Zombie Outbreak Prevention or how to kill your network.

Had and interesting call with a client today.  Initially they though that their AIP20 IPS module had died.  In the process they lost almost all communication to the internet.  At first I was afraid that I had not used ips inline fail-open sensor vs0 and that the unit had failed and blocked all traffic.  However once I was on site after I pulled the config it was clear that I had configured it correctly.

Straight from there I pulled the redirect policy to get the IPS out of the mix and bring them back online.  The effect instant bandwidth soared and they were back in business.  Next I took a few minutes to work through what happened with the client.  Come to find out their ISP notified them that they were exhibiting symptoms of being in a bot-net.  When the client did not initially see activity that would validate that on their ASA or in the IPS logs they decided to up the anty and applied the entire Virus/Trojan list of signatures.  Instantly they lost connectivity to their ISP and upstream.  From there I dove into the IPS logs to see what was triggering.  Thousands of entries for the Outbreak Prevention Signature were the only thing we saw.  So from there I dug into the bottom of the Virus/Trojan list and found a Primary Outbreak Prevention Signature and two sub signatures.  Without going super deep into this mess those signatures classify all TCP (SYN,ACK and FIN), UDP and TCP as a high threat.  In the case of this customer and most all high threats are denied inline.

So there ya go how to kill your network in one simple apply command.  Not that there are not hundreds more of those.  But this one is a bit more interesting considering it is not notated or deprecated in the signature list.  As a matter of fact it was designed for a product that Cisco no longer sells or supports, Cisco Incident Control System (ICS). This link details the signature and its purpose a bit more.

Anyway with all that said avoid these signatures unless the zombies get loos in your network.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.