Has Anyone Seen This . . .

scbbni
Level 1

On Monday our network was severely degraded. The inside of our firewall was getting hammered by thousands of UDP packets (port number 445) with a source and destination address of 127.0.0.1.

We isolated the router that was forwarding the packets and rebooted it. Unfortunately we did not have enough time to deploy to the remote site and put a sniffer on the network to help us further isolate the originating device. Upon doing so the traffic stopped. However, I'm skeptical that this actually fixed the problem. I suspect that it's a virus and will return and start flooding my network again. I'm also at a loss as to why the router was even forwarding traffic to the gateway router and eventually on to the firewall, as 127.0.0.1 should never be propagated.

Has anyone ever seen this problem or know what might have caused it? Unfortunately our local Cisco engineer was also at a loss.
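The post above describes needing a sniffer on the remote segment to find the originating device. Since the IP source is spoofed to 127.0.0.1, the only reliable handle is the layer-2 source MAC of the frames. The following is an added example and not code from the original thread: it parses a few constructed `tcpdump -e -n` style lines (the timestamps, MACs and addresses are made up), flags frames whose source falls in the bogon ranges from the ACL discussed later in the thread or whose destination is UDP 445, and tallies them by source MAC so the host can be traced to a switch port with `show mac address-table`.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of `tcpdump -e -n` output; not a real capture.
SAMPLE_CAPTURE = """\
10:02:11.001 00:1a:2b:3c:4d:5e > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 127.0.0.1.1034 > 127.0.0.1.445: UDP, length 18
10:02:11.002 00:1a:2b:3c:4d:5e > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 127.0.0.1.1034 > 127.0.0.1.445: UDP, length 18
10:02:11.003 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 10.1.5.20.52000 > 10.1.1.10.53: UDP, length 56
10:02:11.004 00:1a:2b:3c:4d:5e > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 127.0.0.1.1034 > 127.0.0.1.445: UDP, length 18
10:02:11.005 00:de:ad:be:ef:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 10.1.5.77.3107 > 10.1.1.50.445: TCP, length 0
"""

# Source ranges that should never appear on a LAN segment (same set as the edge ACL in this thread).
BOGON_SOURCES = [ip_network(n) for n in
                 ("127.0.0.0/8", "192.0.2.0/24", "224.0.0.0/3", "255.255.255.255/32")]

# Matches: <ts> <src mac> > <dst mac>, ... : <sip>.<sport> > <dip>.<dport>: <UDP|TCP>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),"
    r".*?:\s+"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<proto>UDP|TCP)",
    re.IGNORECASE,
)


def parse_capture(text):
    """Yield one dict per line that has the expected tcpdump -e -n shape; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["sport"] = int(pkt["sport"])
            pkt["dport"] = int(pkt["dport"])
            yield pkt


def is_suspicious(pkt, flood_port=445):
    """True if the IP source is a bogon (e.g. spoofed 127.0.0.1) or the frame is UDP to flood_port."""
    src = ip_address(pkt["sip"])
    spoofed_source = any(src in net for net in BOGON_SOURCES)
    udp_flood = pkt["proto"].upper() == "UDP" and pkt["dport"] == flood_port
    return spoofed_source or udp_flood


def suspects_by_mac(text, flood_port=445):
    """Count suspicious frames per layer-2 source MAC; the top entry is the host to go and find."""
    counts = Counter()
    for pkt in parse_capture(text):
        if is_suspicious(pkt, flood_port):
            counts[pkt["smac"].lower()] += 1
    return counts


def to_cisco_mac(mac):
    """Convert aa:bb:cc:dd:ee:ff to the hhhh.hhhh.hhhh form IOS expects in `show mac address-table address`."""
    digits = mac.replace(":", "").lower()
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


if __name__ == "__main__":
    for mac, n in suspects_by_mac(SAMPLE_CAPTURE).most_common():
        print(f"{mac}: {n} suspicious frames -> show mac address-table address {to_cisco_mac(mac)}")
```

Run it against a real capture by replacing SAMPLE_CAPTURE with the output of `tcpdump -e -n -i <iface> 'udp port 445 or src net 127.0.0.0/8'`; the MAC it reports is the one to look up on the access switch, which is what the spoofed IP header cannot tell you.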

5 Replies

JORGE RODRIGUEZ
Level 10

This is one of the reasons you filter at the edge facing internet..

access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any

Here you will find examples of protection guidelines.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

If this is something that happened from the inside, then after finding the source system you would have to block that UDP port through an ACL at the perimeter where it is coming from, as a temporary measure until you spot/fix that system. Then remove the ACL if it is no longer a threat.

HTH

Jorge

Jorge Rodriguez

Jorge,

Thanks for the response. It was definitely coming from inside my network. I've got an access list blocking the 127.0.0.0 network and UDP port 445 on my internal 7206 router. I'm also logging hits against the ACL. Over the last two days I have not seen any hits.

What I'm confused by is what would cause this? Do you know of an existing virus with similar symptoms?

Actually, as I recall, I heard of this from a colleague a few years ago at another company; it turned out to be a client PC infected with a virus accessing a SQL server.

I found the email, but no link, so here is a thread of the information. Although it indicates TCP, there may be another using UDP. Check with Symantec for any info.

////////////////

The CERT/CC is receiving reports of widespread activity related to a new piece of malicious code known as W32/Blaster. This worm appears to exploit known vulnerabilities in the Microsoft Remote Procedure Call (RPC) Interface.

I. Description

The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.

Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026.

Lab testing has confirmed that the worm includes the ability to launch a TCP SYN flood denial-of-service attack against windowsupdate.com. We are investigating the conditions under which this attack might manifest itself. Unusual or unexpected traffic to windowsupdate.com may indicate an infection on your network, so you may wish to monitor network traffic.

Sites that do not use windowsupdate.com to manage patches may wish to block outbound traffic to windowsupdate.com. In practice, this may be difficult to achieve, since windowsupdate.com may not resolve to the same address every time. Correctly blocking traffic to windowsupdate.com will require detailed understanding of your network routing architecture, system management needs, and name resolution environment. You should not block traffic to windowsupdate.com without a thorough understanding of your operational needs.

We have been in contact with Microsoft regarding this possibility of this denial-of-service attack.

II. Impact

A remote attacker could exploit these vulnerabilities to execute arbitrary code with Local System privileges or to cause a denial-of-service condition.

Jorge Rodriguez

bjw
Level 4

Port 445 is a frequent target of bad guys.

See:

http://isc.sans.org/port.html?port=445

It's all there in bjw's link, good info.

Jorge Rodriguez