
Nimda (Code Blue) Virus

Problem Description

A new virus exists called the Nimda virus. It is similar to the Code Red virus, except that the Nimda virus uses e-mail to transport itself. The Nimda virus is essentially the same virus as Code Red, or something built on the same concept, but it can also spread via infected e-mail like the I Love You virus. Someone only needs to receive and open an infected mail message to be affected. The virus then uses the infected station to mail itself to all of the entries in its address book. In addition, the virus begins to sweep through the IP address range with port 80 traffic. This means that any Layer 3 switch in the path will be hit with all of these packets and then have to switch/route them to IP addresses that may not exist. Packets to these non-existent IP addresses are pulled up to the CPU, which begins an address resolution protocol (ARP) process for each one. Since these addresses cannot be found, the result is ARP incompletes and wasted CPU resources. The IPFDB will also fill up with entries for the traffic to existing addresses, because the infected workstations will eventually sweep the entire address range. To the switch, it will look as though the infected workstation's IP source address tried to communicate with every other IP address. It is suspected that the virus writers take the IP address of the infected station and step up a few classes to sweep the network. For example, for an infected station of 16.1.1.1/24, the virus would sweep 16.x.x.x/8. The virus also sweeps using other TCP/UDP ports that may have been open on the infected workstation. This could bog down other active IP addresses with similar open ports.

Problem Symptom

In order to determine whether a Layer 3 Extreme switch is processing Nimda virus related traffic, you can use the Command Line Interface (CLI) to check the following:

show iparp
Look for IPARP incompletes. These are the result of the switch ARPing for IP addresses that do not exist.

show ipstats
Look for dramatic increases in the counters. This indicates traffic being processed by the CPU. Rapid increments of the IP unicast counter can indicate an attack from either inside or outside.

show ipfdb
Look for the size of the IPFDB table to be larger than normal. If your IPFDB fills rapidly and this is not the usual behavior of your network, it is possible that there is a virus inside your network. (With a large IPFDB, be sure that clipaging is enabled (the default setting) and press Q after the first page of the list. Totals will be displayed.)

top
Look for a high tnetTask. This is an indication that there is slow path traffic, which can be due to unknown IP addresses and ARPing.

3585 Monroe Street, Santa Clara, CA 95051 Phone (408) 579-2800 Fax (408) 579-3000 www.extremenetworks.com

Solution

Since the Nimda virus uses http port 80, it is almost impossible to stop its effect entirely, because this traffic cannot be differentiated from legitimate port 80 traffic. Ultimately, the solution is to remove the infected stations from the network until an anti-virus patch can be applied to the workstation.

In order to locate the infected workstations, use a sniffer on the network. They will be very easy to pick up because they generate a stream of port 80 traffic to numerous addresses. To detect the infected IP source address, filter on port 80 and look through the captures for IP source addresses that are generating a lot of port 80 traffic to entire ranges of IP destination addresses. The net objective is to find the infected workstation's IP source address via the sniffer.

Some viruses create a SYN flood that will cause your device's CPU to respond to every connection request, raising CPU load and potentially disrupting high-level processes like ESRP, OSPF and BGP. These requests usually target TCP port 80 (http) and will possibly try to infect web servers. In order to protect your "i" series switches from being flooded with requests, you can create an IP access control list (ACL) that blocks any request to port 80 (NOTE: the web management interface will not work). ACLs are handled in hardware, so they will not affect the performance of the switch. The following ACL blocks all http traffic to the IP interfaces of VLANs A, B and C and permits all other traffic. If you have ACLs applied to your switch already, or have specific settings for your web servers, adjust the example (below) as you see fit.
create access-list default_rule ip dest 0.0.0.0/0 source 0.0.0.0/0 permit port any
create access-list deny_http_a tcp dest <ip address of vlan a>/32 ip-port 80 source 0.0.0.0/0 deny port any precedence 10
create access-list deny_http_b tcp dest <ip address of vlan b>/32 ip-port 80 source 0.0.0.0/0 deny port any precedence 20
create access-list deny_http_c tcp dest <ip address of vlan c>/32 ip-port 80 source 0.0.0.0/0 deny port any precedence 30

You can also shield your entire network from flood attacks by applying an ACL that denies all http traffic to all hosts inside your network, while permitting it only to your web servers:

create access-list deny_rule ip dest 0.0.0.0/0 source 0.0.0.0/0 permit port any
create access-list permit_http_server1 tcp dest <ip address of server 1>/32 ip-port 80 source 0.0.0.0/0 permit port any precedence 10
create access-list permit_http_server2 tcp dest <ip address of server 2>/32 ip-port 80 source 0.0.0.0/0 permit port any precedence 20
create access-list deny_http_all tcp dest <your network range> ip-port 80 source 0.0.0.0/0 deny port any precedence 30

If you type in the command show access-list, you will see a list of ACLs and their properties. This list also has a column that displays the number of hits each list has produced. To activate logging for a specific rule, use the command enable <access-list name> log. This creates a log message each time a packet is discarded by the ACL. (NOTE: If you receive a high rate of discarded packets, enabling logging will affect the available CPU bandwidth of the switch, which may already be reduced by the virus related traffic.)

Please note that the Extreme switch is functioning normally. Packets coming in to addresses not in the hardware table must be routed/ARPed by the CPU. This raises CPU utilization to above normal levels.

For additional information on the Nimda virus, go to the following address:
www.symantec.com/avcenter/venc/data/w32.nimbda.a@mm.html
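The sniffer hunt described in the Solution section, as an added example that is not part of the original bulletin: it reads tcpdump-style one-line packet summaries (a constructed sample is embedded, not a real capture), counts how many distinct destinations each source has sent a SYN to on TCP port 80, and reports the sources whose fan-out exceeds a threshold. The threshold and the sample addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump-style summaries (not a real capture). Host
# 16.1.1.1 sweeps many destinations on port 80; 16.1.1.20 and 16.1.1.21 show
# ordinary browsing to one or two web servers plus an unrelated SMTP connection.
SAMPLE_CAPTURE = """\
IP 16.1.1.1.1034 > 16.2.0.1.80: Flags [S], seq 1, win 8192, length 0
IP 16.1.1.1.1035 > 16.2.0.2.80: Flags [S], seq 1, win 8192, length 0
IP 16.1.1.1.1036 > 16.2.0.3.80: Flags [S], seq 1, win 8192, length 0
IP 16.1.1.1.1037 > 16.2.0.4.80: Flags [S], seq 1, win 8192, length 0
IP 16.1.1.1.1038 > 16.9.4.4.80: Flags [S], seq 1, win 8192, length 0
IP 16.1.1.1.1039 > 16.9.4.5.80: Flags [S], seq 1, win 8192, length 0
IP 16.1.1.20.2001 > 16.1.1.50.80: Flags [S], seq 1, win 8192, length 0
IP 16.1.1.20.2002 > 16.1.1.50.80: Flags [.], ack 1, win 8192, length 0
IP 16.1.1.21.3001 > 16.1.1.50.80: Flags [S], seq 1, win 8192, length 0
IP 16.1.1.21.3002 > 16.1.1.51.80: Flags [S], seq 1, win 8192, length 0
IP 16.1.1.21.3003 > 16.1.1.50.25: Flags [S], seq 1, win 8192, length 0
"""

LINE_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def count_syn_targets(capture: str, port: int = 80):
    """Map each source IP to the set of distinct destinations it sent a bare
    SYN to on the given port. Pure ACKs and SYN-ACKs ([S.]) are ignored so a
    busy but legitimate session to one web server does not inflate the count."""
    targets = defaultdict(set)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != port:
            continue
        if "S" not in m["flags"] or "." in m["flags"]:
            continue
        targets[m["src"]].add(m["dst"])
    return targets

def suspected_sweepers(capture: str, port: int = 80, min_targets: int = 5):
    """Return (source, fan-out) for sources that opened connections to at
    least min_targets distinct hosts on the port, highest fan-out first."""
    targets = count_syn_targets(capture, port)
    hits = [(src, len(d)) for src, d in targets.items() if len(d) >= min_targets]
    return sorted(hits, key=lambda t: -t[1])

if __name__ == "__main__":
    for src, n in suspected_sweepers(SAMPLE_CAPTURE):
        print(f"{src}: SYN to {n} distinct hosts on tcp/80")
```

On a real capture, pipe `tcpdump -n 'tcp[tcpflags] & tcp-syn != 0 and dst port 80'` output into the script; a source with a fan-out far above that of normal browsing hosts is the station to pull from the network.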

