Network Security Focus-IDS

RE: Router/Switches and viruses

Subject: RE: Router/Switches and viruses
Date: Mon, 9 May 2005 08:46:23 +1000
I've seen a PSTN connected laptop user infected with blaster drop
numerous Extreme Black Diamond switches. The FDB tables fill up,
processes start running at very high CPU% and packets start getting
dropped across the switch. Eventually the switches become unreachable
and require a manual reboot.

This was due to a poorly implemented remote access policy. Using policy
based access control systems like Cisco's NAC or even restricting
protocol / host access could have prevented this. 

-----Original Message-----
From: Chris Byrd [mailto:cbyrd01@yahoo.com] 
Sent: Friday, May 06, 2005 1:09 PM
To: Seek Knowledge; focus-ids@securityfocus.com
Subject: Re: Router/Switches and viruses


I had a desktop machine on a development/lab segment infected with SQL
Slammer take out a switch.  As you might recall, Slammer created a large
volume of small UDP packets to random destination addresses.  Although
the development lab was on its own VLAN, the traffic completely
overwhelmed the switch.  This caused spanning tree to continually
recalculate the entire network topology, and switch management was
completely unavailable (except for local access).  Needless to say I
didn't have a good day.

There are several things I've learned that can be done in my opinion to
help prevent or reduce the impact of this type of attack.

First, switch management and administrative traffic (such as spanning
tree) should be on dedicated VLANs.  Use VLAN pruning to keep VLANs off
of unnecessary trunks.

Second, keep broadcast domains small and use switch functions that
suppress broadcasts.

Third, monitor network traffic levels and have a good baseline of what
is "normal".  New technologies such as NBAD - Network Behavioral Anomaly
Detection - can really help here.

Fourth, apply the concept of least privilege to your network traffic.
Why allow computers to talk to port 445 on your mail server, or
computers on different floors to talk to each other at all?

Fifth, last but not least, multiple layers of desktop security (desktop
firewall, HIPS, AV, anti-spyware) and group or local policies can help
prevent the viruses in the first place.  I found out the hard way that
unless the development lab is _really_ on a separate network, this goes
for those machines too.

- Chris

--- Seek Knowledge <aseeker03@yahoo.com> wrote:
Does anyone have any first-hand experience with a single infected
desktop machine (or windows server for that matter) taking out a LAN
switch? Would anyone have any stories from the trenches of an infected
machine causing a directly connected router to stop functioning?

If so, what could be done to prevent such an outage?
What IDS/IPS strategy might one implement to prevent and or at least 
detect such an event?

Thanks in advance.
ASeeker




------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from

CORE IMPACT.
Go to

http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.

------------------------------------------------------------------------
--









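The thread's third point (baseline what is "normal" and alert on deviations, which is what NBAD products do) and the original question about an IDS strategy that would at least detect a single host flooding a switch can be illustrated with a small baseline-and-anomaly check. The following is an added example written for this archive page, not code from any poster or product named in the thread. It assumes a constructed one-line-per-flow record format (`ts src dst proto dport pkts bytes`, as a flow collector or a switch's sampled-flow export might be reduced to), learns a per-source baseline of packets per second and destination fan-out from a quiet period, and then flags any source whose later windows exceed both baselines by a wide margin. The sample records are constructed: a minute of ordinary traffic from two hosts, followed by one host emitting many one-packet, small UDP flows to random destinations, the pattern the thread attributes to Slammer.

```python
"""Per-source traffic baseline with fan-out anomaly detection (added example).

Record format is a constructed, hypothetical one: "ts src dst proto dport pkts bytes".
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds (constructed epoch)
    src: str
    dst: str
    proto: str
    dport: int
    pkts: int
    bytes_: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'ts src dst proto dport pkts bytes' record."""
    ts, src, dst, proto, dport, pkts, nbytes = line.split()
    return Flow(int(ts), src, dst, proto, int(dport), int(pkts), int(nbytes))


def window_stats(flows, window: int = 10):
    """Aggregate flows into (src, window_index) -> (pps, distinct dsts, avg bytes/pkt)."""
    agg = defaultdict(lambda: [0, set(), 0])
    for f in flows:
        key = (f.src, f.ts // window)
        agg[key][0] += f.pkts
        agg[key][1].add(f.dst)
        agg[key][2] += f.bytes_
    return {k: (v[0] / window, len(v[1]), v[2] / v[0]) for k, v in agg.items()}


def build_baseline(stats):
    """Per source: (mean pps, stddev pps, mean fan-out, stddev fan-out) over baseline windows."""
    per_src = defaultdict(lambda: ([], []))
    for (src, _), (pps, fanout, _) in stats.items():
        per_src[src][0].append(pps)
        per_src[src][1].append(fanout)
    return {src: (mean(p), pstdev(p), mean(f), pstdev(f)) for src, (p, f) in per_src.items()}


def detect(baseline, stats, window: int = 10, k: float = 3.0,
           min_pps: float = 50.0, min_fanout: int = 20):
    """Alert when a window exceeds mean + k*stddev for BOTH rate and fan-out.

    The floors (min_pps, min_fanout) stop a flat baseline (stddev 0) from
    alerting on trivial increases; requiring both metrics reduces false
    positives from a legitimate bulk transfer to a single destination.
    """
    alerts = []
    for (src, w), (pps, fanout, avg_bytes) in sorted(stats.items()):
        if src not in baseline:
            continue  # never seen in the baseline period; handle separately in practice
        mp, sp, mf, sf = baseline[src]
        if pps > max(min_pps, mp + k * sp) and fanout > max(min_fanout, mf + k * sf):
            alerts.append({"src": src, "window_start": w * window, "pps": pps,
                           "distinct_dsts": fanout, "avg_bytes_per_pkt": round(avg_bytes, 1)})
    return alerts


def constructed_records():
    """Constructed sample: 60 s of normal traffic, then a 10 s small-UDP storm from one host."""
    lines = []
    for ts in range(0, 60, 10):
        lines.append(f"{ts} 10.1.1.10 10.1.1.5 tcp 445 20 30000")
        lines.append(f"{ts} 10.1.1.10 10.1.1.6 tcp 80 5 6000")
        lines.append(f"{ts} 10.1.1.20 10.1.1.6 tcp 80 8 9000")
    rng = random.Random(7)  # deterministic "random" destinations
    for i in range(600):
        dst = f"{rng.randrange(1, 224)}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        lines.append(f"{100 + i % 10} 10.1.1.10 {dst} udp 1434 1 404")
    lines.append("100 10.1.1.20 10.1.1.6 tcp 80 8 9000")
    return lines


def run(lines, baseline_until: int = 60):
    """Learn a baseline from records before baseline_until, then check the rest."""
    flows = [parse_flow(l) for l in lines]
    baseline = build_baseline(window_stats(f for f in flows if f.ts < baseline_until))
    live = window_stats(f for f in flows if f.ts >= baseline_until)
    return detect(baseline, live)


if __name__ == "__main__":
    for a in run(constructed_records()):
        print(f"ALERT {a['src']} @t={a['window_start']}s: {a['pps']} pps to "
              f"{a['distinct_dsts']} destinations, avg {a['avg_bytes_per_pkt']} B/pkt")
```

Only the infected host trips the check: its rate jumps from 2.5 to 60 packets per second while its fan-out goes from two destinations to hundreds, and the average packet size collapses to a few hundred bytes. The unaffected host, still talking to one server at its usual rate, produces no alert. In a real deployment the baseline would be learned per hour of day and the alert would feed the port shutdown or quarantine that the thread's NAC and least-privilege points describe.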

