
Cisco Config Error, Outbound DNS Flood?

Hi,
I had a problem which I thought was related to a network worm, or similar, as per the question below:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_22690462.html

To resolve this, I have reconfigured the Cisco router, and the flood of outgoing UDP DNS packets has stopped.
I can only assume that either a misconfiguration of the router is at fault, the new config is just suppressing the traffic somehow, or the one remote access user was still connected and causing the problems. Right now, I have disabled remote access from the router with the new config. Please could someone review the Cisco 877W router config below, which was configured by an unknown 3rd party, to see if anything in there could be causing a flood of UDP DNS packets, all destined for different messenger sites, i.e. MSN, Yahoo and AOL...
I see there are entries in the config, which I assume are meant to block these sites; it just seems strange that the outbound traffic is all destined to exactly these sites.

Thanks
ZM


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$KEsb$g1vVDWz3dM1zA.PcP0e84.
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
!
appfw policy-name SDM_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action reset alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-818786155
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-818786155
 revocation-check none
 rsakeypair TP-self-signed-818786155
!
!
crypto pki certificate chain TP-self-signed-818786155
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 38313837 38363135 35301E17 0D303230 33303130 30313132
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3831 38373836
  31353530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  BE00BF36 971DE897 A823EB6E 4F105CDD ED3F3587 714A5C11 CD68B0B0 031A97D4
  7CF33C9E C53BAA4D 5CCA8B98 112F15EF 5B096FFE DBBED199 A0523792 59242A0B
  B2ED6EE8 E00D9E7D E96FC77C 5E78E318 AA975CD2 26404957 11A7D23D D6FDF704
  166AF27D 542A0D5B C40C51F5 82A5A845 EFA84EDD E8B02B54 71A66AFC 29523633
  02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D
  11041B30 19821779 6F75726E 616D652E 796F7572 646F6D61 696E2E63 6F6D301F
  0603551D 23041830 168014DF 1315A2C1 391A21DA 5F714265 F556C0AE 7AEC4E30
  1D060355 1D0E0416 0414DF13 15A2C139 1A21DA5F 714265F5 56C0AE7A EC4E300D
  06092A86 4886F70D 01010405 00038181 0017AAE5 A6BB39BE A3672BE9 D746723C
  ECA65766 970FC9B0 ADF67F25 90A91BCB 6CFF3C78 EBFF2523 97C1BDD6 F910E575
  3B44A91E F53F9384 F655B378 34952D30 3C0A1C27 62275862 593782D6 6357A6BE
  6CF53F88 5119D0FF 53DD8778 20BA3FD7 EA571762 8473D30E 4468CB4A E034F530
  D5FF5819 D7E551BC DAA3CFF0 4AA837BE 10
  quit
!
!
username *** privilege 15 secret 5 $1$M02S$KB6qSApKXS3lC4Lq4geB2/
username *** privilege 0 secret 5 $1$Unwz$0aex9214hlDUOKUBxCGL60
username *** privilege 0 secret 5 $1$CbCy$PBZ.PxMBg/kwttFYa9vfn.
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ***
 key ***
 dns 192.168.1.1
 wins 192.168.1.1
 pool SDM_POOL_1
 netmask 255.255.255.0
!
!
crypto ipsec transform-set MZ esp-aes 256 esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set MZ
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_HIGH out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ***.xadsl@xtra.co.nz
 ppp chap password 7 0600192F5D45500A57
 ppp pap sent-username ***.xadsl@xtra.co.nz password 7 03024D051704785F1C
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 10.50.0.0 10.50.0.10
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 10.50.0.0 any
access-list 101 permit ip host 10.50.0.1 any
access-list 101 permit ip host 10.50.0.2 any
access-list 101 permit ip host 10.50.0.3 any
access-list 101 permit ip host 10.50.0.4 any
access-list 101 permit ip host 10.50.0.5 any
access-list 101 permit ip host 10.50.0.6 any
access-list 101 permit ip host 10.50.0.7 any
access-list 101 permit ip host 10.50.0.8 any
access-list 101 permit ip host 10.50.0.9 any
access-list 101 permit ip host 10.50.0.10 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip any host 10.50.0.0
access-list 102 deny   ip any host 10.50.0.1
access-list 102 deny   ip any host 10.50.0.2
access-list 102 deny   ip any host 10.50.0.3
access-list 102 deny   ip any host 10.50.0.4
access-list 102 deny   ip any host 10.50.0.5
access-list 102 deny   ip any host 10.50.0.6
access-list 102 deny   ip any host 10.50.0.7
access-list 102 deny   ip any host 10.50.0.8
access-list 102 deny   ip any host 10.50.0.9
access-list 102 deny   ip any host 10.50.0.10
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------
^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Asked by: zimboman

1 Solution

lrmoore commented:
There is nothing in your config that can account for a flood of DNS packets. However, this is an unfortunate side effect of MySpace.com. Opening a single page on MySpace can trigger dozens of DNS lookups because of all the links on the pages.
Here's a good article on this subject:
http://www.networkworld.com/news/2007/062207-myspace.html?page=1

I would simply block MySpace IP addresses in ACL 100.



zimboman (author) commented:
Hi, thanks - that's good to know.
However, this flood of excessive traffic happened 24/7, even with everyone off the network. The network only consists of 12 PCs, and they were uploading 1.5GB of traffic a day. The router was uploading at full speed with hardly anyone browsing at all. The DNS packets were going from the server to the router, destined for all the messenger site servers that are listed in the config above. Is it possible the network was hacked somehow and used as a DoS bot or similar?
I guess we will not know?


lrmoore commented:
Wow, that's scary! I'd say a definite possibility of trojans/viruses/worms/malware.

>To resolve this, I have reconfigured the cisco router
What exactly did you change?
zimboman (author) commented:
I have scanned the entire network, and all PCs and the server have updated AV and have run deep AV scans.

I just reconfigured the router from scratch, leaving out the remote access components...

lrmoore commented:
Are you getting lots of hit counters on your ACL 101?
 sho ip access-list 101

zimboman (author) commented:
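A fuller check than ACL hit counters, added here as an example and not code from any post in the thread: the config above enables flow accounting (`ip route-cache flow` on Vlan1 and Dialer0), so `show ip cache flow` on the original router would have listed the live flows and shown which inside host was sourcing the UDP/53 traffic and to which outside addresses. The script below parses that output and ranks inside hosts by outbound UDP/53 flow and packet counts. It assumes the IOS 12.4 flow-cache column layout (SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts, with protocol and ports in hex and packet counts possibly suffixed K/M) and the short interface names `Vl1` and `Di0`; the sample output is constructed, with RFC 5737 test addresses standing in for the outside hosts.

```python
"""Rank inside hosts by outbound UDP/53 flows in `show ip cache flow` output.

Added example for this thread, not code from any post. Assumes the IOS 12.4
flow-cache layout: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts,
with protocol and ports in hex and packet counts possibly suffixed K/M.
"""
import re
from collections import defaultdict

# Constructed sample output; outside addresses are RFC 5737 test ranges,
# not real messenger servers, and the inside host is illustrative only.
SAMPLE = """\
IP packet size distribution (58344 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .812 .104 .031 .010 .008 .005 .004 .003 .003 .002 .002 .002 .002 .002

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl1           192.168.1.1     Di0           203.0.113.10    11 0400 0035    27K
Vl1           192.168.1.1     Di0           203.0.113.11    11 0401 0035    19K
Vl1           192.168.1.1     Di0           198.51.100.7    11 0402 0035    12K
Vl1           192.168.1.20    Di0           198.51.100.5    06 C1A3 0050     14
Vl1           192.168.1.20    Di0           203.0.113.10    11 C2F1 0035      3
Di0           198.51.100.5    Vl1           192.168.1.20    06 0050 C1A3     12
"""

# One flow-cache row; header and size-distribution lines do not match.
FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_if>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\S+)\s*$"
)
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_pkts(token):
    """Expand the Pkts column: '27K' -> 27000, '14' -> 14."""
    if token[-1].upper() in SUFFIX:
        return int(float(token[:-1]) * SUFFIX[token[-1].upper()])
    return int(token)


def parse_flows(text):
    """Yield one dict per flow-cache row; non-flow lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        yield {
            "src_if": m["src_if"], "src": m["src"],
            "dst_if": m["dst_if"], "dst": m["dst"],
            "proto": int(m["pr"], 16),
            "sport": int(m["sport"], 16), "dport": int(m["dport"], 16),
            "pkts": parse_pkts(m["pkts"]),
        }


def outbound_dns_by_host(text, inside_if="Vl1", outside_if="Di0"):
    """Return {inside_host: (flow_count, packet_total, {dst, ...})} for
    UDP/53 flows entering on the inside interface and leaving via outside."""
    stats = defaultdict(lambda: [0, 0, set()])
    for f in parse_flows(text):
        if f["src_if"] != inside_if or f["dst_if"] != outside_if:
            continue
        if f["proto"] != 17 or f["dport"] != 53:   # 17 = UDP, 53 = DNS
            continue
        s = stats[f["src"]]
        s[0] += 1
        s[1] += f["pkts"]
        s[2].add(f["dst"])
    return {h: (c, p, d) for h, (c, p, d) in stats.items()}


def top_talkers(text, min_pkts=1000):
    """Inside hosts whose outbound UDP/53 packet total reaches min_pkts,
    busiest first, as (host, flows, packets, sorted destinations)."""
    ranked = sorted(outbound_dns_by_host(text).items(),
                    key=lambda kv: kv[1][1], reverse=True)
    return [(h, c, p, sorted(d)) for h, (c, p, d) in ranked if p >= min_pkts]


if __name__ == "__main__":
    for host, flows, pkts, dsts in top_talkers(SAMPLE):
        print(f"{host}: {flows} UDP/53 flows, {pkts} packets -> {', '.join(dsts)}")
```

Feed it the saved output of `show ip cache flow` (or `terminal length 0` followed by the command over SSH) while the flood is running; the cache only holds active and recently expired flows, so once the router is reconfigured or the traffic stops there is nothing left to read, which is the same limitation the ACL hit counters have.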
Sorry, but I had already reconfigured the unit with a basic configuration, so I can't check any hit counters etc.

Oh well, thanks for your help, but I guess I will never know. I will assign points for the MySpace DNS issue, but I guess the issue is not really solved.

Thanks,
ZM