose? Strict for symmetrical flows

Loose for asymmetrical flows

Effectively drop packets that lack a verifiable IP source address

Not 100% effective – however, through proper deployment Unicast RPF can protect against most Layer 3 spoofed packets

Tuning for Unicast RPF is provided through ACLs


Strict Mode Unicast RPF

Router(config-if)# ip verify unicast source reachable-via rx
(deprecated syntax: ip verify unicast reverse-path)

The slide's diagram shows a router with int 1, int 2 and int 3 and this FIB:
  Dest Sx: path int 1
  Dest Sy: path int 2
  Dest Sz: path null0

A packet "Sx -> D data" arriving on int 1: source IP = rx int? Yes (the FIB reaches Sx via int 1), so it is forwarded.

A packet "Sy -> D data" arriving on an interface other than int 2: source IP != rx int (the FIB reaches Sy via int 2), so it is dropped.


Loose Mode Unicast RPF

Router(config-if)# ip verify unicast source reachable-via any

Same FIB as the strict-mode diagram (Dest Sx: int 1, Dest Sy: int 2, Dest Sz: null0).

A packet "Sy -> D data": source IP reachable via any int? Yes (via int 2), so it is forwarded whatever interface it arrived on.

A packet "Sz -> D data": the FIB entry for Sz points at null0 (shown as "???" on the slide), so there is no usable route back to the source and the packet is dropped.
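The strict- and loose-mode decisions from the two diagrams above, as an added Python model (not Cisco's code). It assumes concrete prefixes for the slide's Sx, Sy and Sz sources and a default route on int 3; the allow-default keyword from the next slide is modelled as a flag.

```python
import ipaddress

# Constructed FIB modelled on the slide's table (Sx -> int 1, Sy -> int 2, Sz -> null0).
# The prefixes are assumptions; the slide only labels the sources Sx, Sy and Sz.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"):   "int 3",  # default route towards the upstream (assumed)
    ipaddress.ip_network("10.1.0.0/16"): "int 1",  # Sx
    ipaddress.ip_network("10.2.0.0/16"): "int 2",  # Sy
    ipaddress.ip_network("10.3.0.0/16"): "null0",  # Sz: prefix black-holed to the discard interface
}


def fib_lookup(addr):
    """Longest-prefix match on the FIB. Returns (prefix, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_check(src_ip, rx_iface, mode="rx", allow_default=False):
    """Decide whether a packet's source address survives the uRPF check.

    mode="rx"  models strict mode (ip verify unicast source reachable-via rx):
               the FIB path back to the source must use the arrival interface.
    mode="any" models loose mode (ip verify unicast source reachable-via any):
               any route to the source that does not point at null0 suffices.
    allow_default models the allow-default keyword: a hit on 0.0.0.0/0 counts as a route.
    Returns (verdict, reason) with verdict "forward" or "drop".
    """
    hit = fib_lookup(src_ip)
    if hit is None:
        return "drop", "no route to source"
    prefix, iface = hit
    if prefix.prefixlen == 0 and not allow_default:
        return "drop", "source matches only the default route"
    if iface == "null0":
        return "drop", "route to source points at null0"
    if mode == "rx" and iface != rx_iface:
        return "drop", f"source reachable via {iface} but packet arrived on {rx_iface}"
    return "forward", f"source reachable via {iface}"


if __name__ == "__main__":
    cases = [
        ("10.1.7.7", "int 1", "rx", False),    # Sx arriving on its own interface
        ("10.2.7.7", "int 1", "rx", False),    # Sy arriving on the wrong interface
        ("10.2.7.7", "int 1", "any", False),   # the same packet under loose mode
        ("10.3.7.7", "int 2", "any", False),   # Sz: black-holed prefix
        ("203.0.113.9", "int 3", "rx", True),  # default-route source with allow-default
    ]
    for src, rx, mode, ad in cases:
        print(src, rx, mode, "allow-default" if ad else "", urpf_check(src, rx, mode, ad))
```

Loose mode only drops sources with no route or a null0 route, which is why it is safe on asymmetric paths but catches far less; strict mode is the one that actually pins a source to an interface.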


Address Spoofing Prevention in the Enterprise

Topology on the slide: Enterprise 192.168.0.0/16 behind an ISP link, with LANs 192.168.1/24, 192.168.2/24 and 192.168.3/24.

Block entering source = own network:
  access-list 101 deny ip 192.168.0.0 0.0.255.255 any
  access-list 101 permit ip any any
or
  ip verify unicast source reachable-via rx allow-default

Block sources that do not belong to the subnet:
  access-list 102 permit ip 192.168.X.0 0.0.0.255 any
  access-list 102 deny ip any any
or
  ip verify unicast source reachable-via rx

Block leaving source != own network:
  access-list 102 permit ip 192.168.0.0 0.0.255.255 any
  access-list 102 deny ip any any
or
  ip verify unicast source reachable-via rx


Configuring Spoofing Features

Layer 3 Spoofing Prevention:

!-- Unicast RPF must have CEF enabled
ip cef
!
interface <interface>
 ip verify unicast source reachable-via <mode>
!
!-- Anti-Spoofing ACL
ip access-list extended ACL-ANTISPOOF-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
!
interface <interface>
 ip access-group ACL-ANTISPOOF-IN in
!

Layer 2 Spoofing Prevention:

!-- Configuring DHCP Snooping
ip dhcp snooping
ip dhcp snooping vlan <vlan-range>
!
!-- IPSG which requires DHCP snooping
interface <interface-id>
 ip verify source
!
!-- Configuring Port Security
interface <interface>
 switchport
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum <number>
 switchport port-security violation <violation-mode>
!


SYN Cookie Packet Flow

Client (source) IP 192.168.1.1, server (destination) IP 192.168.2.2, with the SYN-cookie device between them.

1. Client -> SYN (SrcIP=192.168.1.1; seq=x)
   Is IP 192.168.1.1 authenticated? NO. Generate a unique cookie for IP 192.168.1.1.

2. Client <- SYN ACK (seq=cookie; ack=x+1)

3. Client -> ACK (seq=x+1; ack=cookie+1)
   If the cookie is valid, authenticate IP 192.168.1.1.

4. Client -> SYN (seq=y)
   Is IP 192.168.1.1 authenticated? YES.

5. Server -> SYN ACK (seq=z; ack=y+1)

6. Client -> ACK (seq=y+1; ack=z+1)
   Connection established.

7. DATA is exchanged in both directions (the client's data segment carries seq=y+1; ack=z+1).
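The exchange above, as an added Python model of the intercepting device (not Cisco's implementation). The cookie is a keyed hash over the 4-tuple and a coarse time counter truncated to 32 bits; the secret, the 64-second counter window and the `SynCookieGate` and `handshake` names are this example's assumptions. The point it shows is that no state is created until a source proves it can receive the SYN ACK.

```python
import hashlib
import hmac
import os
import time

MASK32 = 0xFFFFFFFF


class SynCookieGate:
    """Model of the intercepting device in the slide's SYN-cookie flow.

    Hypothetical helper: it answers every SYN from an unauthenticated source
    with a SYN-ACK whose sequence number is a keyed cookie, keeps no
    per-connection state, and marks the source authenticated only when the
    cookie comes back in the client's ACK.
    """

    WINDOW = 64  # seconds for which one cookie counter value stays valid (assumed)

    def __init__(self, secret=None, clock=time.time):
        self.secret = secret if secret is not None else os.urandom(32)
        self.clock = clock
        self.authenticated = set()  # source IPs that completed the cookie handshake

    def _counter(self):
        return int(self.clock()) // self.WINDOW

    def _cookie(self, src_ip, src_port, dst_ip, dst_port, counter):
        # Keyed hash over the 4-tuple and the time counter, truncated to a 32-bit sequence number.
        msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{counter}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_seq):
        """Handle a client SYN(seq=x). Returns the device's decision as a dict."""
        if src_ip in self.authenticated:
            # "Is IP authenticated? YES": the SYN goes through to the real server.
            return {"action": "pass-to-server"}
        cookie = self._cookie(src_ip, src_port, dst_ip, dst_port, self._counter())
        # "Is IP authenticated? NO": reply SYN-ACK(seq=cookie, ack=x+1) and store nothing.
        return {"action": "syn-ack", "seq": cookie, "ack": (client_seq + 1) & MASK32}

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack_num):
        """Validate the client's ACK(ack=cookie+1); True if the source is now authenticated."""
        now = self._counter()
        for counter in (now, now - 1):  # tolerate a counter rollover mid-handshake
            cookie = self._cookie(src_ip, src_port, dst_ip, dst_port, counter)
            if (cookie + 1) & MASK32 == ack_num:
                self.authenticated.add(src_ip)
                return True
        return False


def handshake(gate, src_ip, src_port, dst_ip, dst_port, client_seq):
    """Drive steps 1-4 of the slide for one well-behaved client; return the device's decisions."""
    syn_ack = gate.on_syn(src_ip, src_port, dst_ip, dst_port, client_seq)
    if syn_ack["action"] != "syn-ack":
        return {"authenticated": True, "second_syn": syn_ack}
    ok = gate.on_ack(src_ip, src_port, dst_ip, dst_port, (syn_ack["seq"] + 1) & MASK32)
    # The client now sends a fresh SYN(seq=y), which the device passes on if it is authenticated.
    return {"authenticated": ok, "second_syn": gate.on_syn(src_ip, src_port, dst_ip, dst_port, client_seq)}


if __name__ == "__main__":
    gate = SynCookieGate()
    print(handshake(gate, "192.168.1.1", 40000, "192.168.2.2", 80, 1234))
    # SYNs whose source never answers the SYN-ACK leave nothing behind:
    for i in range(200):
        gate.on_syn(f"10.0.0.{i % 250}", 1000 + i, "192.168.2.2", 80, i)
    print("authenticated sources:", gate.authenticated)
```

Because `on_syn` stores nothing, a flood of SYNs from unreachable sources costs the device one hash per packet rather than one half-open connection each; only sources that can actually receive traffic ever reach the server.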


TCP-Intercept

Using MPF:

!
!-- Using Modular Policy Framework (MPF)
!-- which is available on ASA and PIX
access-list management permit tcp any 192.168.131.0 255.255.255.0
!
class-map connection-limit
 match access-list management
!
policy-map spoof-protect
 class connection-limit
!
!-- Setting limit to one forces all connections to be validated
!
  set connection embryonic-conn-max 1
!
service-policy spoof-protect interface outside
!

Static NAT:

!
!-- Static NAT, this will map the inside IP address of
!-- 192.168.131.10 to the outside IP address 192.0.2.10
!-- and will create an embryonic connection limit of 1
static (inside,outside) 192.168.222.222 192.168.111.111 tcp 0 1
!
!-- Static Identity NAT, ie: No Address Translation
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 tcp 0 1
!


Spoofing References

Understanding Unicast Reverse Path Forwarding
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

http://www.cymru.com/Documents/tracking-spoofed.html

http://www.cymru.com/Documents/bogon-dd.html


Packet Conformance

Fragmentation overwrite, overlap, short, long (teardrop, jolt, evasion)

Nmap passive OS identification scanning

Source routing to evade access control or cause other vulnerabilities

Abnormal TCP flags, values, overwrite

Time-to-live (TTL) abnormalities

Several Attacks Use Fuzzed or Irregular Packet Fields to Identify Hosts or Exploit Vulnerabilities or Evade Detection


Firewall Packet Conformance

Virtual Fragmentation Reassembly: reassemble, perform consistency checks (overlap, overwrite, long, short), then forward (fragment chain command)

Dropping packets with IP options present

Fuzzy TCP flags

TCP intercept (SYN Cookies)

ttl-evasion-protection in MPF (enabled by default)

TCP-MAP (TCP options, SYN data)

Accelerated Security Path (ASP) checks


Firewall ASP Checks

Firewall# capture drop type asp-drop ?
-------------------- Output Truncated in Several Places --------------------
  fragment-reassembly-failed   Fragment reassembly failed
  invalid-ip-header            Invalid IP header
  invalid-ip-length            Invalid IP length
  invalid-ip-option            IP option drop
  invalid-tcp-hdr-length       Invalid TCP Length
  invalid-udp-length           Invalid UDP Length
  tcp-3whs-failed              TCP failed 3 way handshake
  tcp-ack-syn-diff             TCP ACK in SYNACK invalid
  tcp-bad-option-len           Bad option length in TCP
  tcp-bad-option-list          TCP option list invalid
  tcp-bad-sack-allow           Bad TCP SACK ALLOW option
  tcp-bad-winscale             Bad TCP window scale value
  tcp-data-past-fin            TCP data send after FIN
  tcp-discarded-ooo            TCP ACK in 3 way handshake invalid
  tcp-invalid-ack              TCP invalid ACK
  tcp-mss-exceeded             TCP data exceeded MSS
  tcp-not-syn                  First TCP packet not SYN
  tcp-reserved-set             TCP reserved flags set
  tcp-rst-syn-in-win           TCP RST/SYN in window
  tcp-rstfin-ooo               TCP RST/FIN out of order
  tcp-seq-past-win             TCP packet SEQ past window
  tcp-seq-syn-diff             TCP SEQ in SYN/SYNACK invalid
  tcp-syn-data                 TCP SYN with data
  tcp-syn-ooo                  TCP SYN on established conn
  tcp-synack-data              TCP SYNACK with data
  tcp-synack-ooo               TCP SYNACK on established conn
  tcp-winscale-no-syn          TCP Window scale on non-SYN
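A packet-conformance checker, added here as an example (not Cisco's code), that applies the four checks from the IOS tACL slide (lsr option, fragments, SYN+FIN, TTL below 5) and a handful of the ASP drop reasons listed above. The `Packet` summary type and the exact reading of each drop reason are this example's assumptions; the ASA's own normaliser has far more state than this.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet summary holding only the fields the checks read."""
    proto: str = "tcp"              # "tcp", "udp", ...
    ttl: int = 64
    ip_options: tuple = ()          # e.g. ("lsr",) for loose source route
    is_fragment: bool = False       # packet is a fragment (MF set or non-zero offset)
    flags: frozenset = frozenset()  # TCP flags present: "syn", "ack", "fin", "rst", "psh", "urg"
    reserved_bits: int = 0          # value of the reserved bits in the TCP header
    tcp_options: tuple = ()         # e.g. ("wscale",)
    payload_len: int = 0
    conn_established: bool = False  # True when the 5-tuple already has a connection entry


def conformance_checks(p):
    """Return the list of drop reasons that apply to the packet (empty means forward).

    The first group mirrors the tACL entries on the IOS slide; the second group
    uses names from the ASP drop list, with this example's reading of each one.
    """
    reasons = []
    # --- IOS tACL entries ---
    if "lsr" in p.ip_options:
        reasons.append("invalid-ip-option")   # deny ip any any option lsr
    if p.is_fragment:
        reasons.append("fragment")            # deny ip any any fragments
    if p.ttl < 5:
        reasons.append("ttl-lt-5")            # deny ip any any ttl lt 5
    if p.proto != "tcp" or p.is_fragment:
        return reasons                        # no TCP header to inspect
    if {"syn", "fin"} <= p.flags:
        reasons.append("syn-fin")             # deny tcp any any match-all +syn +fin
    # --- ASP-style TCP normalisation checks ---
    if p.reserved_bits:
        reasons.append("tcp-reserved-set")
    if "syn" in p.flags and p.payload_len:
        reasons.append("tcp-synack-data" if "ack" in p.flags else "tcp-syn-data")
    if "syn" in p.flags and p.conn_established:
        reasons.append("tcp-synack-ooo" if "ack" in p.flags else "tcp-syn-ooo")
    if "syn" not in p.flags and not p.conn_established:
        reasons.append("tcp-not-syn")         # first packet of a flow must be a SYN
    if "wscale" in p.tcp_options and "syn" not in p.flags:
        reasons.append("tcp-winscale-no-syn")
    return reasons


def verdict(p):
    reasons = conformance_checks(p)
    return "forward" if not reasons else "drop: " + ", ".join(reasons)


if __name__ == "__main__":
    samples = {
        "normal SYN": Packet(flags=frozenset({"syn"})),
        "SYN+FIN probe": Packet(flags=frozenset({"syn", "fin"})),
        "low TTL with LSR option": Packet(ttl=3, ip_options=("lsr",), flags=frozenset({"syn"})),
        "stray ACK, no connection": Packet(flags=frozenset({"ack"}), payload_len=10),
    }
    for name, pkt in samples.items():
        print(f"{name}: {verdict(pkt)}")
```

The reason list, rather than a bare drop/forward verdict, is what you want when turning these checks into log output: it is the same information the `asp-drop` capture type keys on.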


Cisco IOS Packet Conformance

ip options drop command

no ip source-route

Some of the checks can be accomplished through ACLs (such as IP options, TCP flags)

Router(config)# ip options drop

% Warning: RSVP and other protocols that use IP Options packets may not function as expected.

Router(config)# no ip source-route
Router(config)#


Cisco IOS Packet Conformance (cont…)

Virtual Fragmentation Reassembly (VFR), 12.3(8)T
  Asymmetric traffic causes problems
  ip virtual-reassembly

Troubleshoot and verify VFR operations
  debug ip virtual-reassembly
  show ip virtual-reassembly

Syslog: VFR-3-TINY_FRAGMENTS, VFR-3-OVERLAP_FRAGMENT, VFR-4_FRAG_TABLE_OVERFLOW, VFR-4_TOO_MANY_FRAGMENTS

!
interface GigabitEthernet0/0
 ip address <address>
 ip virtual-reassembly [drop-fragments] [max-fragments number] [max-reassemblies number] [timeout seconds]
!


Application Layer Protocol Inspection

Feature on ASA, PIX, and FWSM security devices

Stateful deep packet inspection

Good for protocols that open secondary ports and use embedded IP addresses

Potential DoS vector due to performance implications

User defined policies

Response actions for undesirable traffic

Default inspection policy shown:

class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global


Application Layer Protocol Inspection

Configuration requires: Class-map: Identifies the traffic that needs a specific type of control; class-maps have specific names which bind them to a policy-map

Policy-map: Describes the actions to be taken on the traffic described in the class-map; policy-maps have specific names which bind them to the service-policy

Service-policy: Describes where the traffic should be intercepted for control; only one service-policy can exist per interface; an additional service-policy called “global-service-policy,” is defined for traffic and general policy application; this policy applies to traffic on all interfaces

*Detailed information about Firewall Design and Deployment is available in BRKSEC-2020


Application Layer Protocol Inspection

Regex, introduced in 7.2, provides the ability to filter specific traffic (not available on FWSM)

Firewall# show run all | include regex
regex _default_gator "Gator"
regex _default_firethru-tunnel_2 "[/\\]cgi[-]bin[/\\]proxy"
regex _default_shoutcast-tunneling-protocol "1"
regex _default_http-tunnel "[/\\]HT_PortLog.aspx"
regex _default_x-kazaa-network "[xX]-[kK][aA][zZ][aA][aA]-[nN][eE][tT][wW][oO][rR][kK]"
regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\\][Xx][-][Mm][Ss][Nn][-][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"
regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"
regex _default_gnu-http-tunnel_uri "[/\\]index[.]html"
regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"
regex _default_gnu-http-tunnel_arg "crap"
regex _default_icy-metadata "[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"
regex _default_GoToMyPC-tunnel "machinekey"
regex _default_windows-media-player-tunnel "NSPlayer"
regex _default_yahoo-messenger "YMSG"
regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"
regex _default_firethru-tunnel_1 "firethru[.]com"


DNS Protocol Inspection Example

Steps on the slide: create the regex match, create the regex class map, build the inspection class map, then perform the policy map action.

!
Firewall(config)# regex domain1 "yahoo\.com"
Firewall(config)# regex domain2 "cnn\.com"
!
Firewall(config)# class-map type regex match-any dns_filter_class
Firewall(config-cmap)# match regex domain1
Firewall(config-cmap)# match regex domain2
!
Firewall(config)# class-map type inspect dns dns_inspect_class
Firewall(config-cmap)# match not header-flag QR
Firewall(config-cmap)# match question
Firewall(config-cmap)# match domain-name regex class dns_filter_class
!
Firewall(config-cmap)# policy-map type inspect dns dns_inspect_policy
Firewall(config-pmap)# class dns_inspect_class
Firewall(config-pmap-c)# drop log
!
Firewall(config-pmap-c)# class-map inspection_default
Firewall(config-cmap)# match default-inspection-traffic
!
Firewall(config-cmap)# policy-map egress_policy
Firewall(config-pmap)# class inspection_default
Firewall(config-pmap-c)# inspect dns dns_inspect_policy
!
Firewall(config-pmap-c)# service-policy egress_policy interface inside
!
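The `dns_inspect_class` logic above, as an added Python example (not Cisco's inspection engine): a minimal DNS question parser plus the three match conditions (not a response, has a question, domain name matches any regex in the class) and the `drop log` action. The message builder is a constructed test input. It also shows a caveat worth knowing: ASA regexes are unanchored, so `yahoo\.com` matches anywhere in the name, including as a label prefix of an unrelated domain.

```python
import re
import struct

# The regex class from the slide (class-map type regex match-any dns_filter_class).
# ASA regexes are unanchored, so re.search() reproduces their substring semantics.
DNS_FILTER_CLASS = [re.compile(r"yahoo\.com"), re.compile(r"cnn\.com")]


def build_dns_message(name, flags=0x0100, qtype=1, txid=0x1234):
    """Construct a DNS message with one question (flags 0x0100 = plain query, 0x8180 = response)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (is_response, qname) from a DNS message; qname is None if there is no question."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    is_response = bool(flags & 0x8000)  # the QR header flag
    if qdcount == 0:
        return is_response, None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return is_response, ".".join(labels)


def inspect_dns(msg):
    """Apply the slide's dns_inspect_class and its 'drop log' action.

    All three match lines must hold: match not header-flag QR, match question,
    match domain-name regex class dns_filter_class. Anything else is forwarded.
    """
    try:
        is_response, qname = parse_question(msg)
    except ValueError:
        return "malformed"  # left to the DNS protocol-conformance checks, outside this class map
    if is_response or qname is None:
        return "forward"
    if any(rx.search(qname) for rx in DNS_FILTER_CLASS):
        return "drop log"
    return "forward"


if __name__ == "__main__":
    for name in ("www.yahoo.com", "www.google.com", "yahoo.com.example.net"):
        print(name, "->", inspect_dns(build_dns_message(name)))
    print("response for www.yahoo.com ->", inspect_dns(build_dns_message("www.yahoo.com", flags=0x8180)))
```

If the intent is to match only the Yahoo and CNN zones, the regex needs an end anchor (for example `yahoo\.com$`); the slide's form also catches `yahoo.com.example.net`.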


DNS AppFW Protocol Inspection Example

Disable and then enable the service policy which inspects DNS queries:

Firewall(config)# no service-policy egress_policy interface inside
Firewall(config)# service-policy egress_policy interface inside

DNS resolver on endpoints, successful DNS resolution:

[user@linux ~]# dig www.google.com

; <<>> DiG 9.5.0b3 <<>> www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13951
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 7, ADDITIONAL: 7

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         118837  IN      CNAME   www.l.google.com.
www.l.google.com.       37      IN      A       209.85.165.147
www.l.google.com.       37      IN      A       209.85.165.99
www.l.google.com.       37      IN      A       209.85.165.103
www.l.google.com.       37      IN      A       209.85.165.104

Failed DNS resolution:

[user@linux ~]$
[user@linux ~]$ dig www.google.com

; <<>> DiG 9.5.0b3 <<>> www.google.com
;; global options:  printcmd
;; connection timed out; no servers could be reached
[user@linux ~]$

DNS resolution fails after the service policy is enabled


Firewall Protocol Inspection References

ASA 8.0 MPF Guide
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html

Applying Application Layer Protocol Inspection
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html


IOS Flexible Packet Matching

Performs stateless deep packet inspection providing more granular control than ACLs

Ability to deploy protection and prevention mechanisms closer to victim and miscreant

Protocol + Port + [String|Regex] -> Action

Some PHDFs already exist to detect certain vulnerabilities or protocols (bittorrent and skype)

Frame layout on the slide: L2 Header | L3 Header | L4 Header | Payload (first, second and subsequent payload bytes are all reachable for matching)


Access Lists on Steroids

Flexible Packet Matching (FPM) performs deep packet inspection for containment and policy enforcement

Match protocol header fields and/or payload context

Layer 2 to 7 – bit/byte matching capability at any offset within the packet

User-defined filtering policies (traffic classifiers); allows a choice of response actions

Adaptable to dynamically changing attack profiles; rapid deployment of filtering policies (can leverage EEM for near real-time response to threats)

Ability to deploy protection and prevention mechanisms closer to victim and miscreant

Frame layout on the slide: L2 Header | L3 Header | L4 Header | Payload


FPM Capability Phasing

Columns: ACL | FPM Phase 1, 12.4(4)T | FPM Phase 1+, 12.4(6)T1 | FPM 12.4(15)T | FPM Phase 3

Functionality:
  Regex Match: No | Yes | Yes | Yes | Yes
  Nested class-maps: No | No | No | Yes | Yes
  Nested Policies: No | Yes | Yes | Yes | Yes
  Match on Payload TLV Fields: No | No | No | No | Yes
  Dynamic Offset (Variable Header Length Support): No | No | No | Yes | Yes
  Relative Offset (Fixed Header Length Support): No | Yes | Yes | Yes | Yes
  Raw Offset: No | Yes | Yes | Yes | Yes
  Depth of Inspection: 44 Bytes | 256 Bytes | 256 Bytes | Full Pkt | Stream
  No. of Match Criteria/ACE: 4 | 8 | 8 | Unlimited | Unlimited
  No. of ACEs per Interface: Unlimited | 32 classes | 32 classes | Unlimited | Unlimited
  Protocol Support: IPv4, TCP, UDP, ICMP | IPv4, TCP, UDP, ICMP, Ethernet | Phase 1 | Phase 1+ + GRE, IPSec | Phase 2 + DNS, SNMP, HTTP, IPv6
  Match String Pattern Window: No | 32 Bytes | 32 Bytes | 256 Bytes | Full Pkt
  String Match: No | No | Yes | Yes | Yes


FPM Policy for Slammer Packets

Steps on the slide: load PHDFs for IP and UDP; match UDP over IP packets; match Slammer packets (UDP port 1434, packet length 404 bytes, and regex); policy for UDP-based attacks; drop worms and malicious attacks; apply and enable the FPM policy.

load protocol disk0:ip.phdf
load protocol disk0:udp.phdf
!
class-map type stack match-all ip_udp_class
 description "match UDP over IP packets"
 match field ip protocol eq 17 next udp
!
class-map type access-control match-all slammer_class
 description "match on slammer packets"
 match field udp dest-port eq 1434
 match field ip length eq 404
 match start udp payload-start offset 0 size 4 eq 0x04010101
 match start udp payload-start offset 4 size 4 eq 0x01010101
 match start udp payload-start offset 8 size 4 eq 0x01010101
 match start udp payload-start offset 12 size 4 eq 0x01010101
 match start udp payload-start offset 16 size 1 eq 0x01
!
policy-map type access-control fpm_udp_policy
 description "policy for UDP based attacks"
 class slammer_class
  drop
  log
!
policy-map type access-control fpm_policy
 description "drop worms and malicious attacks"
 class ip_udp_class
  service-policy fpm_udp_policy
!
interface GigabitEthernet 0/1
 service-policy type access-control input fpm_policy
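The same two-level match (stack class for UDP over IP, then the match-all access-control class) as an added Python example, not Cisco's FPM engine. The datagram builder and the sample packet are constructed test inputs: the sample carries only the 17 signature bytes from the slide followed by zero filler to reach an IP length of 404, so it exercises every match line without being a worm payload.

```python
import struct

# The byte pattern the slide's slammer_class matches at udp payload-start
# (offsets 0..16: 0x04010101, then 0x01010101 three times, then 0x01).
SLAMMER_PATTERN = bytes.fromhex("04010101" + "01010101" * 3 + "01")


def build_ipv4_udp(src, dst, sport, dport, payload, ttl=64):
    """Construct a minimal IPv4+UDP datagram (checksums left zero) for testing."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, 17, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


def ip_udp_class(pkt):
    """Stack class-map ('match field ip protocol eq 17 next udp'): parsed fields, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17 or len(pkt) < ihl + 8:
        return None
    _sport, dport, _ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return {"ip_length": total_len, "udp_dest_port": dport, "udp_payload": pkt[ihl + 8:]}


def slammer_class(fields):
    """Access-control class-map (match-all): every match line must be true."""
    payload = fields["udp_payload"]
    return (fields["udp_dest_port"] == 1434
            and fields["ip_length"] == 404
            and payload[:len(SLAMMER_PATTERN)] == SLAMMER_PATTERN)


def fpm_policy(pkt):
    """fpm_policy -> fpm_udp_policy -> slammer_class; returns 'drop log' or 'forward'."""
    fields = ip_udp_class(pkt)
    if fields is None:
        return "forward"  # not UDP over IP, so the nested policy is never entered
    return "drop log" if slammer_class(fields) else "forward"


def sample_matching_packet():
    """Constructed datagram satisfying every match line: signature bytes plus zero filler."""
    payload = SLAMMER_PATTERN + b"\x00" * (404 - 28 - len(SLAMMER_PATTERN))
    return build_ipv4_udp("192.0.2.10", "192.0.2.20", 4000, 1434, payload)


if __name__ == "__main__":
    print("signature packet:", fpm_policy(sample_matching_packet()))
    benign = build_ipv4_udp("192.0.2.10", "192.0.2.20", 4000, 1434, b"\x04" + b"\x00" * 375)
    print("other 1434 packet:", fpm_policy(benign))
```

The length check is what keeps this a tight signature: the same 17 bytes in a 405-byte datagram do not match, which is also why a signature like this needs revisiting if the traffic it targets is ever padded or fragmented.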


FPM Performance vs. Equivalent ACLs

Compare FPM to ACL: processor utilization percent
  Ten FPM classes or equivalent ACL, matching on src/dst IP addr, src/dst TCP port, and TCP protocol
  Ten TCP traffic streams, 50% of generated traffic matching
  7206VXR NPE-400, 128MB, 12.4(4)T

Filter Type       1,000 pps   2,000 pps   3,000 pps   4,000 pps   5,000 pps
No Filter            13%         14%         15%         16%         17%
ACL 1st Match        30%         36%         37%         37%         37%
FPM 1st Match        38%         42%         43%         43%         43%
ACL 5th Match        32%         39%         40%         41%         41%
FPM 5th Match        42%         50%         59%         59%         59%
ACL 10th Match       32%         39%         39%         39%         39%
FPM 10th Match       42%         50%         50%         50%         50%


FPM References

Cisco IOS Flexible Packet Matching (FPM)
http://www.cisco.com/go/fpm
http://www.cisco.com/cgi-bin/tablebuild.pl/fpm

Flexible Packet Matching Deployment Guide
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd803936f6_ns696_Networking_Solutions_White_Paper.html

Flexible Packet Matching Feature Guide
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html

Flexible Packet Matching XML Configuration
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_tcdf.html

Getting Started with Cisco IOS Flexible Packet Matching
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_white_paper0900aecd80633b0a.html


Monitoring and Identification


Monitoring

Syslog

NetFlow

Embedded Event Manager

CS-MARS


Syslog

Router:

Router# show logging | include 185
Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:14.445 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55619) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:16.389 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55620) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet
Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55621) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:27.373 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55622) -> 192.168.150.77(139), 1 packet
Aug 29 2007 15:58:29.661 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 192.168.208.63(55623) -> 192.168.150.77(139), 1 packet

Firewall:

Firewall# show logging | grep 5063b82f
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/389 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/443 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/256 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Aug 29 2007 11:14:55: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 dst inside:192.168.150.77/399 by access-group "OUTSIDE" [0x5063b82f, 0x0]


ACL Logging

ACL keyword log for Cisco IOS and Cisco ASA, FWSM and PIX

ACL keyword log-input for Cisco IOS

ip access-list log-update threshold threshold-in-msgs

logging rate-limit message-rate for Cisco IOS

Understanding Access Control List Logging: http://www.cisco.com/web/about/security/intelligence/acl-logging.html

Identifying Incidents Using Firewall and Cisco IOS Router Syslog Events: http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html


NetFlow: Scalability

Packet capture is like a wiretap

NetFlow is like a phone bill

This level of granularity allows NetFlow to scale for very large amounts of traffic

We can learn a lot from studying the phone bill!

Who’s talking to whom, over what protocols and ports, for how long, at what speed, for what duration, etc.

NetFlow is a form of telemetry pushed from the routers/switches – each one can be a sensor


What Constitutes a Flow?

1. Inspect a packet’s seven key fields and identify the values

2. If the set of key field values is unique, create a new flow record or cache entry

3. When the flow terminates, export the flow to the collection/analysis system

(Figure: packets are inspected for the NetFlow key fields, matched against the flow cache, and exported by NetFlow Export to the reporting system)


NetFlow Records and Key Fields

NetFlow maintains per-’conversation’ flow data in Flow Records in a cache on a NetFlow-enabled device, and optionally exports that flow data to a collection/ analysis system

It is a form of network telemetry which describes traffic conversations headed to/passing through a router

Key Fields

Key field values define a Flow Record

An attribute in the packet used to create a Flow Record

If the set of key field values is unique, a new flow is created
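As an added illustration (not code from the deck or from Cisco), the Python below models the flow cache these slides describe: packets are keyed on the seven NetFlow key fields, a cache entry is created when the key set is new, and the record is exported on TCP FIN/RST or when the idle/active timeouts expire. The packets, interface names and timeouts are constructed assumptions.

```python
"""NetFlow-style flow cache driven by the seven key fields.

Added example, not Cisco code: it models the three steps on the slides
(inspect the key fields, create a cache entry when that key set is new,
export the record when the flow terminates) over constructed packets and
builds a per-protocol summary like the one `show ip cache flow` prints.
"""
from dataclasses import dataclass

# The seven classic NetFlow key fields; any difference in them is a new flow.
KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "tos", "in_if")
INACTIVE_TIMEOUT = 15.0    # seconds idle before export (assumed, matches the IOS default)
ACTIVE_TIMEOUT = 1800.0    # seconds a long-lived flow may stay before export (assumed)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class FlowRecord:
    key: tuple
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    def __init__(self):
        self.cache = {}      # key -> FlowRecord still being accumulated
        self.exported = []   # records handed to the collector, in export order

    def observe(self, pkt, now):
        """Steps 1 and 2: extract the key fields, then create or update the entry."""
        key = tuple(pkt[f] for f in KEY_FIELDS)
        rec = self.cache.get(key)
        if rec is None:
            rec = FlowRecord(key, now, now)
            self.cache[key] = rec
        rec.packets += 1
        rec.octets += pkt["length"]
        rec.last_seen = now
        # A TCP FIN or RST ends the conversation, so the record is exported at once.
        if pkt["proto"] == 6 and pkt.get("flags", 0) & 0x05:
            self._export(key)

    def expire(self, now):
        """Step 3 for everything else: export idle flows and slice long-lived ones."""
        for key, rec in list(self.cache.items()):
            if now - rec.last_seen >= INACTIVE_TIMEOUT or now - rec.first_seen >= ACTIVE_TIMEOUT:
                self._export(key)

    def _export(self, key):
        self.exported.append(self.cache.pop(key))

    def summary(self):
        """Per-protocol flows, packets per flow and bytes per packet, as in the CLI table."""
        out = {}
        for rec in self.exported:
            s = out.setdefault(PROTO_NAMES.get(rec.key[4], "IP-other"),
                               {"flows": 0, "packets": 0, "octets": 0})
            s["flows"] += 1
            s["packets"] += rec.packets
            s["octets"] += rec.octets
        for s in out.values():
            s["pkts_per_flow"] = round(s["packets"] / s["flows"], 1)
            s["bytes_per_pkt"] = round(s["octets"] / s["packets"])
        return out


def build_sample_traffic():
    """Constructed packet headers (not a capture); t is seconds since start."""
    http = dict(src_ip="192.168.150.60", dst_ip="172.18.109.132", src_port=40001,
                dst_port=80, proto=6, tos=0, in_if="Gi0/1")
    pkts = [dict(http, length=n, t=t) for n, t in ((60, 0.0), (520, 0.1), (60, 0.2))]
    pkts.append(dict(http, length=40, t=0.3, flags=0x11))   # FIN/ACK closes the session
    # The server's reply enters on the other interface: a separate flow, because
    # the key fields are directional.
    pkts.append(dict(src_ip="172.18.109.132", dst_ip="192.168.150.60", src_port=80,
                     dst_port=40001, proto=6, tos=0, in_if="Gi0/0", length=1400, t=0.15))
    # One DNS query: a single-packet UDP flow.
    pkts.append(dict(src_ip="192.168.150.60", dst_ip="192.168.132.44", src_port=53001,
                     dst_port=53, proto=17, tos=0, in_if="Gi0/1", length=58, t=1.0))
    # One SYN to each of five high ports: five one-packet flows, the footprint a
    # sweep leaves in the cache (compare the 1-2 packets/flow rows on the slide).
    for i, port in enumerate(range(1025, 1030)):
        pkts.append(dict(src_ip="192.168.208.63", dst_ip="192.168.150.77", src_port=35565 + i,
                         dst_port=port, proto=6, tos=0, in_if="Gi0/0", length=44,
                         t=2.0 + i * 0.01, flags=0x02))
    return sorted(pkts, key=lambda p: p["t"])


def run_demo():
    """Feed the sample traffic through the cache and age everything out 30 s later."""
    fc = FlowCache()
    for pkt in build_sample_traffic():
        fc.observe(pkt, pkt["t"])
    fc.expire(now=30.0)
    return fc


if __name__ == "__main__":
    for name, s in run_demo().summary().items():
        print(f"{name:<9}{s['flows']:>6}{s['pkts_per_flow']:>8}{s['bytes_per_pkt']:>7}")
```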


NetFlow CLI Output

Router#show ip cache flow
IP packet size distribution (126502449 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .009 .622 .036 .007 .008 .008 .004 .012 .000 .000 .004 .001 .002 .002 .007

------------------------- Output Truncated -----------------------
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet    11403610      2.6         1    49      3.0       0.0       1.5
TCP-FTP           6769      0.0         8    53      0.0       6.0       7.7
TCP-FTPD           665      0.0      3334   889      0.5      54.0       0.4
TCP-WWW         163728      0.0        13   750      0.5       4.2       9.2
TCP-SMTP             8      0.0         1    46      0.0       0.0      10.2
TCP-X              727      0.0         1    40      0.0       0.0       1.4
TCP-BGP              9      0.0         1    45      0.0       0.0      10.5
TCP-NNTP             8      0.0         1    46      0.0       0.0      10.0
TCP-Frag         70399      0.0         1   688      0.0       0.0      22.7
TCP-other     49098543     11.4         2   263     23.7       0.0       1.4
UDP-DNS         874082      0.2         1    58      0.2       0.0      15.4
UDP-NTP        1127350      0.2         1    76      0.2       0.6      15.5
UDP-TFTP             6      0.0         3    63      0.0      11.0      19.5
UDP-other       996247      0.2         1   164      0.4       0.3      16.7
ICMP            262111      0.0         8    47      0.5      13.4      21.2
IPv6INIP            15      0.0         1  1132      0.0       0.0      15.4
GRE                694      0.0         1    50      0.0       0.0      15.4
IP-other             2      0.0         2    20      0.0       0.1      15.7
Total:        64004973     14.9         1   251     29.4       0.1       2.2

SrcIf   SrcIPaddress    DstIf   DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0   172.18.109.132  Gi0/1*  192.168.150.60  06 1A29 835D     2
Gi0/0   172.18.109.132  Gi0/1   192.168.150.60  06 1A29 835D     2
Gi0/1   192.168.132.44  Gi0/0*  10.89.245.149   11 007B 007B     1

Rows highlighted on the slide: TCP-Frag and IPv6INIP


NetFlow Deployment Considerations

NetFlow should typically be enabled on all router interfaces where possible; it is useful for on-box troubleshooting via the CLI as well as for export to analysis systems

Ingress and egress NetFlow are now supported. Analysis systems typically must be configured to understand which is in use, for purposes of directionality

1:1 NetFlow is useful for troubleshooting, forensics, traffic analysis, and behavioral/relational anomaly-detection

Sampled NetFlow is useful for traffic analysis and behavioral/ relational anomaly-detection. Sampling is typically used in high-volume traffic situations where 1:1 NetFlow Data Export (NDE) is impractical


Embedded Event Manager (EEM)

Allows instrumentation of the Cisco IOS device and reactive capabilities that can be useful in improving security

Available since Cisco IOS Software versions 12.0(26)S and 12.3(4)T

Cisco IOS Documentation: Embedded Event Manager 2.2

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/ht_eem.html

White Paper: Embedded Event Manager in a Security Context

http://www.cisco.com/web/about/security/intelligence/embedded-event-mgr.html

EEM Scripting Community: http://www.cisco.com/go/ciscobeyond

*Detailed information in BRKSEC-3007 Solving Security Challenges with Embedded Event Manager


EEM Example

Interface Input Queue Monitor: http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=981

Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the IPv4 User Datagram Protocol Delivery Issue for IPv4/IPv6 Dual-Stack Routers

http://www.cisco.com/warp/public/707/cisco-amb-20080326-IPv4IPv6.shtml

Example Syslog Message: %HA_EM-7-LOG: system:/lib/tcl/eem_scripts_registered/interface-input-q.tcl: Interface GigabitEthernet0/0 input queue full. Input queue: 4001/4000 (size/max)


CS-MARS Contextual Analysis Overview

Events: Raw messages sent to CS-MARS by reporting devices; examples include syslog, SNMP, NetFlow, and IPS signatures

Sessions: Correlated events

Incidents: Sessions matched against rules that are indicative of malicious behavior

Rules are used to perform logic on events which create sessions and possibly incidents


CS-MARS Rules

Over a specified time range events are correlated to become incidents


CS-MARS Rules in Action

Events from same source and destination IP addresses correlated within a timeframe to become an incident


Intrusion Detection and Prevention Capabilities


Intrusion Detection and Prevention

Cisco Security Agent

Cisco IPS

CSA/IPS Collaboration


Preventing Endpoint Attacks Using CSA

All attacks perform certain behaviors to succeed; CSA allows you to defeat these actions using interceptors

0day and targeted attacks may bypass or defeat other protection mechanisms that are deployed

0day protection = the ability to stop malicious code without reconfiguration or update

Protects endpoints from being compromised when other protections have failed

There is a limited number of "vectors" into a system; one or more of these behaviours must be used by all attacks

Stop the attack at one of these vectors and you prevent the whole attack (several opportunities exist, not just one)

Monitoring and controlling these behaviors prevents malicious activity


Preventing Execution

Cisco Security Agent (CSA) provides multiple interceptors for the detection and prevention of threats

Network

File System

Configuration

Execution Space

CSA is best utilized for preventing attacks targeting endpoint compromise

Do not forget about protection methods using your network


Policy Rules Drive Interceptors

Traffic Marking

File Integrity Assurance

Wireless Policy Controls

Host Intrusion Detection

IPS and NAC Integration

Network Worm Prevention

Spyware and Malware Prevention

Distributed Firewall

(Figure: the interceptors shown are Execution Space, Configuration, File System, Network and Security Application)


Intrusion Protection for the Network

Detect malicious payloads, perform behavioral analysis, anomaly detection, policy adjustments, and rapid threat response

Inline Protection or Promiscuous mode

Automatic Threat Prevention with IPS 6.x denies packets whose Risk Rating Value range is 90 – 100

Multivector protections at all points in the network, desktop, and server endpoints

Integration with Cisco CSA and Cisco Wireless Controller


Threat Rating

Risk Rating Thresholds Drive Mitigation

Risk Rating = Event Severity + Signature Fidelity + Attack Relevancy + Asset Value of Target

Event Severity: How urgent is the threat?

Signature Fidelity: How prone to false positive?

Attack Relevancy: Is the attack relevant to the host being attacked?

Asset Value of Target: How critical is this destination host?

Result: a calibrated Risk Rating enables scalable management of sophisticated threat prevention technologies and drives mitigation policy


Threat Rating

Threat Rating: dynamic adjustment of the event Risk Rating based on the success of the response action. If a Response Action was applied, then the Risk Rating is deprecated (TR < RR). If a Response Action was not applied, then the Risk Rating remains unchanged (TR = RR)

Attack 1: No Action Configured. Risk Rating = 85, Threat Rating = 85

Attack 2: Action Configured, Attack Mitigated. Risk Rating = 85, Threat Rating = 55

Benefit: prioritizes alerts for Operator attention; the Operator can focus incident response activities on those threats that have not been mitigated

Post-Policy Evaluation of Incident Urgency


Event Action Overrides

ips6x# configure terminal
ips6x(config)# service event-action-rules rules0
ips6x(config-eve)# show settings
-----------------------------------------------
overrides (min: 0, max: 15, current: 3)
-----------------------------------------------
<protected entry>
action-to-add: deny-packet-inline <defaulted>
-----------------------------------------------
override-item-status: Enabled <defaulted>
risk-rating-range: 90-100 <defaulted>
-----------------------------------------------
action-to-add: produce-alert
-----------------------------------------------
override-item-status: Enabled <defaulted>
risk-rating-range: 0-35 default: 0-100
-----------------------------------------------
action-to-add: produce-verbose-alert
-----------------------------------------------
override-item-status: Enabled <defaulted>
risk-rating-range: 35-90 default: 0-100
-----------------------------------------------

Slide callouts: these are global overrides for all IPS events. The deny-packet-inline entry for risk rating 90-100 is Automatic Threat Prevention (IPS 6.x); produce-alert writes the evIdsAlert to the EventStore; produce-verbose-alert writes the evIdsAlert to the EventStore with the triggerPacket.


Reactions in Depth

Denied traffic: performed by the device inspecting flows; quick and effective for all protocols

Shunned traffic: performed by an auxiliary device; mitigates closer to the miscreant; the potential DoS vector is preventable utilizing never-block or event action filters; some time latency

TCP RST: performed for connection-based traffic streams; limited protocol coverage, and adds RST packets to the network


IPS/CSA Collaboration Benefits

The IPS can automatically get endpoint posture information to use in calculating the threat rating making detection more accurate

Undisclosed or encrypted exploits not identified by the IPS likely are detected by CSA

CSA-MC can correlate data and create automated watch lists which can be forwarded to the IPS and automatically adjust the threat rating for events seen by addresses that are part of the watch list


Automation: CSA/IPS Collaboration (screenshots: CSA MC Configuration, IPS Configuration)


Enhanced contextual analysis of endpoint

Ability to use CSA inputs to influence IPS actions

Correlation of information contained in CSA watch list

Host quarantining

(Figure, Network IPS and Cisco Security Agent Collaboration: the Management Console pushes the CSA Watch List entry 192.168.1.111 to the network IPS, which elevates the Risk Rating and denies 192.168.1.111; Service Provider cloud on the far side)


Automation: CSA/IPS Collaboration

evIdsAlert: eventId=1166774738236276775 vendor=Cisco severity=low
originator: hostId: ips6x appName: sensorApp appInstanceId: 388
time: May 17, 2007 8:33:28 PM UTC offset=-300 timeZone=CDT
signature: description=TCP SYN Port Sweep id=3002 version=S2
subsigId: 0 marsCategory: Probe/PortSweep/Non-stealth
interfaceGroup: vs0 vlan: 0
participants:
attacker: addr: 192.168.1.111 locality=OUT port: 55852
target: addr: 192.168.2.222 locality=OUT port: 663 port: 33 port: 231 port: 564 port: 838 os: idSource=imported type=windows relevance=relevant
triggerPacket: <truncated>
riskRatingValue: 77 targetValueRating=medium attackRelevanceRating=relevant watchlist=25
threatRatingValue: 77 interface: ge0_0 protocol: tcp

Threat Rating Increased Due to Watch List
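As an added example (not Cisco code), the script below pulls the fields discussed on the override, threat rating and watch list slides out of evIdsAlert records as `show events alert` prints them, applies the global overrides from the slide to each risk rating, and ranks alerts so that unmitigated events (TR == RR) are handled first. The three records are constructed in the slide's layout, and treating the overlapping range boundaries at 35 and 90 as inclusive is an assumption.

```python
"""Triage of Cisco IPS 6.x alerts by risk rating and threat rating.

Added example, not Cisco code: it extracts the fields used on the slides from
evIdsAlert records, applies the global event-action overrides shown on the
slide, and orders alerts so unmitigated high-risk events come first.
"""
import re

# Global overrides from the slide: (action-to-add, low, high). Both ends are
# treated as inclusive (assumption), so RR 35 and RR 90 match two entries.
OVERRIDES = [
    ("deny-packet-inline", 90, 100),
    ("produce-alert", 0, 35),
    ("produce-verbose-alert", 35, 90),
]

# Field extractors; attacker/target addresses appear both as "addr: IP locality=X"
# and "addr: locality=X IP" on the slides, so both orders are accepted.
FIELDS = {
    "sig_id": re.compile(r"signature: .*?\bid=(\d+)"),
    "description": re.compile(r"description=(.+?) id=\d+"),
    "attacker": re.compile(r"attacker:.*?addr:(?: locality=\w+)? ([\d.]+)", re.S),
    "target": re.compile(r"target:.*?addr:(?: locality=\w+)? ([\d.]+)", re.S),
    "rr": re.compile(r"riskRatingValue: (\d+)"),
    "tr": re.compile(r"threatRatingValue: (\d+)"),
    "denied": re.compile(r"deniedPacket: (true|false)"),
    "watchlist": re.compile(r"watchlist=(\d+)"),
}


def actions_for(risk_rating, overrides=OVERRIDES):
    """Actions the global overrides add for this risk rating. The signature's own
    configured actions apply in addition and are not modelled here."""
    return {action for action, lo, hi in overrides if lo <= risk_rating <= hi}


def parse_alert(text):
    """Extract the triage fields from one evIdsAlert record."""
    got = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        got[name] = m.group(1) if m else None
    rr, tr = int(got["rr"]), int(got["tr"])
    return {
        "sig_id": got["sig_id"],
        "description": got["description"],
        "attacker": got["attacker"],
        "target": got["target"],
        "rr": rr,
        "tr": tr,
        "denied": got["denied"] == "true",
        "watchlist": int(got["watchlist"] or 0),
        "override_actions": actions_for(rr),
        # Slide rule: an applied response action deprecates the rating (TR < RR);
        # TR == RR means nothing mitigated the event and an operator must look at it.
        "mitigated": tr < rr,
    }


def triage(show_events_output):
    """Split `show events alert` text into records and rank by threat, then risk."""
    records = [r for r in show_events_output.split("evIdsAlert:") if r.strip()]
    return sorted((parse_alert(r) for r in records), key=lambda a: (-a["tr"], -a["rr"]))


# Constructed records in the layout the slides show (not a real sensor export).
SAMPLE_EVENTS = """\
evIdsAlert: eventId=1166774738236276775 vendor=Cisco severity=low
  originator: hostId: ips6x appName: sensorApp appInstanceId: 388
  signature: description=TCP SYN Port Sweep id=3002 version=S2
    subsigId: 0 marsCategory: Probe/PortSweep/Non-stealth
  participants:
    attacker: addr: 192.168.1.111 locality=OUT port: 55852
    target: addr: 192.168.2.222 locality=OUT port: 663 port: 33 port: 231
      os: idSource=imported type=windows relevance=relevant
  triggerPacket: <truncated>
  riskRatingValue: 77 targetValueRating=medium attackRelevanceRating=relevant watchlist=25
  threatRatingValue: 77 interface: ge0_0 protocol: tcp
evIdsAlert: eventId=1166774738236276790 vendor=Cisco severity=high
  originator: hostId: ips6x appName: sensorApp appInstanceId: 388
  signature: description=DNS Server RPC Interface Buffer Overflow id=5858 version=S282
    subsigId: 0 marsCategory: Penetrate/BufferOverflow/RPC
  participants:
    attacker: addr: locality=OUT 192.168.6.66 port: 1063
    target: addr: locality=IN 192.168.1.11 port: 1032
      os: idSource=learned type=windows-nt-2k-xp relevance=relevant
  actions: deniedPacket: true
  riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 50 interface: ge0_0 protocol: tcp
evIdsAlert: eventId=1166774738236276801 vendor=Cisco severity=informational
  originator: hostId: ips6x appName: sensorApp appInstanceId: 388
  signature: description=ICMP Echo Request id=2004 version=S1
    subsigId: 0
  participants:
    attacker: addr: locality=OUT 192.168.6.66
    target: addr: locality=IN 192.168.1.11
  riskRatingValue: 25 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 25 interface: ge0_0 protocol: icmp
"""

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        state = "mitigated" if a["mitigated"] else "UNMITIGATED"
        print(f"TR {a['tr']:>3} RR {a['rr']:>3} sig {a['sig_id']} "
              f"{a['attacker']} -> {a['target']} {state} {sorted(a['override_actions'])}")
```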


Case Study: MS-RPC-DNS (CVE 2007-1748)


Microsoft RPC DNS 0-Day (CVE-2007-1748)

Victim

Attack phases: (1) Probe, (2) Penetrate, (3) Persist [Exploit Dependent], (4) Propagate [Exploit Dependent], (5) Paralyze

Probe: Query RPC Endpoint Mapper on TCP/135 for vulnerable ports or scan TCP/1024-5000; guess user accounts on TCP/139 and 445

Penetrate: Deliver buffer overflow on ports TCP/139, TCP/445, UDP/445, TCP/1024-5000

Exploit Specific (W32/Nirbot.worm!83E1220A): Download and copy malicious code to C:\U.exe; create back door access; connect to Command and Control on TCP port 8080


Mitigating the Vulnerability

ACLs: mitigation at the L3 boundary where deployed; VLAN maps and port ACLs for L2 access control if needed

If the application is required, ACLs provide no value against those allowed access

IPS Signatures: understand the application/vulnerability better when the application is required or ACLs do not suffice

Provide no mitigation unless directed to do so

Endpoint: CSA or patch prevents exploitation


Mitigation: Cisco IOS ACL (Modularized)

ip access-list extended ACCESS-LIST

200 deny ip 127.0.0.0 0.255.255.255 any !-- Deny Loopback netblock (src)

210 deny ip any 127.0.0.0 0.255.255.255 !-- Deny Loopback netblock (dst)

220 deny ip 192.0.2.0 0.0.0.255 any !-- Deny Test-Net netblock (src)

230 deny ip any 192.0.2.0 0.0.0.255 !-- Deny Test-Net netblock (dst)

240 deny ip 169.254.0.0 0.0.255.255 any !-- Deny Link Local netblock (src)

250 deny ip any 169.254.0.0 0.0.255.255 !-- Deny Link Local netblock (dst)

----- MS RPC 0-day ACEs -----

500 deny tcp any 192.168.100.0 0.0.0.255 eq 135 !-- MS RPC Endpoint Mapper

510 deny tcp any 192.168.100.0 0.0.0.255 eq 139 !-- NetBIOS Session Service

520 deny tcp any 192.168.100.0 0.0.0.255 eq 445 !-- Microsoft DS, and Zotob

530 deny udp any 192.168.100.0 0.0.0.255 eq 445 !-- SMB vulns

540 deny udp any 192.168.100.0 0.0.0.255 eq 1025 !-- MS RPC and LSA exploit traffic, and RinBot scanning for hosts that are vulnerable

550 deny tcp any 192.168.100.0 0.0.0.255 range 1024 5000 !-- MS RPC DNS 0-day scans

560 deny tcp any any eq 4444 !-- Metasploit Reverse Shell

570 deny udp any any eq 1434 !-- MS SQL, Sapphire/Slammer Worm

580 deny tcp any any range 6660 6669 !-- IRC traffic

590 deny tcp any any eq 7000 !-- IRC traffic


Mitigation: FW ACL (Modularized)

Firewall# show access-list tACL

access-list tACL line 1 deny ip host 127.0.0.0 any

access-list tACL line 2 deny ip 192.0.2.0 255.255.255.0 any

access-list tACL line 3 deny ip any 192.0.2.0 255.255.255.0

--------- Output Truncated -------

access-list tACL line 10 deny icmp any 192.168.100.0 255.255.255.0 echo

--------- Output Truncated -------

access-list tACL line 19 permit tcp any host 192.168.100.10 eq www

access-list tACL line 20 permit tcp any host 192.168.100.10 eq https

--------- Output Truncated -------

access-list tACL line 35 deny ip any any

ACEs added for the MS RPC DNS 0-day, each entered with line 19 so that they sit ahead of the existing permit entries:

access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 135

access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn

access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 445

access-list tACL line 19 deny udp any 192.168.100.0 255.255.255.0 eq 445

access-list tACL line 19 deny udp any 192.168.100.0 255.255.255.0 eq 1025

access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 range 1024 5000


Mitigation: IPS Signature 5858

ips6x#show events alert | include id=5858

------------Output Truncated ----------

signature: description=DNS Server RPC Interface Buffer Overflow id=5858 version=S282

subsigId: 0

sigDetails: DNS Server RPC Interface Buffer Overflow

marsCategory: Penetrate/BufferOverflow/RPC

interfaceGroup: vs0

vlan: 0

participants:

attacker:

addr: locality=OUT 192.168.6.66

port: 1063

target:

addr: locality=IN 192.168.1.11

port: 1032

os: idSource=learned type=windows-nt-2k-xp relevance=relevant

actions:

deniedPacket: true

riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant

threatRatingValue: 50

interface: ge0_0

protocol: tcp

Signature Description and ID

OS Identification/Relevancy

Risk Rating/Action/Threat Rating


Mitigation: CSA

Security Application Interceptors Prevent Code Execution in Many Cases

Must Be in Protect Mode to Prevent


Identification: ACL Counters

Firewall# show access-list tACL

-------- Output Truncated ---------

access-list tACL line 19 deny tcp any 192.168.100.0 255.255.255.0 eq 135 (hitcnt=3)

access-list tACL line 20 deny tcp any 192.168.100.0 255.255.255.0 eq netbios-ssn (hitcnt=0)

access-list tACL line 21 deny tcp any 192.168.100.0 255.255.255.0 eq 445 (hitcnt=10)

access-list tACL line 22 deny tcp any 192.168.100.0 255.255.255.0 range 1024 5000 (hitcnt=106)

Router#show access-lists ACCESS-LIST

Extended IP access list ACCESS-LIST

-------- Output Truncated -------------

500 deny tcp any 192.168.100.0 0.0.0.255 eq 135 (4 matches)

510 deny tcp any 192.168.100.0 0.0.0.255 eq 139

520 deny tcp any 192.168.100.0 0.0.0.255 eq 445

530 deny udp any 192.168.100.0 0.0.0.255 eq 445

540 deny tcp any 192.168.100.0 0.0.0.255 range 1024 5000 (96 matches)

Router ACL Counters

Firewall ACL Counters


Identification: Firewall Syslog Events

May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35565 to 192.168.2.1/1025 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35566 to 192.168.2.1/1026 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35567 to 192.168.2.1/1027 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35568 to 192.168.2.1/1028 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35569 to 192.168.2.1/1029 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35570 to 192.168.2.1/1030 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35571 to 192.168.2.1/1031 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35572 to 192.168.2.1/1032 flags SYN on interface outside
May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35573 to 192.168.2.1/1033 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35574 to 192.168.2.1/1033 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35575 to 192.168.2.1/1032 flags SYN on interface outside
May 16 2007 15:08:49: %ASA-2-106001: Inbound TCP connection denied 192.168.208.63/35576 to 192.168.2.1/1031 flags SYN on interface outside
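An added example (not Cisco or CS-MARS code) that parses the router and firewall deny messages shown on the Syslog and Identification slides and applies one CS-MARS-style rule over them: denies from one source to one destination that reach five distinct destination ports within 60 seconds become an incident, whichever device reported them. The log lines, the 60 s window and the five-port threshold are constructed assumptions.

```python
"""Correlating ACL deny syslog from IOS and ASA into incidents.

Added example, not Cisco or CS-MARS code: it parses the three message types
shown on the slides (%SEC-6-IPACCESSLOGP, %ASA-4-106023, %ASA-2-106001) and
applies one rule in the CS-MARS style: denies from one source to one
destination that reach several distinct destination ports inside a time
window become an incident, even when the events come from different devices.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

TS = r"(?P<ts>[A-Z][a-z]{2} +\d+ \d{4} \d\d:\d\d:\d\d)"
PATTERNS = {
    # IOS ACL with the log / log-input keyword; "(iface mac)" after the source is optional
    "ios-acl": re.compile(
        TS + r"(?:\.\d+)?(?: \w+)?: %SEC-6-IPACCESSLOGP: list \S+ denied (?P<proto>\w+) "
        r"(?P<src>[\d.]+)\((?P<sport>\d+)\)(?: \([^)]*\))? -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"),
    # ASA/PIX/FWSM packet denied by an interface ACL
    "asa-acl": re.compile(
        TS + r": %ASA-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
        r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"),
    # ASA inbound connection denied
    "asa-conn": re.compile(
        TS + r": %ASA-2-106001: Inbound (?P<proto>\w+) connection denied "
        r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"),
}


@dataclass(frozen=True)
class DenyEvent:
    ts: datetime
    device: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_line(line):
    """Return a DenyEvent for a recognised deny message, else None."""
    for device, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            return DenyEvent(ts, device, m["proto"].lower(), m["src"], m["dst"], int(m["dport"]))
    return None


def correlate(events, window=timedelta(seconds=60), min_ports=5):
    """Sliding-window rule per (source, destination) pair; returns incident dicts."""
    recent = defaultdict(deque)     # (src, dst) -> events inside the window, oldest first
    incidents = {}
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[(ev.src, ev.dst)]
        q.append(ev)
        while ev.ts - q[0].ts > window:
            q.popleft()
        ports = {e.dport for e in q}
        if len(ports) < min_ports:
            continue
        inc = incidents.setdefault((ev.src, ev.dst), {
            "src": ev.src, "dst": ev.dst, "first": q[0].ts, "ports": set(), "devices": set()})
        inc["ports"] |= ports
        inc["devices"] |= {e.device for e in q}
        inc["last"] = ev.ts
    return list(incidents.values())


# Constructed log lines in the formats shown on the slides (not a real capture).
SAMPLE_LOG = [
    "Aug 29 2007 15:58:12.181 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp "
    "192.168.208.63(55618) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet",
    "Aug 29 2007 15:58:14.445 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp "
    "192.168.208.63(55619) (GigabitEthernet0/0 0014.5e6a.5ba6) -> 192.168.150.77(1024), 1 packet",
    "Aug 29 2007 15:58:24.429 CDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp "
    "192.168.208.63(55621) -> 192.168.150.77(139), 1 packet",
    # The same source reaches other ports on the same host seconds later, seen by the firewall.
    *[f'Aug 29 2007 15:58:2{i}: %ASA-4-106023: Deny tcp src outside:192.168.208.63/35746 '
      f'dst inside:192.168.150.77/{p} by access-group "OUTSIDE" [0x5063b82f, 0x0]'
      for i, p in ((0, 389), (0, 443), (1, 256), (1, 399))],
    # A lone deny that must not become an incident.
    'Aug 29 2007 16:40:03: %ASA-4-106023: Deny udp src outside:10.1.1.1/5060 '
    'dst inside:192.168.150.80/5060 by access-group "OUTSIDE" [0x5063b82f, 0x0]',
    # A sweep of TCP/1025-1033 like the one on the slide.
    *[f"May 16 2007 15:08:47: %ASA-2-106001: Inbound TCP connection denied "
      f"192.168.208.63/{35565 + i} to 192.168.2.1/{1025 + i} flags SYN on interface outside"
      for i in range(9)],
    "May 16 2007 15:08:50: %ASA-6-302013: Built inbound TCP connection (ignored by the parser)",
]


def run_demo():
    events = [e for e in map(parse_line, SAMPLE_LOG) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    events, incidents = run_demo()
    print(f"{len(events)} deny events parsed")
    for inc in incidents:
        print(f"{inc['src']} -> {inc['dst']}: {len(inc['ports'])} ports in "
              f"{(inc['last'] - inc['first']).seconds}s via {sorted(inc['devices'])}")
```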


Identification: IPS

Attack Phase | Description | Signature ID
Command and Control Bot Access [Persist and Propagate] | Non-HTTP Traffic | 12674/0
SMB Authentication [Probe] | SMB Null Login Attempt | 5577/0
SMB Authentication [Probe] | SMB Login Successful with Guest | 5576/0
Detect SMB Authentication Attempts [Probe] | SMB Authorization Failure | 5606/0
Detect TCP High Port Probe [Probe] | TCP High Port Sweep | 3010/0
Detect Vulnerability | DNS Server RPC Interface Buffer Overflow | 5858/0-4


The Exploits

W32/Nirbot.worm!83E1220A: download worm on random HTTP server port

Connect via IRC over port 8080

IRC servers include:

{blocked}.rofflewaffles.us

{blocked}.anti-viral.us

{blocked}.wayne.brady.gonna.have.to.{blocked}.us

Exploits are sort of like chasing your tail, but there are several patterns we can catch (this time) or ways in which these can be mitigated


Exploit Specific

Restricting outbound policy to a few good ports (80,443,53,25,21) will prevent IRC over 8080

Web filtering or using a proxy may prevent download of worm over HTTP

ACL for blacklisting IRC C&C servers

DNS blackholing for C&C servers (DNS resolution to 127.0.0.1)

Firewall application inspection on port 8080

Search transit device logs or NetFlow for IRC servers, C&C servers


Exploit Specific: ASA HTTP Inspection

!
access-list web-ports extended permit tcp any any eq 80
access-list web-ports extended permit tcp any any eq 8080
!
class-map webports
 match access-list web-ports
!
policy-map type inspect http http-policy
 parameters
  protocol-violation action drop-connection
!
policy-map global_policy
 class webports
  inspect http http-policy
!
service-policy global_policy global
!


References

Microsoft Security Advisory (935964), Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/advisory/935964.mspx

Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Microsoft Security Advisory (935964) Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

http://www.cisco.com/warp/public/707/cisco-amb-20070413-ms-rpc-dns.shtml

Nirbot's Latest Move: MS DNS Exploits [Arbor]: http://asert.arbornetworks.com/2007/04/nirbots-latest-move-ms-dns-exploits/


References (cont…)

W32.Rinbot.BC [Symantec]: http://www.symantec.com/security_response/writeup.jsp?docid=2007-041701-3720-99&tabid=2

New Rinbot Scanning for Port 1025 DNS/RPC [SANS]: http://www.isc.sans.org/diary.html?storyid=2643

W32/Delbot-AI [Sophos]: http://www.sophos.com/security/analyses/viruses-and-spyware/w32delbotai.html

W32/Nirbot.worm!83E1220A [McAfee]: http://vil.nai.com/vil/content/v_142025.htm


Case Study 2: MS08-001


Vulnerabilities

Windows Kernel TCP/IP IGMPv3 and MLDv2 Vulnerability: CVE-2007-0069

Remote Code Execution or Denial of Service utilizing crafted packets over IGMPv3/IPv4 (Windows XP, Windows Vista, Windows Server 2003) or MLDv2/IPv6 (Windows Vista)

Windows Kernel TCP/IP ICMP Vulnerability: CVE-2007-0066

Denial of Service utilizing a fragmented ICMP router advertisement packet

Microsoft Security Bulletin MS08-001: Critical Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)

http://www.microsoft.com/technet/security/bulletin/MS08-001.mspx


IGMPv3/MLDv2

RFCs IGMPv3/RFC 3376, IGMPv2/ RFC 2236, IGMPv1/RFC 1112, MLDv2/RFC 3810, MLDv1/RFC 2710

Both protocols provide essentially the same multicast functionality

Not much information in the initial advisory; however, a miscreant could potentially get in the ballpark by looking at what features have been added between protocol versions

Routers will not forward multicast unless configured to do so, but will forward LSRR and SSRR packets unless disabled

A working exploit could potentially own or DoS all hosts that are part of a multicast group on a local network

Encapsulation or social engineering could be used to traverse Layer 3 boundaries


ICMP Type 9 (RFC 1256)

A host never sends Type 9 messages (if obeying the RFC)

Valid destination addresses are 224.0.0.1, 224.0.0.2 and 255.255.255.255

Therefore this is all link local; Layer 3 controls provide little benefit except in possible corner cases. Preventing hosts from sending ICMP Type 9 messages at Layer 2 will mitigate the vulnerability

Since the vulnerability requires fragmentation, preventing fragmentation is an effective mitigation.

A miscreant could potentially encapsulate this message in something else, such as loose source routing, to make the message appear as if it were from a router and to be able to perform the exploit from non-local networks


Mitigating the Vulnerability

Cisco IOS ACLs: fragmentation filtering, protocol filtering, options filtering; Layer 2 preferred; features such as no ip source-route and ip options drop

IPS Signatures 6224/0, 6755/0, and 2150/0 (fragmented ICMP traffic; 2150/0 is available via ip audit in ASA, FWSM, and PIX); provide no mitigation unless directed to do so

ASA/FWSM/PIX: default handling of IP options drops packets with options present; fragment chain command

Endpoint Patch or Host Firewall


Mitigation: Cisco IOS Features and ACLs

Router(config)#no ip source-route

Router(config)#ip options drop

% Warning: RSVP and other protocols that use IP Options packets

may not function as expected.

----------

Router(config)#ip access-list extended tACL

Router(config-ext-nacl)#deny ip any any fragments

Router(config-ext-nacl)#deny icmp any any router-solicitation

Router(config-ext-nacl)#deny ip any any option lsr

Router(config-ext-nacl)#deny ip any any option ssr


Mitigation: Cisco IOS VACL

!-- Create ACLs that match traffic. Action will be applied

!-- in VLAN map section.

!

ip access-list extended match-igmp-router

permit igmp host 192.168.100.1 any

!

ip access-list extended match-icmp-router

permit icmp host 192.168.100.1 any router-advertisement

!

ip access-list extended match-igmp-subnet

permit igmp 192.168.100.0 0.0.0.255 any

!

ip access-list extended match-icmp-subnet

permit icmp 192.168.100.0 0.0.0.255 any router-advertisement

!

ip access-list extended match-all-subnet

permit ip any any

!


Mitigation: Cisco IOS VACL (cont…)

vlan access-map ms08-001 10

match ip address match-igmp-router

action forward

vlan access-map ms08-001 20

match ip address match-icmp-router

action forward

vlan access-map ms08-001 30

match ip address match-igmp-subnet

action drop

vlan access-map ms08-001 40

match ip address match-icmp-subnet

action drop

vlan access-map ms08-001 50

match ip address match-all-subnet

action forward

!

!-- Apply to VLAN 100

vlan filter ms08-001 vlan-list 100

Permit Router Interface to Send ICMP Anywhere

Permit Router to Send IGMP Anywhere

Drop IGMP for Rest of Subnet

Drop ICMP Type 9

Permit All Other Traffic

Apply to VLAN 100



Mitigation: ASA, FWSM, and PIX

!-- The fragment chain command can be used to prevent fragments from traversing
!-- the firewall or specific interfaces (effectively denies all fragments)
Firewall(config)#fragment chain 1 [interface_name]
!
!-- Cisco PIX security appliances, Cisco ASA adaptive security appliances, and
!-- FWSMs will, by default, drop all source-routed packets received on any
!-- interface and create an informational-level (severity 6) syslog message
106012: Deny IP from 192.168.100.5 to 192.168.60.5, IP options: "Loose Src Routing"
106012: Deny IP from 192.168.100.5 to 192.168.60.5, IP options: "Strict Src Routing"


Additional Mitigation and Monitoring

Layer 2 anti-spoofing features such as IP Source Guard (IPSG), DHCP Snooping, or Port Security

Check device configuration for allowing multicast



MS08-001 References

Microsoft Security Bulletin MS08-001: Critical Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
http://www.microsoft.com/technet/security/bulletin/MS08-001.mspx

MS08-001 (part 2) – The case of the Moderate ICMP mitigations
http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-2-the-case-of-the-moderate-icmp-mitigations.aspx

MS08-001 (part 3) – The case of the IGMP network critical
http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-part-3-the-case-of-the-igmp-network-critical.aspx

MS08-001 – The case of the Moderate, Important, and Critical network vulnerabilities
http://blogs.technet.com/swi/archive/2008/01/08/ms08-001-the-case-of-the-moderate-important-and-critical-network-vulnerabilities.aspx

MS08-001 – The case of the missing Windows Server 2003 attack vector
http://blogs.technet.com/swi/archive/2008/01/10/MS08_2D00_001-_2D00_-The-case-of-the-missing-Windows-Server-2003-attack-vector.aspx

Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for January 2008
http://tools.cisco.com/security/center/viewAlert.x?alertId=14898

Cisco IntelliShield Vulnerability Alert ID 14854: Microsoft Windows Kernel IGMP and MLD Code Execution Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=14854

Cisco IntelliShield Vulnerability Alert ID 14853: Microsoft Windows Kernel ICMP Router Discovery Protocol Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=14853

Exploit for MS08-001 Demonstrated
http://blogs.pcmag.com/securitywatch/2008/01/exploit_for_ms08001_demonstrat.php



Case Study 3: Storm Class Malware, CME711


Storm Malware, CME711

[Diagram: the five phases, numbered 1 to 5, against the victim]

Phases: Probe [Exploit Dependent], Penetrate [Exploit Dependent], Persist [Exploit Dependent], Propagate [Exploit Dependent], Paralyze

Spam and social engineering convince the user to download an executable

Download malicious software to the end host

Download software; join the P2P network; open up a UDP port on the local host above 1024

Spam, DDoS, update

Exploit specific



Malware in Action: CME711

1. BotHerder updates malcode on webtrap

2. Initiate new spam pointing to webtrap

3. User reads the spam and clicks link

4. User machine infected

[Diagram: BotHerder, infected webserver, and infected user machine, with steps 1 to 4 above]


Mitigating CME711

1. Break initial exploitation vector

2. Break infection vector

3. Break joining botnet

[Diagram: BotHerder, infected webserver, and infected host, with mitigation points 1 to 3 above]



Breaking the Bot

Initial vector through spam message: user education and spam filtering

Host downloads malware from webserver: mitigate vulnerabilities on the host (patch and best practices); use AV or HIPS to prevent exploitation; web content filter; DNS blackholing

Host opens UDP port above 1024 and communicates with the P2P network (UDP 1024:65535 to UDP 1024:65535): ACLs/FPM, DNS, syslog analysis and NetFlow


Mitigation: ACLs

!-- Router
Router(config)#ip access-list extended tACL
!-- Deny UDP packets in range 1024 - 65535
Router(config-ext-nacl)#deny udp 192.168.2.0 0.0.0.255 range 1024 65535 any range 1024 65535
!-- Permit remaining traffic (added here; the slide shows only the deny entry)
Router(config-ext-nacl)#permit ip any any

!-- Firewall configuration (corrected from the slide's "udp192.169.2.0": the same
!-- 192.168.2.0/24 as the router ACL, with a space after the protocol keyword)
Firewall(config)# access-list storm-udp extended deny udp 192.168.2.0 255.255.255.0 range 1024 65535 any range 1024 65535
Firewall(config)# access-list storm-udp extended permit ip any any



What About FPM?

The P2P traffic is encrypted with a simple key

Works and is functional; could change

Snort signatures from http://doc.emergingthreats.net/2007701

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:3;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a6 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:1;)

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a0 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007702; rev:1;)

Source: EmergingThreats.net


Mitigation: FPM for Encrypted Storm

!-- Load PHDFs for IP and UDP
load protocol disk0:ip.phdf
load protocol disk0:udp.phdf
!
!-- Match UDP over IP packets
class-map type stack match-all ip_udp_class
 description "match UDP over IP packets"
 match field ip protocol eq 17 next udp
!
!-- Match Storm, CME711 packets: UDP port 1024:65535, UDP length 33 bytes
!-- (8-byte header + 25-byte payload) and the 2-byte payload match 0x10a6
class-map type access-control match-all encrypted_storm
 description "match encrypted storm, cme711 packets"
 match field udp dest-port range 1024 65535
 match field udp length eq 33
 match start udp payload-start offset 0 size 2 eq 0x10a6
!
!-- Policy for UDP-based attacks: drop worms and malicious attacks
policy-map type access-control fpm_udp_policy
 class encrypted_storm
  drop
  log
!
policy-map type access-control fpm_policy
 class ip_udp_class
  service-policy fpm_udp_policy
!
!-- Apply and enable FPM policy
interface GigabitEthernet 0/1
 service-policy type access-control input fpm_policy
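The Snort rules and the FPM class-map above test the same three things: both UDP ports in 1024:65535, a UDP length of 33 (a 25-byte payload), and the payload starting with 0x10a6. The following is an added example, not code from the presentation or from Cisco or Emerging Threats, that applies that test to constructed UDP datagrams in Python and adds a simplified version of the Snort "threshold: type both, count 2, seconds 60, track by_src" suppression, so the reader can see which packets in a stream would actually raise an alert. The sample traffic and the host addresses are constructed; the threshold class is an approximation of Snort's behaviour, not its implementation.

```python
# Added example (not from the presentation): the Storm/CME711 match from the
# Snort rules and the FPM class-map, applied to constructed UDP datagrams, plus
# a simplified "threshold: type both" so only the Nth match per source alerts.
import struct

STORM_MARKER = b"\x10\xa6"     # first two payload bytes both rule sets check
STORM_PAYLOAD_LEN = 25         # Snort dsize:25; FPM "udp length eq 33" = 8 + 25
HIGH_PORTS = range(1024, 65536)

def build_udp(src_port, dst_port, payload):
    """Constructed UDP datagram (header + payload, checksum left at zero)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

def matches_storm(datagram):
    """Same test the FPM class-map encrypted_storm and the Snort rules apply."""
    if len(datagram) < 8:
        return False
    src_port, dst_port, udp_len, _csum = struct.unpack("!HHHH", datagram[:8])
    payload = datagram[8:]
    return (src_port in HIGH_PORTS and dst_port in HIGH_PORTS  # 1024:65535 -> 1024:65535
            and udp_len == 8 + STORM_PAYLOAD_LEN              # match field udp length eq 33
            and len(payload) == STORM_PAYLOAD_LEN             # dsize:25
            and payload[:2] == STORM_MARKER)                  # content:"|10 a6|"; depth:2

class ThresholdBoth:
    """Approximation of Snort 'threshold: type both, count N, seconds S,
    track by_src': one alert per source per S-second window, and only once
    N matches have been seen in that window."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self._windows = {}   # src -> (window_start, matches_in_window)

    def hit(self, src, now):
        start, n = self._windows.get(src, (now, 0))
        if now - start >= self.seconds:   # window expired: start a fresh one
            start, n = now, 0
        n += 1
        self._windows[src] = (start, n)
        return n == self.count            # fires exactly once per window

def detect(packets, count=2, seconds=60):
    """packets: iterable of (timestamp_s, src_ip, udp_datagram). Returns the
    (timestamp, src) pairs that would produce an alert."""
    thr = ThresholdBoth(count, seconds)
    alerts = []
    for ts, src, dgram in packets:
        if matches_storm(dgram) and thr.hit(src, ts):
            alerts.append((ts, src))
    return alerts

# Constructed sample traffic. 192.168.2.10 sits in the subnet the ACL slide uses
# and sends Storm-shaped payloads; 192.168.2.20 sends look-alikes that must not match.
STORM_PAYLOAD = STORM_MARKER + b"\x00" * 23
SAMPLE_PACKETS = [
    (0,  "192.168.2.10", build_udp(7871, 22591, STORM_PAYLOAD)),                 # 1st match
    (5,  "192.168.2.10", build_udp(7871, 31022, STORM_PAYLOAD)),                 # 2nd: alert
    (10, "192.168.2.10", build_udp(7871, 4500, STORM_PAYLOAD)),                  # suppressed
    (3,  "192.168.2.20", build_udp(7871, 22591, b"\x10\xa7" + b"\x00" * 23)),   # wrong marker
    (4,  "192.168.2.20", build_udp(7871, 53, STORM_PAYLOAD)),                    # dst port < 1024
    (70, "192.168.2.10", build_udp(7871, 22591, STORM_PAYLOAD)),                 # new window
    (75, "192.168.2.10", build_udp(7871, 22591, STORM_PAYLOAD)),                 # 2nd: alert
]

if __name__ == "__main__":
    for ts, src in detect(SAMPLE_PACKETS):
        print(f"t={ts:>3}s  Storm Worm Encrypted Variant 1 Traffic from {src}")
```

Only two of the five Storm-shaped packets from 192.168.2.10 produce alerts, which is the point of the threshold clause: the signature fires once per source per minute rather than once per packet, so a chatty P2P node does not flood the console.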



Mitigation: Deny Downloader via HTTP Inspection

regex exe_url ".*\.[Ee][Xx][Ee]"
!-- Create regex class map
class-map type regex match-any bad_urls
 match regex exe_url
class-map type inspect http match-any http-urls
 match request uri regex class bad_urls
class-map http-port
 match port tcp eq www
!-- Create policy map, actions set to drop and log
policy-map type inspect http http-policy
 parameters
  protocol-violation action drop-connection
 class http-urls
  drop-connection log
!-- Apply and enable "EXE Downloader" policy
policy-map global_policy
 class http-port
  inspect http http-policy
service-policy global_policy global


Mitigation: Deny Botnet Access via DNS Inspection

regex bad_domain1 "tibeam\.com"
regex bad_domain2 "tushove\.com"
regex bad_domain3 "kqfloat\.com"
!
!-- The regex class must reference the names defined above
!-- (the slide read "match regex domain1", which matches nothing)
class-map type regex match-any bad_domains
 match regex bad_domain1
 match regex bad_domain2
 match regex bad_domain3
!
class-map type inspect dns bad_domain_query
 match not header-flag QR
 match question
 match domain-name regex class bad_domains
!
policy-map type inspect dns bad_domain_policy
 class bad_domain_query
  drop log
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map egress_policy
 class inspection_default
  inspect dns bad_domain_policy
!
service-policy egress_policy interface inside
!

Domains from http://www.disog.org/text/storm-fastflux.txt



Identification

NetFlow or syslog: communication UDP 1024:65535 to UDP 1024:65535

NetFlow: changes in behaviour during spamming or DDoS

IPS signatures 5894/0 and 5894/1

ACL Counters
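The first bullet turns into a straightforward flow-analysis check. This is an added example, not part of the presentation: it scans constructed NetFlow-style records (the six-field layout is a simplification for the example, not a real NetFlow export format) and reports internal hosts that hold high-port UDP conversations with many distinct external peers, which is what a P2P node looks like before any payload is inspected. The 192.168.2.0/24 prefix is the subnet from the ACL slide; the peer-count threshold is an assumption to tune against a site's normal traffic.

```python
# Added example (not from the presentation): find internal hosts whose flow
# records show UDP 1024:65535 <-> 1024:65535 conversations with many distinct
# external peers, the pattern the Identification slide says NetFlow can expose.
from collections import defaultdict

INTERNAL_PREFIX = "192.168.2."   # subnet used in the ACL slide
UDP = 17
HIGH_PORTS = range(1024, 65536)

def parse_flow(line):
    """Parse one constructed flow record (simplified layout, not a real NetFlow
    export): 'proto src_ip src_port dst_ip dst_port packets'."""
    proto, src, sport, dst, dport, pkts = line.split()
    return int(proto), src, int(sport), dst, int(dport), int(pkts)

def is_high_port_udp(proto, sport, dport):
    """UDP with both ports in 1024:65535. DNS, NTP and TCP web traffic do not
    qualify, so ordinary client activity is not counted."""
    return proto == UDP and sport in HIGH_PORTS and dport in HIGH_PORTS

def suspect_p2p_hosts(flow_lines, min_peers=5):
    """Return {internal_host: distinct_external_peers} for hosts at or above
    min_peers (the threshold is an assumption; baseline it per site)."""
    peers = defaultdict(set)
    for line in flow_lines:
        proto, src, sport, dst, dport, _pkts = parse_flow(line)
        if not is_high_port_udp(proto, sport, dport):
            continue
        if src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX):
            peers[src].add(dst)
    return {host: len(p) for host, p in peers.items() if len(p) >= min_peers}

# Constructed sample flows (documentation/test address ranges for the peers).
SAMPLE_FLOWS = [
    "17 192.168.2.10 7871 203.0.113.5 22591 3",
    "17 192.168.2.10 7871 203.0.113.77 31022 2",
    "17 192.168.2.10 7871 198.51.100.9 4500 1",
    "17 192.168.2.10 7871 198.51.100.200 18234 4",
    "17 192.168.2.10 7871 192.0.2.33 60001 1",
    "17 192.168.2.10 7871 192.0.2.34 60002 1",
    "17 192.168.2.11 50231 192.0.2.53 53 2",        # DNS: dst port below 1024, ignored
    "17 192.168.2.11 123 192.0.2.123 123 1",         # NTP, ignored
    "17 192.168.2.12 16384 203.0.113.40 16384 120",  # two RTP-like peers: under threshold
    "17 192.168.2.12 16386 203.0.113.41 16388 95",
    "6 192.168.2.10 49152 192.0.2.80 80 10",         # TCP, ignored
]

if __name__ == "__main__":
    for host, n in sorted(suspect_p2p_hosts(SAMPLE_FLOWS).items()):
        print(f"{host}: high-port UDP to {n} distinct external peers")
```

Distinct-peer counting is what separates the bot from the VoIP phone: both use high UDP ports in both directions, but the phone talks to a handful of peers while the P2P node fans out to many. The same grouping works on the ACL log or syslog output of the deny entries from the earlier slide.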


Storm Worm References

Storm Worm DDoS Attack
http://www.secureworks.com/research/threats/view.html?threat=storm-worm

Storm (Worm) Peacomm Analysis
http://www.cyber-ta.org/pubs/StormWorm/report/

Schneier on Security
http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html

April Storm’s Day Campaign
http://asert.arbornetworks.com/2008/03/april-storms-day-campaign/

Antirootkit.com blog
http://www.antirootkit.com/blog/category/storm-worm/

The Evolution of Peacomm to "all-in-one" Trojan
http://www.symantec.com/enterprise/security_response/weblog/2007/04/the_evolution_of_peacomm_to_al.html

Known Storm Fast Flux Domains
http://www.disog.org/text/storm-fastflux.txt



Advanced Topics


Test Yourself

Metasploit is an exploitation framework that provides a lot of flexibility to test yourself – it’s very easy to test client and service exploits; more information is at www.metasploit.com

Scapy is a powerful packet manipulation program – it requires some Python knowledge but is useful for creating specific types of network traffic; more information is at http://www.secdev.org/projects/scapy/

>>> x = fragment(IP(dst="192.168.15.60")/ICMP()/("abc"*1200),fragsize=1200)
>>> x[1].frag=145
>>> send(x)

17:52:13.113797 IP (tos 0x0, ttl 64, id 1, offset 0, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: ICMP echo request, id 0, seq 0, length 1200
17:52:13.119594 IP (tos 0x0, ttl 64, id 1, offset 1160, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: icmp
17:52:13.125617 IP (tos 0x0, ttl 64, id 1, offset 2400, flags [+], proto ICMP (1), length 1220) 192.168.2.63 > 192.168.15.60: icmp
17:52:13.131597 IP (tos 0x0, ttl 64, id 1, offset 3600, flags [none], proto ICMP (1), length 28) 192.168.2.63 > 192.168.15.60: icmp

Changed the Fragment Offset
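From the defender's side, the interesting question is what a reassembler or an inline device should notice about that chain. The following added example, which is not part of the presentation, models the four fragments tcpdump printed (IP ID 1, byte offsets 0/1160/2400/3600, total lengths 1220/1220/1220/28, MF set on all but the last) and audits them the way virtual fragment reassembly in an IPS or the "deny ip any any fragments" and "fragment chain" controls above implicitly do: overlaps, gaps, missing first or last fragment, and oversize datagrams. The tcpdump offsets are already in bytes; the code stores the header's 8-byte units, so x[1].frag=145 corresponds to 1160 bytes. The Fragment class and the clean comparison chain are constructed for the example.

```python
# Added example (not from the presentation): reassembly-side sanity check for an
# IP fragment chain, run over the four fragments shown in the tcpdump output.
from dataclasses import dataclass

IP_HEADER_LEN = 20      # the captured packets carry no IP options
MAX_DATAGRAM = 65535    # largest reassembled IPv4 datagram

@dataclass(frozen=True)
class Fragment:
    ident: int             # IP identification field shared by the chain
    frag_offset: int       # fragment offset as carried in the header (8-byte units)
    total_length: int      # IP total length field
    more_fragments: bool   # MF flag ("flags [+]" in tcpdump)

    @property
    def start(self):
        return self.frag_offset * 8

    @property
    def payload_len(self):
        return self.total_length - IP_HEADER_LEN

    @property
    def end(self):            # exclusive
        return self.start + self.payload_len

def audit_chain(fragments):
    """Return anomaly descriptions for fragments sharing one IP ID; an empty
    list means the chain reassembles cleanly."""
    if len({f.ident for f in fragments}) != 1:
        return ["fragments do not share a single IP ID"]
    frags = sorted(fragments, key=lambda f: f.start)
    issues = []
    if frags[0].start != 0:
        issues.append("no initial fragment (nothing at offset 0)")
    for f in frags:
        if f.more_fragments and f.payload_len % 8:
            issues.append(f"non-final fragment at {f.start} has payload {f.payload_len}, not a multiple of 8")
        if f.end > MAX_DATAGRAM:
            issues.append(f"fragment at {f.start} extends past {MAX_DATAGRAM} bytes")
    for prev, cur in zip(frags, frags[1:]):
        if cur.start < prev.end:
            issues.append(f"overlap: fragment at {cur.start} overwrites {prev.end - cur.start} bytes of the fragment at {prev.start}")
        elif cur.start > prev.end:
            issues.append(f"gap: {cur.start - prev.end} bytes missing between {prev.end} and {cur.start}")
    finals = [f for f in frags if not f.more_fragments]
    if not finals:
        issues.append("no final fragment (MF set on every fragment)")
    elif len(finals) > 1 or finals[0] != frags[-1]:
        issues.append("final fragment is not the last one by offset")
    return issues

# The chain as tcpdump printed it: 145 * 8 = 1160 is the altered second offset.
CAPTURED_CHAIN = [
    Fragment(1, 0, 1220, True),
    Fragment(1, 145, 1220, True),
    Fragment(1, 300, 1220, True),
    Fragment(1, 450, 28, False),
]
# Constructed comparison: the same datagram with the untouched offset 150 (1200 bytes).
CLEAN_CHAIN = [
    Fragment(1, 0, 1220, True),
    Fragment(1, 150, 1220, True),
    Fragment(1, 300, 1220, True),
    Fragment(1, 450, 28, False),
]

if __name__ == "__main__":
    for name, chain in (("captured", CAPTURED_CHAIN), ("clean", CLEAN_CHAIN)):
        print(name, audit_chain(chain) or ["reassembles cleanly"])
```

Moving one offset back by 40 bytes produces both an overlap with the first fragment and a 40-byte gap before the third, so the chain can never reassemble into the datagram the lengths promise. Stacks differ in how they resolve overlaps, which is exactly why an IPS with virtual reassembly, or a policy that simply denies non-initial fragments, is the safer place to make the decision than each endpoint.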



Security = Moving Target

Metasploit ShikataGaNai encoder makes creating exploits using polymorphic shell code very simple; this means that simple string matches such as “0x90/0x90/0x90” are trivial to avoid

Metasploit meterpreter allows for relatively simple dll injection and command execution that is difficult to detect (leaves no new processes, files or network connections) on the compromised system

XT Bot utilized Dynamic Remote Settings Stub (DRSS) to hide communications; think of a bot that uses steganography for communication

Fast flux DNS for botnet networks makes the botnet difficult to neutralize


Deceptive Defense

Darknets and illegal IP space (dark space) monitoring make it easier to identify outbreaks and help detect probing that may fall under the normal radar

Low interaction honeypots: deployed inside the network, these help quickly identify compromised systems and miscreants; real world studies have shown a ratio of 1/1000 of the IP space is effective

Honeytokens: a purposefully placed piece of information that should only ever be accessed by illegitimate activity

Source: Virtual Honeypots, pg. 308



Deceptive Defense Benefits

Low false positive rate: the attack already exhibits several characteristics of a real attack, such as illegal IP space or non-production hosts

Aid in 0-day detection

Easily identifies internal outbreaks

Scalable: Nepenthes scales well, Honeyd can create large virtual networks


Utilizing Low Interaction Honeypots to Increase Network Security?

IPS can be configured to perform an event action override when a pre-determined threshold has been met; these actions could be block address or deny attacker inline which can happen for a specified time frame

The IPS target value rating (TVR) can be used to increase the risk rating for events which happen targeting a specific host or subset of hosts

A low interaction Honeypot such as Nepenthes (http://nepenthes.mwcollect.org/) could be deployed in conjunction with an artificially inflated TVR to trigger event actions such as deny attacker inline to remove threats before they attack real systems



Deceptive Defense in Action

[Diagram: IPS sensor inline between the Internet and the hosts; attacker 10.10.10.100; low interaction honeypot 192.168.100.10]


Deceptive Defense Mitigating the Attack

Signature 3338/1 Windows LSASS RPC Overflow, Base Risk Rating 75 (Severity = High, Fidelity = 75)

Risk Rating = (ASR*TVR*SFR)/10000 + ARR – PD + WLR

Calculated for a Target Value Rating set to High: ASR(100) * TVR(150) * SFR(75)/10000 + ARR – PD + WLR = 100

Event Action Override 90–100 (Deny Attacker Inline/Request Block Host)

[Diagram: IPS sensor inline between the Internet and the hosts; attacker 10.10.10.100 hits the low interaction honeypot 192.168.100.10; attacker blocked]
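The arithmetic on the slide is worth carrying through for every target value level, because it shows how much headroom the honeypot trick gives. This is an added example, not code from the presentation or from Cisco: it implements the slide's formula in Python with the TVR weights the Cisco IPS assigns to the five target value levels (Zero 50, Low 75, Medium 100, High 150, Mission Critical 200; these weights are not on the slide). With the Medium default (100) the formula returns the slide's base risk rating of 75; with High (150) the raw value is 112.5 and the rating saturates at 100, which is the result the slide shows. The assumptions labelled in the code are that ARR, PD and WLR are zero, as in the slide's worked case, that the rating is clamped to 0..100, and that fractions are truncated.

```python
# Added example (not from the presentation): the slide's risk rating formula
# evaluated for signature 3338/1 across the Cisco IPS target value levels.
ALERT_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}   # ASR weights
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100, "high": 150,
                "mission-critical": 200}                                        # TVR weights

def risk_rating(asr, tvr, sfr, arr=0, pd=0, wlr=0):
    """RR = (ASR*TVR*SFR)/10000 + ARR - PD + WLR, clamped to the 0..100 scale.
    ARR (attack relevancy), PD (promiscuous delta) and WLR (watch list rating)
    default to 0 as in the slide's worked case. Assumption: fractional results
    are truncated; the slide only shows that 112.5 becomes 100."""
    rr = (asr * tvr * sfr) / 10000 + arr - pd + wlr
    return int(max(0, min(100, rr)))

def event_action(rr, override_low=90, override_high=100):
    """Event action override band from the slide: 90..100 denies the attacker
    inline (or requests a block host); anything lower only produces an alert."""
    if override_low <= rr <= override_high:
        return "deny-attacker-inline"
    return "produce-alert"

def lsass_sig_by_target(sfr=75, asr=ALERT_SEVERITY["high"]):
    """Signature 3338/1 (severity High, fidelity 75) against each TVR level."""
    return {level: risk_rating(asr, tvr, sfr) for level, tvr in TARGET_VALUE.items()}

if __name__ == "__main__":
    for level, rr in lsass_sig_by_target().items():
        print(f"TVR {level:<16} RR={rr:>3}  -> {event_action(rr)}")
```

Read the table this produces from the bottom up: the same event against a Medium-valued production host rates 75 and only alerts, while against the honeypot with TVR High it rates 100 and is blocked inline. Nothing about the signature changed; the honeypot address is simply the one place where the sensor is told to treat every hit as mission-critical, and because no legitimate client should ever talk to it, the usual false-positive cost of that aggressive action does not apply.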



Deceptive Defense Caveats

Make sure the host cannot be used to launch attacks (block outgoing access from the host)

Use common sense; the Honeynet Project, http://www.honeynet.org/, has several research papers and presentations available


Black Hole Filtering – Destination Based

Forwards packet to the bit bucket aka “Null0”

Only works on destination addresses

Destination-based RTBH takes the destination offline: you DoS yourself and the miscreant wins

Good reactive mechanism for compromised endpoints

Traditionally used to “black hole” undesirable traffic

Foundation for other remote triggered response



Black Hole Filtering – Source Based

Dropping on destination is very important

Dropping on source is often what we really want

Requires Unicast RPF

Reacting using the source address provides some interesting options

Stop the attack without taking the destination offline

Filter command and control servers

Filter (contain) infected end stations

Must be rapid and scalable: leverage pervasive BGP again


Black Hole Filtering – Source Based

Advantages of using source-based filtering:

No ACL update

No change to device configuration

Drops happen in the forwarding path

Frequently changes when attack profiles are dynamic

Weaknesses when using source-based filtering:

Source detection and enumeration

Attack termination detection (reporting)

Will drop all packets with the source and destination on all triggered interfaces, regardless of actual intent

Remember spoofing: don’t let the miscreant spoof the true source-based target and trick you into black holing them

Whitelist important sites that should never be blocked



Sinkhole Routers/Networks

Sinkholes are a topological security feature – think network honeypot

Router or workstation built to suck in traffic and assist in analyzing attacks (original use)

Redirect attacks away from the victim – working the attack on a router built to withstand the attack

Used to monitor attack noise, scans, data from misconfiguration and other activity (via the advertisement of default or illegal IP space)

Traffic is typically diverted via BGP route advertisements and policies

Leverage instrumentation in a controlled environment

Pull the traffic past analyzers/analysis tools


Adaptive Control Technology

Threat Mitigation Service (TMS) is a framework for rapid network-wide distribution and response to threats

Near real time threat response

Threat Information Distribution Protocol (TIDP) transports messages containing abstract information about threats and suggested remedial actions

Threat Information Message (TIM)

Devices are provisioned with policies for enforcement of traffic and response actions

Access Control List

Traffic Redirection

Next Generation Rapid Threat Containment and Response



Threat Information Distribution Protocol

TIM is distributed from the Threat Mitigation Service (TMS) controller to TIDP consumers

Threat Information Message identifies the threat

TIM is created in a threat definition file using XML

Messages are authenticated, encrypted, and have replay protection

Receiving devices are configured with unique policies

Device uses local policy to convert TIMs into dynamic policy enforcement


Threat Containment Using ACT

TIDP is a protocol that allows for the quick distribution of information about network-based threats

All TIDP-enabled nodes use the payload content according to their own configuration and translate it to enforce appropriate actions

[Diagram: TIM generation via CLI / SDM on the TIDP controller; TIMs distributed over the Threat Information Distribution Protocol to devices with a rules engine local to each device (intelligence resides in end point devices); NMS/syslog server for logging. TIM = Threat Information Message]



Automated Signature Extraction (ASE/DASE)

Dynamically extracts signatures for potential malware without need for human intervention

Utilizes a Sensor Collector architecture

Linux-based Collector and TIDP (TMS) for message exchange

Available in 12.4(15)T

Automatic Signature Extraction
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/htautosg.html


Complementary Sessions

BRKSEC-2001: Emerging Threats

BRKSEC-2006: Inside the Perimeter: Six Steps to Improving Your Security Monitoring

BRKSEC-2002: Understanding and Preventing Layer 2 Attacks

BRKSEC-2020: Firewall Design and Deployment

BRKSEC-2030: Deploying Network-Based Intrusion Prevention Systems



Q and A


Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press®

Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store



Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes; winners announced daily

Receive 20 Passport points for each session evaluation you complete

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
