Re: DSCP

azmath.hk · ‎11-29-2006

All,

Problem was started, when one user was not able to access some websites.

So we decided to run ?debug ip packet ? on our router (perimeter device) and noticed that packet was getting dropped on our router, because of the following policy-map mark_http_hacks access-list .

class-map match-any http_hack

match protocol http url "*.ida*"

match protocol http url "*cmd.exe*"

match protocol http url "*root.exe*"

match protocol http url "*SAMPLE*.exe*"

match protocol http url "*sample*.exe*"

match protocol http url "*riched20.dll*"

match protocol http url "*cool.dll*"

match protocol http url "*sample.eml*"

match protocol http url "*httpodbc.dll*"

match protocol http url "*readme2.eml*"

match protocol http url "*readme.eml*"

match protocol http url "*admin.dll*"

!

policy-map mark_http_hacks

description policy map that marks inbound http hacks

class http_hack

set ip dscp 1

access-list 110 deny ip any any dscp 1 log

access-list permit ip any any

After that one of our colleague decided to change the value from ?set ip dscp 1? to ?set ip dscp 2? and modified the same value in extended access-list (deny ip any any dscp 2 log), As soon as he changed he was able to browse without any problem.

Now, I would like to explore more on the same by asking you the following question:-

Why packet was getting dropped on our router?

By changing the value are we compromising with our network security?

Where can I get more information about dscp values(1,2, etc) and about this particular access-list and http attacks and what is DSCP

Thanks is advance.

Regards,

Khan

azmath.hk · ‎11-29-2006

please help me out

jgervia_2 · ‎11-29-2006

OK,

Here's the deal, from a 'overview' perspective.

Any packet(http) that has a URL that contains any of those strings that are in the quotes basically gets marked, and anything matching that mark gets dropped and logged.

Are you a little less secure because of this? Yes. Several of those lines deal with blocking code red:

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml#markinboundhacks

sample.exe/riche20.dll/cool.dll blocking is probably because of Nimda or a variant, and the others appear to be a remote admin hack.

(Quick tip: google those file names (ie admin.dll) and the word 'virus' in google and you can read up on them.

What you did by setting them to dscp 2 is that your access list only blocks stuff marked with dscp 1. By setting everything to 2, it doesn't match that line and is allowed out.

What you need to find out is what it is getting dropped on (in theory you're logging that)

Here's some more information on dscp:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00801b2409.html

Hmmm, I just reread your note about setting both the policy map and access-list to dscp 2 - I would *verify* that it is the case.

The other thing is, look at that site and see why it is matching any of those strings.

--Jason

Please rate this message if it solved or answered some or all of your question/issue.

azmath.hk · ‎11-30-2006

Hi jason,

Thank you very much for your response.

First, we are changing setting to 2 in both (policy map and access-list), so how come we are ignoring those strings. See the following.

? dscp1?required for all classes. Specifies one of 64

DSCP values from 0 to 63. This DSCP value corresponds

to drop precedence 1.

Chhetry, Prakash says:

dscp2?(Optional for AF classes) Specifies one of 64

DSCP values from 0 to 63. This DSCP value corresponds

to drop precedence 2.

? dscp3?(Optional for AF classes) Specifies one of 64

DSCP values from 0 to 63. This DSCP value corresponds

to drop precedence 3.

I just need little more detailed notes on DSCP 1 and 2.

Still I do not understand why it is working when we change it to 2?

How do we verify that those websites whether they are matching any of the strings which we have specified in out access-list.

Regards,

Khan