transit traffic control with flexible packet matching

Page 1: Transit Traffic Control With Flexible Packet Matching

CCIE Security V4 Technology Labs Section 1: System Hardening and Availability

Transit Traffic Control with Flexible Packet Matching

Last updated: May 10, 2013

Task

Load the configuration files for this task.

Configure deep packet inspection on R3 to match a custom pattern attack known as the W32.Blaster Worm. Use the following match criteria:

- UDP protocol, destination port 69
- IP packet length exceeding 402 bytes
- Pattern match 0x20a29010 at 50 bytes from the start of the IP header, matching on 4 bytes

You should not need to configure an ACL to complete this task.

Assume that the attack is coming from the direction of R1.

Explanation and Verification

Flexible Packet Matching (FPM) is a feature that allows for granular packet inspection in Cisco IOS routers. Using FPM, you can match any string, byte, or even bit at any position in the IP (or, in theory, non-IP) packet. This greatly aids in identifying and blocking network attacks that carry static patterns in their traffic. A working understanding of Wireshark will help you determine which patterns to match in the traffic in question. The configuration is built with the C3PL (Cisco Common Classification Policy Language) method: class-maps select traffic, policy-maps define the action, and a service-policy binds the policy to an interface. Before configuring the policy, you must load the Protocol Header Data File (PHDF) for each header you intend to match on (here IP and UDP); without it the router cannot interpret the field names and offsets within a header. Once the PHDFs are loaded, you can configure the class-maps, policy-maps, and service policies as required. Note that the following solution does not use an access-list, in accordance with the task requirements.

R3:

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#load protocol system:fpm/phdf/ip.phdf
R3(config)#load protocol system:fpm/phdf/udp.phdf
R3(config)#
R3(config)#class-map type access-control match-all TASK1.16
R3(config-cmap)#match field UDP dest-port eq 0x45
R3(config-cmap)#match field IP length gt 0x192
R3(config-cmap)#match start l3-start offset 50 size 4 eq 0x20A29010
R3(config-cmap)#
R3(config-cmap)#class-map type stack match-all UDP
R3(config-cmap)#match field IP protocol eq 0x11 next UDP
R3(config-cmap)#
R3(config-cmap)#policy-map type access-control W32-Blaster-Block
R3(config-pmap)#description "W32.Blaster Worm Attack Policy Task 1.16"
R3(config-pmap)#class TASK1.16
R3(config-pmap-c)#drop
R3(config-pmap-c)#
R3(config-pmap-c)#policy-map type access-control TASK1.16-POLICY
R3(config-pmap)#class UDP
R3(config-pmap-c)#service-policy W32-Blaster-Block
R3(config-pmap-c)#
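As an added illustration (not part of the INE lab or of IOS), the three match-all conditions of class-map TASK1.16 expressed as a Python checker over a raw IPv4 packet, so you can see exactly which bytes the router inspects. The packet builder, the addresses and the payload are constructed placeholders; the offset 50 is taken from the first byte of the IP header (l3-start), as the task specifies.

```python
import struct

# Criteria of class-map TASK1.16 (values taken from the lab configuration).
UDP_PROTO = 0x11                     # IP protocol number for UDP (stack class-map UDP)
BLASTER_DPORT = 0x45                 # UDP destination port 69 (TFTP)
MIN_IP_LENGTH = 0x192                # "match field IP length gt 0x192" (402 bytes)
PATTERN_OFFSET = 50                  # "match start l3-start offset 50"
PATTERN = bytes.fromhex("20a29010")  # "size 4 eq 0x20A29010"


def build_ip_udp(dst_port: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/UDP packet for testing (no options, checksums zero).
    Addresses are constructed placeholders, not values from the lab."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, dst_port, udp_len, 0) + payload
    total_len = 20 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, UDP_PROTO, 0,
                     bytes([10, 0, 13, 1]), bytes([10, 0, 13, 3]))
    return ip + udp


def matches_task1_16(pkt: bytes) -> bool:
    """Return True only if every condition of the match-all class-map holds."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:          # not an IPv4 header at all
        return False
    ihl = (pkt[0] & 0x0F) * 4                       # header length in bytes
    total_len = struct.unpack_from("!H", pkt, 2)[0] # IP "length" field
    # Stack class-map UDP: protocol must be 0x11 before UDP fields are meaningful.
    if pkt[9] != UDP_PROTO or len(pkt) < ihl + 8:
        return False
    dst_port = struct.unpack_from("!H", pkt, ihl + 2)[0]
    if dst_port != BLASTER_DPORT:                   # match field UDP dest-port eq 0x45
        return False
    if total_len <= MIN_IP_LENGTH:                  # match field IP length gt 0x192
        return False
    window = pkt[PATTERN_OFFSET:PATTERN_OFFSET + len(PATTERN)]
    return window == PATTERN                        # 4 bytes at offset 50 from l3-start
```

With a 20-byte IP header and 8-byte UDP header, offset 50 from l3-start lands 22 bytes into the UDP payload; a packet whose IP length is exactly 402 bytes is not matched, because the class-map uses gt, not ge.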

Now you can apply the configuration to the interface facing R1.

R3(config)#int f0/0.13
R3(config-subif)#service-policy type access-control input TASK1.16-POLICY
R3(config-subif)#end
R3#

Verify the configuration.

R3#show policy-map type access-control interface f0/0.13
 FastEthernet0/0.13

  Service-policy access-control input: TASK1.16-POLICY

    Class-map: UDP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: field IP protocol eq 0x11 next UDP

      Service-policy access-control : W32-Blaster-Block

        Class-map: TASK1.16 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps
          Match: field UDP dest-port eq 0x45
          Match: field IP length gt 0x192
          Match: start l3-start offset 50 size 4 eq 0x20A29010
          drop

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      5 packets, 450 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R3#

Recommended Reading

FPM on the INE Blog (http://blog.ine.com/2009/06/14/understanding-flexible-packet-matching/)