MyDoom Tutorial Comments

Discussion in 'Cisco' started by Jim Saunders, Feb 11, 2004.

  1. Jim Saunders (Guest)

    Hello All,

    I am basically asking for your comments on a little tutorial I have written
    on how to block (or at least slow down) the MyDoom virus using a Cisco
    router.

    On my website front page http://www.jlsnet.co.uk/ (or see below) I have
    written what I think are a few possibilities on how to block three aspects
    of the virus, namely Blocking ports 3127 - 3198, blocking kazaa on ports
    udp/tcp 1214, and blocking unauthorised SMTP servers.

    I would greatly appreciate your comments on this tutorial, whether you think
    that I am on the right track with this, or if you have any other comments
    or tips to help block MyDoom.

    I am still really a cisco beginner and have started this site to help the
    average beginner cisco home network user like me, as at times the Cisco site
    can get a bit overwhelming.

    thank you for your help,

    Jim

    Copy from my website...
    =================================

    For all those looking for a way in which to block the W32/MyDoom (and
    Cousins) virus which is spreading fast across the internet, as far as I know
    there is not really any way in which you can use a Cisco router to block the
    actual virus transported within emails, in the same way in that there was no
    easy way to block the W32/Swen virus a few months ago. But you can block
    some of its actions. Looking at the F-Secure virus description .....
    "Mydoom is a worm that spreads over email and Kazaa p2p network."
    and
    "This file will sequentially open TCP ports from 3127 to 3198, listening on
    them for incoming connections. One of the possibilities this backdoor offers
    is to receive an additional executable and run it on the already infected
    machine. "
    So, blocking Kazaa which uses port 1214 and blocking ports 3127 - 3198 may
    be one idea...

    # Block Kazaa File Sharing
    access-list 101 deny tcp any any eq 1214
    access-list 101 deny udp any any eq 1214
    # Block MyDoom Ports
    access-list 101 deny tcp any any range 3127 3198

    # Allow all other traffic
    access-list 101 permit ip any any

    The config above will block all traffic, to and from any ip address (0.0.0.0
    255.255.255.255) using the specific ports used by MyDoom. Since one other
    way that MyDoom propagates itself is via mass emailing, one other thing you
    could do is block all unauthorised traffic to unknown SMTP (Small Mail
    Transfer Protocol) servers, allowing only mail to be sent through a handful
    of known servers.

    # Block Unauthorised SMTP
    access-list 101 deny tcp any any eq 25
    # Allow Authorised SMTP Server Only
    access-list 101 permit tcp x.x.x.x x.x.x.x x.x.x.x x.x.x.x eq 25

    Where x.x.x.x are the IP/NetMask addresses of the authorised SMTP server and
    the network addresses of the network.

    now apply this to your external interface...
    interface Ethernet0/1
    ip access-group 101 out
    ip access-group 101 in

    You may also want to add "log" to the end of the access-list statements
    above, so you can see whether or not the virus is active and attempting to
    use these ports. Be aware that the ports 3127 - 3198 may be used for
    legitimate traffic, in which case this solution would cause problems.
    Please note: I do not claim to be an expert and this is by no means THE
    solution to blocking the virus, it is only a quick workaround to part of the
    problem. The best way to block such email viruses would be to block them at
    their source, i.e. the Email servers.
     
    Jim Saunders, Feb 11, 2004
    #1

  2. Francois Labreque

    Program ended abnormally on 11/02/2004 04:15, Due to a catastrophic Jim Saunders
    error:
    > Hello All,
    >
    > I am basically asking for your comments on a little tutorial I have written
    > on how to block (or at least slow down) the MyDoom virus using a Cisco
    > router.
    >


    In general, that tutorial is good and easy enough to follow, but there is a
    slight problem (which you hint on at the end of your tutorial) with your
    access-list: it will randomly block valid connections through your router. If
    the source port used by the station happens to be one of the blocked ports, the
    return traffic will be blocked. For TCP sessions, it can easily be fixed, but
    for UDP traffic it is a lot harder. If you are more concerned by the spread of
    the virus than having a timeout here and there for other things, you can leave
    the ACL as it is, but if your network has some "mission-critical" application
    that can not tolerate those timeouts, see my comments below.

    > Oh my website front page http://www.jlsnet.co.uk/ (or see below) I have
    > written what I think are a few possibilities on how to block three aspects
    > of the virus, namely Blocking ports 3127 - 3198, blocking kazaa on ports
    > udp/tcp 1214, and blocking unauthorised SMTP servers.
    >
    > I would greatly appreciate your comments on this tutorial, whether you think
    > that I am on the right tracks with this, or if you have any other comments
    > or tips to help block MyDoom
    >
    > I am still really a cisco beginner and have started this site to help the
    > average beginner cisco home network user like me, as at times the Cisco site
    > can get a bit overwhelming.
    >
    > thank you for you help,
    >
    > Jim
    >
    > Copy from my website...
    > =================================
    >


    [snip]

    >
    > # Block Kazaa File Sharing
    > access-list 101 deny tcp any any eq 1214
    > access-list 101 deny udp any any eq 1214
    > # Block MyDoom Ports
    > access-list 101 deny tcp any any range 3127 3198
    >
    > # Allow all other traffic
    > access-list 101 permit ip any any


    You should start by adding this line at the top of your access-list

    access-list 101 permit tcp any any established

    This will allow return traffic from valid TCP sessions to go through the
    access-list even though the source port of the original packet happened to fall
    in one of the blocked ranges. For example:

    From PC to www.cisco.com:

    Src add: x.x.x.x Src port: 1214
    Dest add: 198.133.219.25 Dest port: 80
    Flags: SYN

    Reply from web server:

    Src add: 198.133.219.25 Src port: 80
    Dest add: x.x.x.x Dest port: 1214
    Flags: SYN ACK

    With your original ACL, the reply would be blocked as it uses a destination port
    of 1214, but with the line I added to it, the router will see the "ACK" flag and
    let the packet through as it is a response to an earlier packet that was allowed
    out.

    Unfortunately UDP has no concept of "established" sessions, so if you want to
    block the Kazaa port while not blocking valid UDP traffic that might happen to
    use 1214 as a source port, you will have to modify your ACL according to your
    network addressing scheme and the types of UDP traffic you might want to allow
    (e.g. DNS, SNMP, syslog, etc.) For example, let's say you have a DNS and a
    network management console on your network that you want to be accessible from
    the other side of your router.

    x.x.x.1 DNS
    x.x.x.2 Mgmt console

    # Access-list 101 is to block outgoing traffic
    # This will allow DNS responses back out (IOS names port 53 "domain")
    access-list 101 permit udp host x.x.x.1 eq domain any

    # Insert your SMTP server stuff here
    # But I will comment on the ACLs required further down.

    # Block Kazaa File Sharing
    access-list 101 deny tcp any any eq 1214
    access-list 101 deny udp any any eq 1214
    # Block MyDoom Ports
    access-list 101 deny tcp any any range 3127 3198

    # Allow all other traffic
    access-list 101 permit ip any any

    # Access-list 102 is to block incoming traffic
    # Allow valid return traffic as per my earlier comment
    access-list 102 permit tcp any any established

    # Allow DNS responses
    access-list 102 permit udp any eq domain host x.x.x.1

    # Allow Network management stuff
    access-list 102 permit udp any eq snmp host x.x.x.2
    access-list 102 permit udp any eq syslog host x.x.x.2

    # Block Kazaa File Sharing
    access-list 102 deny tcp any any eq 1214
    access-list 102 deny udp any any eq 1214

    # Block MyDoom Ports
    access-list 102 deny tcp any any range 3127 3198

    # Allow all other traffic
    access-list 102 permit ip any any

    If this is an Internet-connected router, your ACL should block all kinds of
    other stuff as well, but they are outside the scope of this tutorial.

    > The config above will block all traffic, to and from any ip address (0.0.0.0
    > 255.255.255.255) using the specific ports used by MyDoom. Since one other
    > way that MyDoom propagates itself is via mass emailing, one other thing you
    > could do is block all unauthorised traffic to unknown SMTP (Small Mail
    > Transfer Protocol) servers. Allowing only mail to be sent through a handfull
    > of known servers..


    FYI, the S in SMTP stands for "simple", not "small".

    >
    > # Block Unauthorised SMTP
    > access-list 101 deny tcp any any eq 25
    > # Allow Authorised SMTP Server Only
    > access-list 101 permit tcp x.x.x.x x.x.x.x x.x.x.x x.x.x.x eq 25
    >


    That ACL is in the wrong order. ACLs are processed top-down, so all the SMTP
    traffic will be blocked by the first line and none of it will make it to the
    second line. You need to reorder it this way:

    # Allow Authorised SMTP Server Only
    access-list 101 permit tcp x.x.x.x x.x.x.x x.x.x.x x.x.x.x eq 25
    # Block Unauthorised SMTP
    access-list 101 deny tcp any any eq 25

    > Where x.x.x.x are the IP/NetMask addresses of the authorised SMTP server and
    > the network addresses of the network.
    >
    > now apply this to your external interface...
    > interface Ethernet0/1
    > ip access-group 101 out
    > ip access-group 101 in
    >


    Of course, now since we have two ACLs, we need to change this to:

    interface ethernet 0/1
    ip access-group 101 out
    ip access-group 102 in

    > You may also want to add "log" to the end of the access-list statements
    > above, so you can see whether or not the virus is active and attempting to
    > use these ports.


    Always a smart move! This has the added benefit of allowing you to see if your
    ACL is blocking valid traffic as well, in which case you can hopefully modify it
    before your boss comes down screaming at you.

    > Be aware that the ports 3127 - 3198 may be used for
    > legitimate traffic, in which case this solution would cause problems.
    > Please note: I do not claim to be an expert and this is by no means THE
    > solution to blocking the virus, it is only a quick workaround to part of the
    > problem. The best way to block such email viruses would be to block them at
    > their source, i.e. the Email servers.


    Feel free to include my comments to your tutorial.

    DISCLAIMER: I have only had 1/2 cup of coffee, I'm sure I made a silly ACL
    mistake for which Hansang will surely correct me, as usual. *sigh*
    --
    Francois Labreque | The surest sign of the existence of extra-
    flabreque | terrestrial intelligence is that they never
    @ | bothered to come down here and visit us!
    videotron.ca | - Calvin
     
    Francois Labreque, Feb 11, 2004
    #2
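The two ACL behaviours this thread turns on, top-down first-match ordering (the SMTP permit/deny pair) and the stateless `established` keyword (the PC-to-www.cisco.com exchange in the reply), as an added worked example in Python. This is not code from the thread, from Cisco or from jlsnet.co.uk; it is a small evaluator for the subset of extended-ACL syntax the posts use, with constructed packets (192.0.2.x and 203.0.113.x stand in for the x.x.x.x placeholders) so that each claim in the thread can be checked offline:

```python
"""Constructed first-match evaluator for Cisco-style extended ACLs: an added
example, not code from the thread, from Cisco IOS or from jlsnet.co.uk. It
models only the syntax the thread uses (permit/deny; tcp/udp/ip; any, 'host X'
or 'X WILDCARD'; 'eq N' / 'range A B'; and TCP 'established', which IOS
evaluates statelessly on the ACK or RST bit). Addresses are placeholders."""
from collections import namedtuple
# The thread writes 'eq dns'; IOS itself names port 53 'domain'. Accept both.
NAMED_PORTS = {"dns": 53, "domain": 53, "smtp": 25, "snmp": 161, "syslog": 514}

# flags: frozenset of TCP flag names; src/dst of a Rule: (network, wildcard)
# as integers; sports/dports: (lo, hi) or None for "any port".
Packet = namedtuple("Packet", "proto src sport dst dport flags")
Rule = namedtuple("Rule", "action proto src sports dst dports established text")

def _ip_int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")

def _parse_addr(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD'; return ((net, wild), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip_int(tokens[1]), 0), tokens[2:]
    return (_ip_int(tokens[0]), _ip_int(tokens[1])), tokens[2:]

def _parse_ports(tokens):
    """Consume an optional 'eq N' or 'range A B'; return (range or None, rest)."""
    if tokens and tokens[0] == "eq":
        p = int(NAMED_PORTS.get(tokens[1], tokens[1]))
        return (p, p), tokens[2:]
    if tokens and tokens[0] == "range":
        return (int(tokens[1]), int(tokens[2])), tokens[3:]
    return None, tokens

def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines in order; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        t = line.split()
        if t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError("unsupported line: " + line)
        src, rest = _parse_addr(t[4:])
        sports, rest = _parse_ports(rest)
        dst, rest = _parse_addr(rest)
        dports, rest = _parse_ports(rest)
        rules.append(Rule(t[2], t[3], src, sports, dst, dports,
                          "established" in rest, line))
    return rules

def _addr_ok(spec, ip):
    return (_ip_int(ip) | spec[1]) == (spec[0] | spec[1])

def _port_ok(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def evaluate(rules, pkt):
    """Top-down, first match wins; every IOS ACL ends with an implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_addr_ok(r.src, pkt.src) and _port_ok(r.sports, pkt.sport)
                and _addr_ok(r.dst, pkt.dst) and _port_ok(r.dports, pkt.dport)):
            continue
        if r.established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return r.action, r.text
    return "deny", "implicit deny"

BLOCKS = """
access-list 101 deny tcp any any eq 1214
access-list 101 deny udp any any eq 1214
access-list 101 deny tcp any any range 3127 3198
access-list 101 permit ip any any
"""
ORIGINAL = parse_acl(BLOCKS)                   # Jim's ACL as posted
WITH_ESTABLISHED = parse_acl(                  # Francois's line put on top of it
    "access-list 101 permit tcp any any established" + BLOCKS)
SMTP_DENY_FIRST = parse_acl("""
access-list 101 deny tcp any any eq 25
access-list 101 permit tcp host 192.0.2.25 any eq 25
access-list 101 permit ip any any""")
SMTP_PERMIT_FIRST = parse_acl("""
access-list 101 permit tcp host 192.0.2.25 any eq 25
access-list 101 deny tcp any any eq 25
access-list 101 permit ip any any""")
# Constructed packets: the PC-to-www.cisco.com exchange from the reply plus a
# few more; 192.0.2.x and 203.0.113.x are placeholder (documentation) ranges.
PC, WEB, MAIL, OUT = "192.0.2.10", "198.133.219.25", "192.0.2.25", "203.0.113.5"
REQUEST = Packet("tcp", PC, 1214, WEB, 80, frozenset({"SYN"}))
REPLY = Packet("tcp", WEB, 80, PC, 1214, frozenset({"SYN", "ACK"}))
KAZAA_SYN = Packet("tcp", PC, 40000, OUT, 1214, frozenset({"SYN"}))
BACKDOOR_SYN = Packet("tcp", OUT, 40001, PC, 3127, frozenset({"SYN"}))
ACK_ONLY = Packet("tcp", OUT, 40002, PC, 3127, frozenset({"ACK"}))
AUTH_SMTP = Packet("tcp", MAIL, 50000, OUT, 25, frozenset({"SYN"}))
ROGUE_SMTP = Packet("tcp", PC, 50001, OUT, 25, frozenset({"SYN"}))

if __name__ == "__main__":
    for acl, pkt in [(ORIGINAL, REPLY), (WITH_ESTABLISHED, REPLY), (WITH_ESTABLISHED, ACK_ONLY),
                     (SMTP_DENY_FIRST, AUTH_SMTP), (SMTP_PERMIT_FIRST, AUTH_SMTP)]:
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)}: {evaluate(acl, pkt)}")
```

Running it reproduces the reply's argument: the SYN/ACK from port 80 back to source port 1214 is denied by the ACL as posted and permitted once `permit tcp any any established` sits on top, while a fresh SYN to 1214 or 3127 is still denied, and the deny-first SMTP pair blocks even the authorised mail server until the permit line is moved above it. The `ACK_ONLY` case shows the keyword's documented limitation: `established` only inspects flag bits, so any packet with ACK or RST set passes regardless of whether a session exists; when that matters, IOS reflexive ACLs or CBAC (stateful inspection) are the mechanisms to reach for, and the thread's `log` advice is what tells you which line actually fired.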
