07-25-2007 06:42 AM - edited 03-05-2019 05:29 PM
On Monday our network was severely degraded. The inside of our firewall was getting hammered by thousands of UDP packets (port number 445) with a source and destination address of 127.0.0.1.
We isolated the router that was forwarding the packets and rebooted it. Unfortunately we did not have enough time to deploy to the remote site and put a sniffer on the network to help us further isolate the originating device. Upon doing so the traffic stopped. However, I'm skeptical that this actually fixed the problem. I suspect that it's a virus and will return and start flooding my network again. I'm also at a loss as to why the router was even forwarding traffic to the gateway router and eventually on to the firewall, as 127.0.0.1 should never be propagated.
Has anyone ever seen this problem or know what might have caused it? Unfortunately our local Cisco engineer was also at a loss.
07-25-2007 10:10 AM
This is one of the reasons you filter at the edge facing the Internet..
access-list 110 remark drop bogon sources at the Internet edge (apply inbound)
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 remark without this line the implicit deny would drop all other traffic
access-list 110 permit ip any any
Here you find examples of protection guidelines.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
If this is something that happened from the inside, after finding out the source system you would have to block that UDP port through an ACL at the perimeter where it is coming from, as a temporary measure until you spot/fix that system. Then remove the ACL if it is no longer a threat.
HTH
Jorge
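A worked example added here, not part of Jorge's post or of the Cisco document he links: if you do get a sniffer onto the remote segment, a forged 127.0.0.1 header says nothing about who sent it, but the source MAC address does, and that MAC can be looked up in the switch CAM table. The script below parses tcpdump -e -n style lines (that line layout is an assumption), counts UDP/445 packets whose source falls in the same prefixes the ACL above denies, and groups them by source MAC. It goes a little beyond the post by keying on the link-layer address rather than the IP header; the sample capture lines are constructed, not a real trace.

```python
import ipaddress
import re
from collections import Counter

# The same prefixes the ACL above denies, converted from IOS wildcard masks
# to CIDR: 0.255.255.255 -> /8, 0.0.0.255 -> /24, 31.255.255.255 -> /3, host -> /32.
BOGON_PREFIXES = [
    ipaddress.ip_network("127.0.0.0/8"),          # loopback: never valid on the wire
    ipaddress.ip_network("192.0.2.0/24"),         # TEST-NET-1 (documentation)
    ipaddress.ip_network("224.0.0.0/3"),          # multicast and class E as a *source*
    ipaddress.ip_network("255.255.255.255/32"),   # limited broadcast
]

# Assumed line layout: tcpdump -e -n (link-layer header, no name resolution).
# UDP shows as "UDP, length N"; TCP shows as "Flags [..]".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),"
    r".*?: (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<l4>UDP|Flags)"
)

def is_bogon_source(ip):
    """True if ip falls in a prefix that should never appear as a source."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_PREFIXES)

def parse_line(line):
    """Return a dict for an IPv4 UDP/TCP line, or None for anything else (ARP, etc.)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["proto"] = "UDP" if pkt.pop("l4") == "UDP" else "TCP"
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt

def spoofed_flood_by_mac(lines, port=445, proto="UDP"):
    """Count packets with a bogon source aimed at port/proto, keyed by source MAC.
    Once the IP header is forged, the source MAC (or the switch port it maps to)
    is the only thing on the segment that still identifies the sender."""
    by_mac = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["proto"] != proto or pkt["dport"] != port:
            continue
        if is_bogon_source(pkt["sip"]):
            by_mac[pkt["smac"]] += 1
    return by_mac

def top_talker(lines, port=445, proto="UDP"):
    """Source MAC sending the most spoofed packets, or None if there are none."""
    counts = spoofed_flood_by_mac(lines, port, proto)
    return counts.most_common(1)[0][0] if counts else None

# Constructed sample capture, not real data: one host hammering 127.0.0.1:445,
# one legitimate SMB SYN, an ARP request, and a single stray packet from a second host.
SAMPLE_CAPTURE = [
    "10:42:01.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 127.0.0.1.1234 > 127.0.0.1.445: UDP, length 18",
    "10:42:01.000002 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 127.0.0.1.1234 > 127.0.0.1.445: UDP, length 18",
    "10:42:01.000003 00:11:22:33:44:77 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 10.1.1.5.49152 > 10.1.1.10.445: Flags [S], seq 1, win 8192, length 0",
    "10:42:01.000004 00:11:22:33:44:88 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.1.1.1 tell 10.1.1.9, length 28",
    "10:42:01.000005 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 127.0.0.1.1234 > 127.0.0.1.445: UDP, length 18",
    "10:42:01.000006 00:11:22:33:44:66 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 127.0.0.1.1234 > 127.0.0.1.445: UDP, length 18",
]

if __name__ == "__main__":
    for mac, n in spoofed_flood_by_mac(SAMPLE_CAPTURE).most_common():
        print(f"{mac}  {n} spoofed UDP/445 packets")
    print("look up in CAM table:", top_talker(SAMPLE_CAPTURE))
```

Feed it a real capture with `tcpdump -e -n -i <iface> udp port 445 | python3 script.py` style piping (adapt the `__main__` block to read stdin) and the MAC with the highest count is the host to pull off the network; a unicast destination MAC of the router is also a useful sanity check that the packets really are being sent to the gateway rather than just leaking onto the segment.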
07-25-2007 10:25 AM
Jorge,
Thanks for the response. It was definitely coming from inside my network. I've got an access list blocking the 127.0.0.0 network and UDP port 445 on my internal 7206 router. I'm also logging hits against the ACL. Over the last two days I have not seen any hits.
What I'm confused by is what would cause this? Do you know of an existing virus with similar symptoms?
07-25-2007 11:12 AM
Actually, as I recall, I heard of this from another colleague a few years ago in another company; it turned out to be a client PC infected with a virus accessing a SQL server.
I found the email but no link, so here is the text of the information. Although it indicates TCP, there may be another variant using UDP; check Symantec for any info.
////////////////
The CERT/CC is receiving reports of widespread activity related to a
new piece of malicious code known as W32/Blaster. This worm appears to
exploit known vulnerabilities in the Microsoft Remote Procedure Call
(RPC) Interface.
I. Description
The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC
interface as described in VU#568148 and CA-2003-16. Upon successful
execution, the worm attempts to retrieve a copy of the file
msblast.exe from the compromising host. Once this file is retrieved,
the compromised system then runs it and begins scanning for other
vulnerable systems to compromise in the same manner. In the course of
propagation, a TCP session to port 135 is used to execute the attack.
However, access to TCP ports 139 and 445 may also provide attack
vectors and should be considered when applying mitigation strategies.
Microsoft has published information about this vulnerability in
Microsoft Security Bulletin MS03-026.
Lab testing has confirmed that the worm includes the ability to launch
a TCP SYN flood denial-of-service attack against windowsupdate.com. We
are investigating the conditions under which this attack might
manifest itself. Unusual or unexpected traffic to windowsupdate.com
may indicate an infection on your network, so you may wish to monitor
network traffic.
Sites that do not use windowsupdate.com to manage patches may wish to
block outbound traffic to windowsupdate.com. In practice, this may be
difficult to achieve, since windowsupdate.com may not resolve to the
same address every time. Correctly blocking traffic to
windowsupdate.com will require detailed understanding of your network
routing architecture, system management needs, and name resolution
environment. You should not block traffic to windowsupdate.com without
a thorough understanding of your operational needs.
We have been in contact with Microsoft regarding this possibility of
this denial-of-service attack.
II. Impact
A remote attacker could exploit these vulnerabilities to execute
arbitrary code with Local System privileges or to cause a
denial-of-service condition.
07-25-2007 10:49 AM
07-25-2007 11:19 AM
In Bjw's link it is all there, good info.