Session 4 Case Study

1
Session 4Case Study Discussion

• NBAR
• Remote Triggered Black Hole
• Phishing
• Routing Security
• Discussion

2
NBAR
3
NBAR

• class-map match-any codered
• match protocol http url "default.ida"
• match protocol http url "cmd.exe"
• match protocol http url "root.exe"
• policy-map mark-codered
• class codered
• set ip dscp 1
• int s 0
• service-policy input mark-codered
• access-list 100 deny ip any any dscp 1
• access-list 100 permit ip any any
• int e 0
• ip access-group 100 out

4
Remote Triggered Black Hole

• Lab

5
Phishing

• ????????????,IP??AAA.AAA.AAA.AAA
  ????????,????????,????????????,???????????????,???
  ??

6
Phishing Website
7
Process

• 1. ???????????????
• 2. ????????,????????????

8
Server situation

• Windows 2000 sp4
• Latest patches
• Norton Antivirus,latest virus definition
• Firewall,only port 80
• Complicated administrator password

9
Check Log

• ????????????????Index.htm 2005?11?26?231755
• ????IIS????????????????????

10
Check Log

• ??,??????????web???????????????????,???????????,??
  ??????????????????8???,??????????15?????????23??

11
Check Log

• ??????IIS???????????????
• 1. 2005-11-26 151745 192.168.1.1 POST
  /admin.asp
• ActionUpFileAction2Post 80 - 220.201.17.3
  Mozilla/4.0(compatibleMSIE6.0Windows98A
  lexaToolbar) 200 0 0
• 2. 2005-11-26 151759 192.168.1.1 GET
  /images/index.htm - 80 - 220.201.17.3
  Mozilla/4.0(compatibleMSIE6.0Windows98Ale
  xaToolbar) 200 0 0

12
Trojan

• admin.asp ???ASP??????
• ??
• 1. ????
• 2. ???????
• 3. ???????
• 4. ?????????
• ????????????????

13
Trojan

• ????admin.asp????????
• 2005?11?26?220159
• ?????????IIS??,??????
• 2005-11-26 140159 192.168.1.1 POST
  /UploadFiles/20051126215655189.asp - 80 -
  67.15.22.36 Mozilla/4.0(compatibleMSIE6.0Win
  dows98AlexaToolbar) 200 0 0

14
Trojan

• 20051126215655189.asp???????admin.asp?????????asp?
  ?,???????????
• ???????????
• 2005?11?26?215655
• ????IIS??
• 2005-11-26 135655 192.168.1.1 POST
  /upfile_article.asp - 80 - 220.201.17.3
  Mozilla/4.0(compatibleMSIE5.01WindowsNT5.0
  ) 200 0 0

15
Trojan

• upfile_article.asp??????????????,?????????????????
  ??????????????asp????,????????????????????????????
  ?????????,?????????????
• There is a security leak in the file!

16
Measure

• ????????????????,????????????asp????,?????????????
  ,?????????????????

17
Summary

• ??????????????????????????????????????????????????
  ,???????????????

18
Routing Security

• Prefix-list filter

19
(No Transcript)
20
neighbor 203.222.38.4 remote-as 1239 neighbor
203.222.38.4 description to-sprint-HK-2x622M
neighbor 203.222.38.4 ebgp-multihop 2 neighbor
203.222.38.4 update-source Loopback0 neighbor
203.222.38.4 version 4 neighbor 203.222.38.4
send-community neighbor 203.222.38.4
soft-reconfiguration inbound neighbor
203.222.38.4 distribute-list 26 in neighbor
203.222.38.4 prefix-list CERNET2 out neighbor
203.222.38.4 route-map sprint-622m-in in
neighbor 203.222.38.4 route-map sprint-622m-out
out
route-map sprint-622m-in permit 10 set
local-preference 280 set community 45381239
45384789 additive
route-map sprint-622m-out permit 10 set as-path
prepend 4538 4538 4538 set community 650004635
21
hk-r0p-bgwsh ip bgp nei 203.222.38.4
received-routes in 192.0.2.0 gti 192.0.2.0/24
203.222.38.4 2113 0 1239 i
ip prefix-list defaul seq 5 deny 192.0.2.0/24 ip
prefix-list defaul seq 10 permit 0.0.0.0/0 le 32
neighbor 203.222.38.4 remote-as 1239 neighbor
203.222.38.4 description to-sprint-HK-2x622M
neighbor 203.222.38.4 ebgp-multihop 2 neighbor
203.222.38.4 update-source Loopback0 neighbor
203.222.38.4 version 4 neighbor 203.222.38.4
send-community neighbor 203.222.38.4
soft-reconfiguration inbound neighbor
203.222.38.4 prefix-list CERNET2 out neighbor
203.222.38.4 prefix-list defaul in neighbor
203.222.38.4 route-map sprint-622m-in in
neighbor 203.222.38.4 route-map sprint-622m-out
out
22
Discussion
23

• End
• Thanks