Filters and QoS Configuration for ERS 5500
Technical Configuration Guide v2.0 NN48500-559
___________________________________________________________________________________________________________________________
Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.
External Distribution
Based on the diagram above, enter the following commands to enable DHCP Snooping:
5530-24TFD(config)#interface fastEthernet all
5530-24TFD(config-if)#qos dhcp spoofing port 2-10 dhcp-server 172.30.30.50
10.3 DoS
The following command is used to enable the various DoS QoS Applications:
5530-24TFD(config)#interface fastEthernet all
5530-24TFD(config-if)#qos dos <nachia|sqlslam|tcp-dnsport|tcp-ftpport|tcp-synfinscan|xmas> port <port #> enable
SQLSlam
The worm targeting SQL Server computers is a self-propagating, malicious code that exploits a
vulnerability that allows for the execution of arbitrary code on the SQL Server computer due to a
stack buffer overflow. Once the worm compromises a machine it will try to propagate itself by
crafting packets of 376 bytes and sending them to randomly chosen IP addresses on UDP port 1434.
If the packet is sent to a vulnerable machine, this victim machine will become infected and will
also begin to propagate. Beyond the scanning activity for new hosts, the current variant of this
worm has no other payload. Activity of this worm is readily identifiable on a network by the
presence of 376 byte UDP packets. These packets will appear to be originating from seemingly
random IP addresses and destined for UDP port 1434.
When enabled, the DoS SQLSlam QoS Application will drop UDP traffic whose destination port is
1434 with the byte pattern of 0x040101010101 starting at byte 47 of a tagged packet.
Nachia
The W32/Nachi variants W32/Nachi-A and W32/Nachi-B are worms that spread using the RPC
DCOM vulnerability in a similar fashion to the W32/Blaster-A worm. Both rely upon two
vulnerabilities in Microsoft's software.
When enabled, the DoS Nachia QoS Application will drop ICMP traffic with the byte pattern of
0xaaaaaa starting at byte 48 of a tagged packet.
Xmas
Xmas is a DoS attack that sends TCP packets with all TCP flags set in the same packet, which is
illegal. When enabled, the DoS Xmas QoS Application will drop TCP traffic with the URG:PSH
TCP flags set.
TCP SynFinScan
TCP SynFinScan is a DoS attack that sends both a TCP SYN and FIN in the same packet, which
is illegal. When enabled, the TCP SynFinScan QoS Application will drop TCP traffic with the
SYN:FIN TCP flags set.
TCP FtpPort
A TCP FtpPort attack is identified by TCP packets with a source port of 20 and a destination port
less than 1024, which is illegal. A legal FTP request would have been initiated with a TCP port
greater than 1024. When enabled, the TCP FtpPort QoS Application will drop TCP traffic with the
TCP SYN flag set and a source port of 20 with a destination port less than or equal to 1024.
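The match rules described in this section (SQLSlam, Nachia, Xmas, TCP SynFinScan, TCP FtpPort, and the TCP DnsPort rule described in the next subsection) can be checked offline against captured frames with the classifier below. This is an added example written for this guide, not Nortel code or a description of the switch firmware. It assumes that the guide's "byte N of a tagged packet" counts from 1 starting at the destination MAC of an 802.1Q-tagged IPv4 frame carrying no IP options; the `build_frame` helper, the `classify` and `parse_tagged_ipv4` function names and the constructed sample frames are the example's own assumptions, not packet data from the guide.

```python
"""Software model of the ERS 5500 DoS QoS application match rules (added example, not Nortel code)."""
import struct

ETH_TAGGED_LEN = 18                     # 14-byte Ethernet header + 4-byte 802.1Q tag
IP_PROTO_ICMP, IP_PROTO_TCP, IP_PROTO_UDP = 1, 6, 17
TCP_FIN, TCP_SYN, TCP_PSH, TCP_URG = 0x01, 0x02, 0x08, 0x20

# Byte patterns and offsets as stated in the guide. The offsets are the guide's 1-indexed
# "byte N of a tagged packet"; we assume (assumption, not stated in the guide) that byte 1 is
# the first byte of the destination MAC, so 0-indexed offset = N - 1.
SQLSLAM_PATTERN, SQLSLAM_OFFSET = bytes.fromhex("040101010101"), 47 - 1
NACHIA_PATTERN, NACHIA_OFFSET = bytes.fromhex("aaaaaa"), 48 - 1


def parse_tagged_ipv4(frame):
    """Return (proto, sport, dport, tcp_flags) for a tagged IPv4 frame, or None if it is not one."""
    if len(frame) < ETH_TAGGED_LEN + 20:
        return None
    tpid = struct.unpack_from("!H", frame, 12)[0]
    ethertype = struct.unpack_from("!H", frame, 16)[0]
    if tpid != 0x8100 or ethertype != 0x0800:
        return None
    ip = ETH_TAGGED_LEN
    ihl = (frame[ip] & 0x0F) * 4              # IP header length in bytes
    proto = frame[ip + 9]
    l4 = ip + ihl                             # start of the transport header
    sport = dport = flags = None
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
    if proto == IP_PROTO_TCP and len(frame) >= l4 + 14:
        flags = frame[l4 + 13]                # TCP flags byte
    return proto, sport, dport, flags


def classify(frame):
    """Return the names (as used in `qos dos <name>`) of every DoS rule the frame would match."""
    parsed = parse_tagged_ipv4(frame)
    if parsed is None:
        return []
    proto, sport, dport, flags = parsed
    hits = []
    if (proto == IP_PROTO_UDP and dport == 1434
            and frame[SQLSLAM_OFFSET:SQLSLAM_OFFSET + len(SQLSLAM_PATTERN)] == SQLSLAM_PATTERN):
        hits.append("sqlslam")
    if (proto == IP_PROTO_ICMP
            and frame[NACHIA_OFFSET:NACHIA_OFFSET + len(NACHIA_PATTERN)] == NACHIA_PATTERN):
        hits.append("nachia")
    if proto == IP_PROTO_TCP and flags is not None:
        if flags & (TCP_URG | TCP_PSH) == (TCP_URG | TCP_PSH):   # guide's Xmas criterion: URG:PSH
            hits.append("xmas")
        if flags & (TCP_SYN | TCP_FIN) == (TCP_SYN | TCP_FIN):
            hits.append("tcp-synfinscan")
        if flags & TCP_SYN and sport == 20 and dport <= 1024:
            hits.append("tcp-ftpport")
        if flags & TCP_SYN and sport == 53 and dport <= 1024:
            hits.append("tcp-dnsport")
    return hits


def build_frame(proto, payload=b"", sport=0, dport=0, tcp_flags=0):
    """Construct a tagged IPv4 sample frame for testing (constructed data; checksums left at zero)."""
    eth = bytes(6) + bytes(6) + struct.pack("!HHH", 0x8100, 0x0001, 0x0800)   # dst, src, tag, type
    if proto == IP_PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    elif proto == IP_PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:                                     # ICMP echo request header: type 8, code 0, csum, id, seq
        l4 = struct.pack("!BBHHH", 8, 0, 0, 0, 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4 + payload


if __name__ == "__main__":
    samples = {
        "376-byte UDP/1434 Slammer-style frame": build_frame(
            IP_PROTO_UDP, SQLSLAM_PATTERN + bytes(370), sport=1234, dport=1434),
        "ICMP echo with 0xaa payload": build_frame(IP_PROTO_ICMP, b"\xaa" * 8),
        "SYN from source port 20 to port 80": build_frame(IP_PROTO_TCP, sport=20, dport=80, tcp_flags=TCP_SYN),
        "all TCP flags set": build_frame(IP_PROTO_TCP, sport=40000, dport=80, tcp_flags=0x3F),
        "ordinary SYN": build_frame(IP_PROTO_TCP, sport=40000, dport=80, tcp_flags=TCP_SYN),
    }
    for name, frame in samples.items():
        print(f"{name}: {classify(frame) or 'no match'}")
```

Note that the Xmas rule is implemented exactly as the guide states it (URG and PSH both set) rather than as "all flags set", so a frame with every TCP flag set matches both `xmas` and `tcp-synfinscan`; a frame that is not 802.1Q-tagged is reported as no match because the stated byte offsets only hold for tagged frames.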
TCP DnsPort
The TCP DnsPort QoS Application is similar to the TCP FtpPort application but for DNS port 53.
When enabled, this application will drop TCP traffic with the TCP SYN flag set and a source port
of 53 with a destination port less than or equal to 1024.
BPDU