* 1. Switch Flooding 2. Chains traversal
From: venkata subramanian @ 2005-09-14 4:35 UTC (permalink / raw)
To: netfilter
Hi,
1. Switch Flooding
We have a nice problem in our organisation. Due to viruses,
some Windows machine or the other starts flooding the network with
packets. And, in the end, one of our switches comes down, forcing us to
manually restart the switch.
I don't (intuitively) see how iptables can help in this
scenario.... But I want to know whether any solution exists to this.
If I make all the machines' gateway a Linux system and rate limit
the packets there, will it help?
2. Chain traversal
Why does this chain traversal look so complicated? If there is
at least one rule in every built-in chain, it seems that there are many
possible permutations of the chain traversal. How do you guys manage
with it?
* Re: 1. Switch Flooding 2. Chains traversal
From: /dev/rob0 @ 2005-09-14 6:05 UTC (permalink / raw)
To: netfilter
On Tuesday 2005-September-13 23:35, venkata subramanian wrote:
> 1. Switch Flooding
> We have a nice problem in our organisation. Due to viruses,
> some Windows machine or the other starts flooding the network with
> packets. And, in the end, one of our switches comes down, forcing us to
> manually restart the switch.
What kind of traffic is it? I've not seen layer 2 problems with viral
machines. Maybe we caught ours before it got that bad.
> I don't (intuitively) see how iptables can help in this
> scenario.... But I want to know whether any solution exists to this.
Don't allow Windows machines out to the Internet. :)
Unless you're going to have firewalls between the infected machines and
the switches, I don't think you can stop it that way.
> If I make all the machines' gateway a Linux system and rate limit
> the packets there, will it help?
Most of these infections are either spyware or spamware (or both). The
spamware can be slowed down (but not stopped) by not allowing Windows
clients out on 25/tcp.
Spyware generally phones home on port 80/tcp, although this is not a
sure thing. HTTP proxying can control this. Both the SMTP and HTTP
controls can help identify infected machines for reinstallation.
I use DNS poisoning to limit the damage at some sites. My nameserver
claims authority for certain known hostile domains, and points a
wildcard A record at an internal server. The httpd error logs at that
server rapidly fill up with 404's when infected machines are running.
> 2. Chain traversal
> Why does this chain traversal look so complicated? If there is
Power! :)
> at least one rule in every built-in chain, it seems that there are many
> possible permutations of the chain traversal.
For any given packet, no, it can only come out one way. (This offer
void, where taxed or prohibited by law, or where you're using limiting
or strange stuff like fuzzy or random matching.)
It's handy, also, knowing that each packet only hits one of the
built-in chains. (With the caveat that loopback packets hit OUTPUT on
the way out and then INPUT on the way in.)
> How do you guys manage with it?
Think of it like a programming language. That's a good analogy. You
check for conditions and branch based upon the results.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
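The DNS sinkhole described above only pays off if someone actually reads the sinkhole httpd's logs, so here is an added example (not from the thread or from /dev/rob0) that turns them into a list of internal hosts to go and fix. It assumes a custom Apache LogFormat that records the requested Host header, and the zone names and log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Zones the sinkhole nameserver claims authority for (constructed names;
# the thread does not list the actual hostile domains).
SINKHOLED_ZONES = ("badware.example", "spyware-home.example")

# Assumed Apache LogFormat on the sinkhole httpd, chosen so the requested
# Host header is logged:  "%h %t \"%{Host}i\" \"%r\" %>s"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] "(?P<host>[^"]*)" '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3})$'
)

# Constructed sample lines, not real data from the thread.
SAMPLE_LOG = """\
10.1.4.23 [14/Sep/2005:04:12:01 +0000] "update.badware.example" "GET /cgi-bin/update.php?id=1 HTTP/1.1" 404
10.1.4.23 [14/Sep/2005:04:12:03 +0000] "c2.badware.example" "GET /gate.php HTTP/1.1" 404
10.1.7.8 [14/Sep/2005:04:13:15 +0000] "sinkhole.corp.example" "GET /index.html HTTP/1.1" 200
10.1.4.23 [14/Sep/2005:04:15:44 +0000] "x9.spyware-home.example" "POST /report.asp HTTP/1.1" 404
10.1.9.101 [14/Sep/2005:04:16:02 +0000] "badware.example" "GET /ping HTTP/1.0" 404
garbage line that the parser must skip
"""

def in_sinkholed_zone(host):
    """True if host is one of the sinkholed zones or any name below one
    (the wildcard A record catches every subdomain, so match by suffix)."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in SINKHOLED_ZONES)

def parse_line(line):
    """Parse one log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def suspect_hosts(log_text):
    """Return {client_ip: summary} for clients that reached a sinkholed zone."""
    report = defaultdict(lambda: {"requests": 0, "domains": set(), "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not in_sinkholed_zone(rec["host"]):
            continue  # malformed line, or legitimate traffic to the sinkhole box
        entry = report[rec["client"]]
        entry["requests"] += 1
        entry["domains"].add(rec["host"].lower())
        entry["last"] = rec["time"]  # most recent sighting, for the site visit
    return dict(report)

def ranked(log_text):
    """Client IPs ordered by request count, busiest first."""
    rep = suspect_hosts(log_text)
    return sorted(rep, key=lambda ip: rep[ip]["requests"], reverse=True)
```

Feeding the real log file to `suspect_hosts` gives the list of machines to pull off the network, without visiting hosts that never phoned home.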
* Re: 1. Switch Flooding 2. Chains traversal
From: lst_hoe01 @ 2005-09-14 9:42 UTC (permalink / raw)
To: netfilter
Quoting venkata subramanian <venkatasubramanian@gmail.com>:
> Hi,
> 1. Switch Flooding
> We have a nice problem in our organisation. Due to viruses,
> some Windows machine or the other starts flooding the network with
> packets. And, in the end, one of our switches comes down, forcing us to
> manually restart the switch.
> I don't (intuitively) see how iptables can help in this
> scenario.... But I want to know whether any solution exists to this.
> If I make all the machines' gateway a Linux system and rate limit
> the packets there, will it help?
Use a better switch. We once had a cheap 3Com (4300, 48 ports) which had
the same behavior with a ping flood to many invalid IP addresses. I guess
it was an error with the ARP handling. Once the switch was replaced by a
4400-48 (which is really 3Com, not re-branded crap) the problem was gone.
Best solution is of course to fix the virus-machines in your network.
Regards
Andreas
* Re: 1. Switch Flooding 2. Chains traversal
From: R. DuFresne @ 2005-09-14 19:42 UTC (permalink / raw)
To: lst_hoe01; +Cc: netfilter
On Wed, 14 Sep 2005 lst_hoe01@kwsoft.de wrote:
> Quoting venkata subramanian <venkatasubramanian@gmail.com>:
>
>> Hi,
>> 1. Switch Flooding
>> We have a nice problem in our organisation. Due to viruses,
>> some Windows machine or the other starts flooding the network with
>> packets. And, in the end, one of our switches comes down, forcing us to
>> manually restart the switch.
>> I don't (intuitively) see how iptables can help in this
>> scenario.... But I want to know whether any solution exists to this.
>> If I make all the machines' gateway a Linux system and rate limit
>> the packets there, will it help?
>
> Use a better switch. We once had a cheap 3Com (4300, 48 ports) which had
> the same behavior with a ping flood to many invalid IP addresses. I guess
> it was an error with the ARP handling. Once the switch was replaced by a
> 4400-48 (which is really 3Com, not re-branded crap) the problem was gone.
> Best solution is of course to fix the virus-machines in your network.
>
Interesting, all sorts of advice and suggestions, except the real answer,
which would entertain the idea of finding the offending, perhaps infected
system(s) and fixing them or taking them off the network till fixed.
In seeking other solutions to this problem I get the impression there are
other problems in the institution itself that need to be rectified.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
* Re: 1. Switch Flooding 2. Chains traversal
From: lst_hoe01 @ 2005-09-15 8:56 UTC (permalink / raw)
To: netfilter
Quoting "R. DuFresne" <dufresne@sysinfo.com>:
> On Wed, 14 Sep 2005 lst_hoe01@kwsoft.de wrote:
>
>> Quoting venkata subramanian <venkatasubramanian@gmail.com>:
>>
>>> Hi,
>>> 1. Switch Flooding
>>> We have a nice problem in our organisation. Due to viruses,
>>> some Windows machine or the other starts flooding the network with
>>> packets. And, in the end, one of our switches comes down, forcing us to
>>> manually restart the switch.
>>> I don't (intuitively) see how iptables can help in this
>>> scenario.... But I want to know whether any solution exists to this.
>>> If I make all the machines' gateway a Linux system and rate limit
>>> the packets there, will it help?
>>
>> Use a better switch. We once had a cheap 3Com (4300, 48 ports) which
>> had the same behavior with a ping flood to many invalid IP addresses.
>> I guess it was an error with the ARP handling. Once the switch was
>> replaced by a 4400-48 (which is really 3Com, not re-branded crap) the
>> problem was gone.
>> Best solution is of course to fix the virus-machines in your network.
>>
>
>
> Interesting, all sorts of advice and suggestions, except the real
> answer, which would entertain the idea of finding the offending,
> perhaps infected system(s) and fixing them or taking them off the
> network till fixed.
You have not read my posting until the end ...
"Best solution is of course to fix the virus-machines in your network"
Regards
Andreas
* Re: 1. Switch Flooding 2. Chains traversal
From: /dev/rob0 @ 2005-09-15 12:02 UTC (permalink / raw)
To: netfilter
On Thursday 2005-September-15 03:56, lst_hoe01@kwsoft.de wrote:
snip
> >> Best solution is of course to fix the virus-machines in your
> >> network.
> >
> > Interesting, all sorts of advice and suggestions, except the real
> > answer, which would entertain the idea of finding the offending,
> > perhaps infected system(s) and fixing them or taking them off the
> > network till fixed.
>
> You have not read my posting until the end ...
>
> "Best solution is of course to fix the virus-machines in your
> network"
Yes, that was puzzling. The very answer he said was missing, quoted. I
too suggested ideas to locate the machines which needed to be fixed. I
did not have the impression that the OP was unaware that these machines
needed to be fixed.
When we had a problem with viruses, our issue was in finding the
perpetrators without making personal visits (even via VNC) to each
machine (even non-infected ones.)
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: 1. Switch Flooding 2. Chains traversal
From: Taylor, Grant @ 2005-09-14 16:27 UTC (permalink / raw)
To: netfilter
venkata subramanian wrote:
> Hi,
> 1. Switch Flooding
> We have a nice problem in our organisation. Due to viruses,
> some Windows machine or the other starts flooding the network with
> packets. And, in the end, one of our switches comes down, forcing us to
> manually restart the switch.
> I don't (intuitively) see how iptables can help in this
> scenario.... But I want to know whether any solution exists to this.
> If I make all the machines' gateway a Linux system and rate limit
> the packets there, will it help?
>
> 2. Chain traversal
> Why does this chain traversal look so complicated? If there is
> at least one rule in every built-in chain, it seems that there are many
> possible permutations of the chain traversal. How do you guys manage
> with it?
Basically you are dealing with a different issue when a switch cannot handle things. Seeing as how the switch is (usually) the device that all your client computers are connected to, and then uplinked in to your firewall / router, the firewall / router will not be able to do much for you at all if the problem is in the physical path before the traffic reaches it. The best thing that I can think of would be to find out why the switch failed and possibly replace it.
If it was b/c of the ARPing issue mentioned by lst_hoe01, you may want to see if you could not have a process run on your firewall / router (or another system) that would answer all the ARP requests and receive the traffic so that the switch did not get confused and thus crash. But that is not a very nice thing to do to a system anyway. In short, sniff the traffic and see if it is something that can be mitigated. You may want to look at putting an IDS in place to detect the traffic and respond to it before your switch goes down (presuming that there was a degradation period before the switch crashed). You may be able to have an IDS detect that a port is going nuts and shut it down via SNMP management to the switch that it is connected to.
Grant. . . .