IDS mailing list archives

RE: Router/Switches and viruses


From: THolman () toplayer com
Date: Thu, 19 May 2005 20:11:28 -0400

Hi Aseeker,

I've worked with several worm breakouts and multiple DDOS attacks over the
past year.  Switches are generally not a problem (although bear in mind some
low end switches will have problems with volume), but ROUTERS are.
Most of the time, a low-end router will need to have ACLs disabled in order
to stay up.  A router is designed to forward traffic, rather than process
the traffic according to an ACL, and then forward it.  ACLs take up a lot of
resource.  If you then pass multiple-source volumes of traffic through such
a router, you will kill it.
I have seen a single desktop machine take out a switch though, but only as
it was a source of a broadcast storm, and was plugged twice into the same
switch...
To prevent such an outage, make sure your L2 and L3 infrastructure can
handle the maximum packets per second that each device can throw at it...
If you run out of capacity, turn to Foundry or Extreme.
To mitigate the effects of such a 'rogue' PC, ensure you have things like
STP enabled to cut out loops, and also segregate PCs into disparate LANs, and
place an IPS in between to mitigate/stop the propagation of zero-day
worms/viruses.
From what you've said, it is more network design that is your potential
problem.  A NIDS and Sniffer will help you out in the long run as means of
forensics, but only an IPS will PROTECT your networks if you deem that
through risk analysis, this is protection you cannot do without.

Regards,

Tim 

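As an added illustration of the capacity and loop points Tim makes (this is example code written for this archive page, not anything from the thread or from Top Layer): it computes the worst-case packets per second each access port can emit at minimum frame size, compares the aggregate against a device's forwarding capacity, and flags two symptoms of a looped or storming host in constructed counter samples. Port names, link speeds, counters, MAC addresses and the router's forwarding figure are all assumed values.

```python
"""Capacity check and storm/loop indicators for a small L2/L3 edge.
Constructed data; the 200,000 pps router figure is a made-up datasheet number."""

PREAMBLE_IFG_BYTES = 20  # 8-byte preamble/SFD + 12-byte inter-frame gap per frame


def max_pps(link_mbps: float, frame_bytes: int = 64) -> float:
    """Theoretical maximum frames/second a port can carry at a given frame size.
    Minimum-size (64-byte) frames are the worst case: ~148,810 pps on 100 Mbps."""
    return link_mbps * 1_000_000 / ((frame_bytes + PREAMBLE_IFG_BYTES) * 8)


def aggregate_max_pps(link_mbps_by_port: dict) -> float:
    """Worst case if every port floods at once, e.g. during a worm outbreak."""
    return sum(max_pps(mbps) for mbps in link_mbps_by_port.values())


def is_undersized(forwarding_pps: float, link_mbps_by_port: dict) -> bool:
    """True when the device cannot forward line-rate small packets from every port.
    Use the device's figure with ACLs applied, which is lower than raw forwarding."""
    return forwarding_pps < aggregate_max_pps(link_mbps_by_port)


def storm_ports(broadcast_pps_by_port: dict, link_mbps_by_port: dict, ratio: float = 0.5):
    """Ports whose broadcast rate exceeds `ratio` of their own line-rate maximum."""
    return sorted(port for port, pps in broadcast_pps_by_port.items()
                  if pps > ratio * max_pps(link_mbps_by_port[port]))


def flapping_macs(mac_learn_events):
    """MACs learned on more than one port in one sample window: the signature of a
    host plugged into the same switch twice, i.e. a loop STP is not blocking."""
    seen = {}
    for mac, port in mac_learn_events:
        seen.setdefault(mac, set()).add(port)
    return sorted(mac for mac, ports in seen.items() if len(ports) > 1)


# Constructed sample: four 100 Mbps access ports behind a low-end router.
LINKS = {"Fa0/1": 100, "Fa0/2": 100, "Fa0/3": 100, "Fa0/4": 100}
BROADCAST_PPS = {"Fa0/1": 120_000, "Fa0/2": 95_000, "Fa0/3": 300, "Fa0/4": 12}
MAC_EVENTS = [("00:11:22:33:44:55", "Fa0/1"), ("00:11:22:33:44:55", "Fa0/2"),
              ("00:aa:bb:cc:dd:ee", "Fa0/3"), ("00:11:22:33:44:55", "Fa0/1")]
ROUTER_FORWARDING_PPS = 200_000  # assumed figure for a small router with ACLs on

if __name__ == "__main__":
    print("undersized router:", is_undersized(ROUTER_FORWARDING_PPS, LINKS))
    print("storming ports:", storm_ports(BROADCAST_PPS, LINKS))
    print("flapping MACs:", flapping_macs(MAC_EVENTS))
```

With these inputs the router is undersized (four ports can offer ~595,000 pps against 200,000), Fa0/1 and Fa0/2 are flagged as storming, and the MAC seen on both Fa0/1 and Fa0/2 is reported as flapping.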

-----Original Message-----
From: Seek Knowledge [mailto:aseeker03 () yahoo com] 
Sent: 03 May 2005 22:41
To: focus-ids () securityfocus com
Subject: Router/Switches and viruses

Does anyone have any first-hand experience with a
single infected desktop machine (or windows server for
that matter) taking out a LAN switch? Would anyone
have any stories from the trenches of an infected
machine causing a directly connected router to stop
functioning?

If so, what could be done to prevent such an outage?
What IDS/IPS strategy might one implement to prevent
and/or at least detect such an event?

Thanks in advance.
ASeeker


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
