Zombie Outbreak Prevention, or how to kill your network. July 6th, 2009
Had an interesting call with a client today. Initially they thought that their AIP20 IPS module had died, and in the process they had lost almost all communication to the Internet. At first I was afraid that I had not used ips inline fail-open sensor vs0, that the unit had failed, and that it was blocking all traffic. Once I was on site and had pulled the config, however, it was clear that I had configured it correctly.
Straight from there I pulled the redirect policy to get the IPS out of the mix and bring them back online. The effect was instant: bandwidth soared and they were back in business. Next I took a few minutes to work through what had happened with the client. It turned out their ISP had notified them that they were exhibiting symptoms of being in a botnet. When the client did not initially see activity on their ASA or in the IPS logs that would validate that, they decided to up the ante and applied the entire Virus/Trojan list of signatures. Instantly they lost connectivity to their ISP and upstream. From there I dove into the IPS logs to see what was triggering. Thousands of entries for the Outbreak Prevention Signature were the only thing we saw. So I dug into the bottom of the Virus/Trojan list and found a primary Outbreak Prevention Signature and two sub-signatures. Without going super deep into this mess, those signatures classify all TCP (SYN, ACK and FIN) and UDP traffic as a high threat. In the case of this customer, and most others, high-severity threats are denied inline, so the sensor was dropping essentially every packet.
So there you go: how to kill your network with one simple apply command. Not that there aren't hundreds more of those, but this one is a bit more interesting considering it is not annotated or deprecated in the signature list. As a matter of fact it was designed for a product that Cisco no longer sells or supports, Cisco Incident Control System (ICS). This link details the signature and its purpose a bit more.
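For reference, here is the ASA side of the setup described above, the back-out step that got the IPS out of the path, and the sensor-side step to keep those signatures off. This is an added example, not the client's config; the class-map and policy-map names are assumed, and the signature and sub-signature IDs are placeholders you should read off your own Virus/Trojan list.

```text
! ASA: hand all traffic to the AIP-SSM inline, failing open only if the module itself dies.
! Names (ips-class, global_policy) are assumed; use whatever your config already has.
class-map ips-class
 match any
!
policy-map global_policy
 class ips-class
  ips inline fail-open sensor vs0
!
service-policy global_policy global

! Back-out: pull the redirect so traffic bypasses the sensor entirely.
! Everything else in the policy-map stays in place.
policy-map global_policy
 class ips-class
  no ips inline fail-open sensor vs0

! Sensor side (IPS 6.x CLI): leave the Outbreak Prevention signatures disabled.
! <sig-id> and <subsig-id> are placeholders; repeat for the primary signature and each sub-signature.
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures <sig-id> <subsig-id>
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled false
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
! exiting the service prompts you to apply the changes; answer yes
```

Note what fail-open does and does not cover. It only matters when the ASA stops getting a response from the module (crashed, rebooting, pulled). A healthy sensor that is deliberately denying packets because a high-severity signature fired is not a failure from the ASA's point of view, so fail-open never kicks in. That is exactly why applying that signature list took the whole site down while the config was still correct, and why pulling the redirect was the fastest way back online.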
Anyway, with all that said, avoid these signatures unless the zombies get loose in your network.