I had a desktop machine on a development/lab segment
infected with SQL Slammer take out a switch. As you
might recall, Slammer created a large volume of small
UDP packets to random destination addresses. Although
the development lab was on it's own VLAN, the traffic
completly overwhelmed the switch. This caused
spanning tree to continually recalcuate the entire
network topology, and switch management was completly
unavailable (except for local access). Needless to
say I didn't have a good day.
There are several things I've learned that can be done
in my opinion to help prevent or reduce the imact of
this type of attack.
First, switch management and administrative traffic
(such as spanning tree) should be on dedicated VLANs.
Use VLAN pruning to keep VLANs off of unnecessary
trunks.
Second, keep broadcast domains small and use switch
functions that supress broadcasts.
Third, monitor network traffic levels and have a good
baseline of what is "normal". New technolgoies such
as NBAD - Network Behavioral Anomaly Detection - can
really help here.
Fourth, apply the concept of least privilege to your
network traffic. Why allow computers to talk to port
445 on your mail server, or computers on different
floors to talk to each other at all?
Fifth, last but not least, mutliple layers of desktop
security (desktop firewall, HIPS, AV, anti-spyware)
and group or local policies can help prevent the
viruses in the first place. I found out the hard way
that unless the development lab is _really_ on a
seperate network, this goes for those machines too.
- Chris
--- Seek Knowledge <aseeker03@yahoo.com> wrote:
Does anyone have any first-hand experience with a
single infected desktop machine (or windows server
for
that matter) taking out a LAN switch? Would anyone
have any stories from the trenches of an infected
machine causing a directly connected router to stop
functioning?
If so, what could be done to prevent such an outage?
What IDS/IPS strategy might one implement to prevent
and or at least detect such an event?
Thanks in advance.
ASeeker
________________________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping"
your friends today! Download Messenger Now
http://uk.messenger.yahoo.com/download/index.html
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with
real-world attacks from
CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
__________________________________
Yahoo! Mail Mobile
Take Yahoo! Mail with you! Check email on your mobile phone.
http://mobile.yahoo.com/learn/mail
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
