12-18-2004 07:09 PM - edited 03-09-2019 09:48 AM
This is the first time I am posting a question, so please bear with me. I want to know which IOS command will show me viruses/worms/malicious traffic in my router.
Also, what is the use of the command "ip route-cache flow"?
Help needed from you expert guys.
12-19-2004 10:58 AM
Aside from LAN virus scanners and Intrusion Detection Systems (IDS), I'm not aware of any specific tool that would help.
You generally have to chase a few symptoms, for example:
If you find that you cannot connect via telnet, ssh, or console ... one of the chief suspects is a worm / virus / trojan. If you can disconnect one of the high-speed interfaces and get in, you almost certainly have a bug. This is because the router's priority is to move packets ... not handle the console.
Other symptoms are primarily statistic related ... looking for high cpu loads (sh proc cpu), high buffer utilization (can be congestion at the far end as well - sh buffers), and, if you're NAT'ed, an extremely high translation count ... usually from only a couple sources to one or two destinations and the same port numbers.
The basic guideline is to monitor the dynamic resources and investigate numbers that are high. Removing the / a LAN interface should cause the numbers to drop radically.
Note: Users that are using a streaming service like BitTorrent or KaZaa can also put an ugly load on the network - the applications put themselves into "server mode" and begin to suck up bunches of bandwidth (all that you have, if they can).
Your best defense there is to make sure the network use policy has those topics covered, track down the offending IP addresses, match up the MAC addresses on the switches (ARP / CAM tables), then beat the crap out of the users that are sucking up all the bandwidth.
Route cache is a mechanism to speed up the passing of traffic through the switch / router.
The traditional process is to send the inbound traffic to the processor, who does the route evaluation and disposition of the packet.
With a route cache, once the traffic has been evaluated the forwarding parameters are stored (usually until some definable timeout) and any additional packets received from the same source, to the same destination, using the same ports, are sent on according to the information stored in the table (no direct processor intervention).
The lookup process is much quicker than a process evaluation and can be handled by a co-processor or ASIC.
FWIW
Scott
12-20-2004 03:38 AM
You can use NetFlow to help identify viruses and worms on your network.
"show ip route-cache flow" will show you the table of current TCP / UDP sessions, including source/destination IP address, source/destination port numbers and more.
Using this flow cache you can easily and quickly identify hosts that are infected with viruses.
An example of this would be seeing 200+ entries for the same host IP address, where the destination IP address for each of these entries (from the same source address) is incrementing by one and the port number is a well-known vulnerable port, e.g. 135.
So this would indicate that your host is scanning a block of addresses looking for vulnerable hosts listening on port 135.
It works well and has definitely helped me identify virus outbreaks.
Have a look here:
HTH
Paddy
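The pattern Paddy describes (one source, many one-packet flows to consecutive destinations on a single port) is easy to pull out of the flow cache automatically. The following is an added example, not code from the thread or from Cisco; it assumes the classic IOS flow-cache row layout (SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts, with protocol and ports printed in hex) and uses constructed sample rows rather than real router output. The thresholds (`min_targets`, `max_pkts`) are assumptions to tune for your own network.

```python
"""Flag hosts that look like they are sweeping a block of addresses, from
'show ip cache flow'-style output.

Added example (not from the original thread). Assumes the classic IOS
flow-cache row layout with protocol and ports in hex. A source that has many
tiny flows to distinct destinations on one port is reported, and the report
notes whether the destinations are consecutive addresses (the
"incrementing by one" pattern that marks an address sweep).
"""
import ipaddress
from collections import defaultdict

HEADER = "SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts"


def _flow_line(src, dst, proto, sport, dport, pkts):
    """One constructed cache-table row in the classic IOS layout."""
    return (f"{'Fa0/0':<13} {src:<15} {'Fa0/1':<13} {dst:<15} "
            f"{proto:02X} {sport:04X} {dport:04X} {pkts:>5}")


# Constructed sample: 10.1.1.5 sweeps 10.0.1.1-10.0.1.20 on TCP/135 with one
# packet per flow, alongside a few ordinary flows. Not real router output.
SAMPLE = "\n".join(
    [HEADER]
    + [_flow_line("10.1.1.5", f"10.0.1.{i}", 6, 0x0C00 + i, 135, 1) for i in range(1, 21)]
    + [_flow_line("10.1.1.7", "192.0.2.10", 6, 0x0C3A, 80, 42),
       _flow_line("10.1.1.7", "192.0.2.11", 6, 0x0C3B, 80, 17),
       _flow_line("10.1.1.9", "192.0.2.53", 17, 0x0C3C, 53, 2)]
)


def parse_flows(text):
    """Parse cache rows into dicts; header and malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue
        _srcif, src, _dstif, dst, pr, sport, dport, pkts = parts
        flows.append({"src": src, "dst": dst, "proto": int(pr, 16),
                      "sport": int(sport, 16), "dport": int(dport, 16),
                      "pkts": int(pkts)})
    return flows


def find_scanners(flows, min_targets=10, max_pkts=2):
    """Map (src, proto, dport) -> sorted destinations for sources that hit at
    least min_targets distinct destinations on one port with tiny flows."""
    targets = defaultdict(set)
    for f in flows:
        if f["pkts"] <= max_pkts:
            targets[(f["src"], f["proto"], f["dport"])].add(ipaddress.ip_address(f["dst"]))
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


def is_sequential_sweep(dsts):
    """True if the sorted destinations are consecutive addresses."""
    return all(int(b) - int(a) == 1 for a, b in zip(dsts, dsts[1:]))


def report(text, min_targets=10, max_pkts=2):
    """Return [(src, proto, dport, distinct_targets, sequential)] for suspects."""
    found = find_scanners(parse_flows(text), min_targets, max_pkts)
    return [(src, proto, dport, len(dsts), is_sequential_sweep(dsts))
            for (src, proto, dport), dsts in sorted(found.items())]


if __name__ == "__main__":
    for src, proto, dport, n, seq in report(SAMPLE):
        kind = "sequential sweep" if seq else "scattered targets"
        print(f"{src} -> {n} hosts on proto {proto} port {dport}: {kind}")
```

In practice you would feed it the captured output of the cache command and raise `min_targets` toward the 200-entry scale mentioned above; the one-packet-per-flow filter keeps busy but legitimate servers (many destinations, many packets each) out of the list.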
01-01-2005 12:05 PM
Dear Scott, thanks a lot for the help.
01-01-2005 01:32 PM
Another approach could be an application such as ntop.
Why? Because virus- and worm-infected stations produce a lot of traffic and are easy to identify with a tool such as ntop. Check for the top hosts and what protocols and ports they are using.
ntop uses real-time statistics!
see opensource: http://www.ntop.org/ntop.html
sincerely
Patrick