Has Anyone Seen This . . .

Jul 25th, 2007

On Monday our network was severely degraded. The inside of our firewall was getting hammered by thousands of UDP packets (port number 445) with a source and destination address of 127.0.0.1.


We isolated the router that was forwarding the packets and rebooted it. Unfortunately we did not have enough time to deploy to the remote site and put a sniffer on the network to help us further isolate the originating device. Upon doing so the traffic stopped. However, I'm skeptical that this actually fixed the problem. I suspect that it's a virus and will return and start flooding my network again. I'm also at a loss as to why the router was even forwarding traffic to the gateway router and eventually on to the firewall, as 127.0.0.1 should never be propagated.


Has anyone ever seen this problem or know what might have caused it? Unfortunately our local Cisco engineer was also at a loss.


JORGE RODRIGUEZ Wed, 07/25/2007 - 10:10

This is one of the reasons you filter at the edge facing the Internet.



! Ingress filter for the Internet-facing interface: drop packets whose
! source can never legitimately arrive from outside (loopback, TEST-NET-1,
! multicast/reserved class D and E, limited broadcast).
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
! An extended ACL ends in an implicit deny, so permit the rest explicitly,
! then apply the list inbound on the outside interface (name is a placeholder):
access-list 110 permit ip any any
! interface <outside>
!  ip access-group 110 in



Here you will find examples of protection guidelines.


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml



If this is something that happened from the inside, then after finding the source system you would have to block that UDP port through an ACL at the perimeter it is coming from, as a temporary measure until you spot/fix that system. Then remove the ACL if it is no longer a threat.



HTH

Jorge

scbbni Wed, 07/25/2007 - 10:25

Jorge,


Thanks for the response. It was definitely coming from inside my network. I've got an access list blocking the 127.0.0.0 network and UDP port 445 on my internal 7206 router. I'm also logging hits against the ACL. Over the last two days I have not seen any hits.


What I'm confused by is what would cause this? Do you know of an existing virus with similar symptoms?
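Jorge's edge filter and scbbni's logged internal ACL rely on the same two pieces: a list of address ranges that must never appear on a routed interface, and the router's log of what it dropped. The following added Python example (not code from this thread or from Cisco) renders that list as IOS access-list statements using the wildcard-mask form shown above, and triages log lines constructed in the shape of IOS %SEC-6-IPACCESSLOGP messages to sum denied packets per flow and count how many carried a martian source or destination. The 10.1.x.x addresses, list number 110 and packet counts are assumed.

```python
"""Render a martian/bogon ingress filter as IOS ACL lines and triage the
router's ACL deny log.

Added example for this thread, not code from the posters or from Cisco.
The log lines are constructed to mimic the %SEC-6-IPACCESSLOGP format that
IOS emits for ACEs carrying the "log" keyword; hosts and counts are made up.
"""
import ipaddress
import re
from collections import Counter

# Ranges that must never appear as a source on an Internet-facing interface.
# These are the four deny statements posted in the thread; RFC 1918 space
# would normally be added to the same list at an edge.
MARTIANS = [
    ipaddress.ip_network("127.0.0.0/8"),          # loopback
    ipaddress.ip_network("192.0.2.0/24"),         # TEST-NET-1
    ipaddress.ip_network("224.0.0.0/3"),          # multicast + reserved (class D/E)
    ipaddress.ip_network("255.255.255.255/32"),   # limited broadcast
]


def is_martian(addr: str) -> bool:
    """True if addr falls inside any MARTIANS prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MARTIANS)


def render_ios_acl(acl_number: int) -> list:
    """Emit 'access-list N deny ip ... any' lines.

    IOS takes a wildcard mask (the bitwise inverse of the netmask), which
    ipaddress exposes as .hostmask; a /32 is written with the 'host' keyword.
    A trailing permit is added because an extended ACL ends in an implicit deny.
    """
    lines = []
    for net in MARTIANS:
        if net.prefixlen == 32:
            lines.append(f"access-list {acl_number} deny ip host {net.network_address} any")
        else:
            lines.append(f"access-list {acl_number} deny ip {net.network_address} {net.hostmask} any")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


# Constructed log excerpt (assumed 10.1.0.0/16 internal addressing).
SAMPLE_LOG = """\
Jul 23 09:12:01.113: %SEC-6-IPACCESSLOGP: list 110 denied udp 127.0.0.1(445) -> 127.0.0.1(445), 1 packet
Jul 23 09:12:02.441: %SEC-6-IPACCESSLOGP: list 110 denied udp 127.0.0.1(445) -> 127.0.0.1(445), 812 packets
Jul 23 09:12:05.009: %SEC-6-IPACCESSLOGP: list 110 denied udp 10.1.20.17(1035) -> 10.1.1.5(445), 3 packets
Jul 23 09:12:07.250: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.1.20.18(3322) -> 10.1.1.9(80), 1 packet
"""

LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def parse_acl_log(text: str):
    """Yield one dict per recognised IPACCESSLOGP line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            yield rec


def triage(text: str):
    """Return (denied packets per (proto, src, dst, dport), packets with a martian src/dst).

    Aggregating per flow surfaces the loud talker; the martian counter tells
    you whether the offending traffic carries looped or spoofed addressing
    rather than a real internal host, which is the 127.0.0.1 -> 127.0.0.1 case.
    """
    per_flow = Counter()
    martian_pkts = 0
    for rec in parse_acl_log(text):
        if rec["action"] != "denied":
            continue
        per_flow[(rec["proto"], rec["src"], rec["dst"], rec["dport"])] += rec["count"]
        if is_martian(rec["src"]) or is_martian(rec["dst"]):
            martian_pkts += rec["count"]
    return per_flow, martian_pkts


if __name__ == "__main__":
    print("\n".join(render_ios_acl(110)))
    flows, martian = triage(SAMPLE_LOG)
    for key, n in flows.most_common():
        print(f"{n:6d}  {key[0]} {key[1]} -> {key[2]}:{key[3]}")
    print(f"martian-addressed packets denied: {martian}")
```

The per-flow table is what you would watch after adding `log` to the internal deny entries, as scbbni did: a martian-sourced flow that keeps reappearing points at a device still emitting the traffic, and the source interface of the logging router tells you which segment to sniff next.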

JORGE RODRIGUEZ Wed, 07/25/2007 - 11:12

Actually, as I recall, I heard of this from a colleague a few years ago at another company; it turned out to be a client PC infected with a virus accessing a SQL server.


I found the email, but no link, so here is a thread of the information. Although it indicates TCP, there may be another using UDP. Check Symantec for any info.


////////////////


The CERT/CC is receiving reports of widespread activity related to a new piece of malicious code known as W32/Blaster. This worm appears to exploit known vulnerabilities in the Microsoft Remote Procedure Call (RPC) Interface.

I. Description

The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026.

Lab testing has confirmed that the worm includes the ability to launch a TCP SYN flood denial-of-service attack against windowsupdate.com. We are investigating the conditions under which this attack might manifest itself. Unusual or unexpected traffic to windowsupdate.com may indicate an infection on your network, so you may wish to monitor network traffic.

Sites that do not use windowsupdate.com to manage patches may wish to block outbound traffic to windowsupdate.com. In practice, this may be difficult to achieve, since windowsupdate.com may not resolve to the same address every time. Correctly blocking traffic to windowsupdate.com will require detailed understanding of your network routing architecture, system management needs, and name resolution environment. You should not block traffic to windowsupdate.com without a thorough understanding of your operational needs.

We have been in contact with Microsoft regarding the possibility of this denial-of-service attack.

II. Impact

A remote attacker could exploit these vulnerabilities to execute arbitrary code with Local System privileges or to cause a denial-of-service condition.
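The quoted advisory describes two behaviours you can watch for on the wire: an infected host opens TCP sessions to port 135 (and possibly 139 or 445) on many neighbours while it scans, and it SYN-floods windowsupdate.com. The following added Python example (not from this thread, CERT/CC or Microsoft) runs both checks over constructed flow records: a sliding-window count of distinct destinations per source on those ports, and a count of bare SYNs toward the address assumed to be the patch site. PATCH_SITE_IP is an assumed placeholder from the documentation range; in practice you would resolve the name in your own environment, as the advisory cautions. Hosts, timestamps and counts are constructed.

```python
"""Detect worm-style propagation from flow records: scan fan-out on the
RPC/SMB ports and SYN pressure on the patch site.

Added example for this thread, not code from the posters, CERT/CC or
Microsoft. The flow records are constructed; PATCH_SITE_IP is an assumed
placeholder from the RFC 5737 documentation range, standing in for whatever
windowsupdate.com resolves to in your environment.
"""
from collections import Counter, defaultdict

WORM_PORTS = {135, 139, 445}       # vectors named in the quoted advisory
PATCH_SITE_IP = "198.51.100.10"    # assumed placeholder, not a real address


def build_sample_flows():
    """Constructed (ts_seconds, src, dst, proto, dport, tcp_flags) records."""
    flows = []
    # Infected host sweeps 60 neighbours on tcp/135 within half a minute.
    for i in range(1, 61):
        flows.append((100 + i // 2, "10.1.20.17", f"10.1.30.{i}", "tcp", 135, "S"))
    # Ordinary client opening many SMB sessions to one file server.
    for i in range(40):
        flows.append((100 + i, "10.1.20.18", "10.1.1.5", "tcp", 445, "S"))
    # The same infected host hammering the patch site with bare SYNs.
    for i in range(150):
        flows.append((130 + i // 10, "10.1.20.17", PATCH_SITE_IP, "tcp", 80, "S"))
    return flows


def scan_sources(flows, window_s=60, threshold=20):
    """Return {src: peak distinct destinations} for sources whose SYNs to
    WORM_PORTS reached more than `threshold` distinct hosts inside any
    `window_s`-second sliding window.

    Counting distinct destinations rather than packets separates a sweep
    from a busy client that talks to one server many times.
    """
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport, flags in flows:
        if proto == "tcp" and dport in WORM_PORTS and flags == "S":
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Expire events older than the window from the left edge.
            while events[left][0] < ts - window_s:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            hits[src] = peak
    return hits


def syn_flood_sources(flows, target_ips, min_syns=100):
    """Return {src: syn_count} for sources sending at least `min_syns` bare
    SYNs to any address in `target_ips`; the advisory suggests watching
    traffic toward windowsupdate.com for exactly this reason."""
    counts = Counter()
    for _ts, src, dst, proto, _dport, flags in flows:
        if proto == "tcp" and dst in target_ips and flags == "S":
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= min_syns}


if __name__ == "__main__":
    sample = build_sample_flows()
    print("scanning hosts:", scan_sources(sample))
    print("SYN-flooding hosts:", syn_flood_sources(sample, {PATCH_SITE_IP}))
```

The fan-out threshold is the knob to tune: a domain controller or backup server legitimately reaches many hosts on 445, so run the detector over a day of normal NetFlow first and set `threshold` above what your busiest legitimate talkers produce.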
