Firewall/Router Attack – BlackNurse

SOURCE: blacknurse.dk

The BlackNurse attack causes high CPU load on the target device.

REQUIREMENT:

-Kali linux

Attack (flood better)
# hping3 -1 -C 3 -K 3 -i u20

# hping3 -1 -C 3 -K 3 --flood

RESULTS:
-Mikrotik v6.37.1 CPU utilization before attack 4%, after attack 44%
-Fortigate 5.2 CPU utilization before attack idle 99%, after attack idle 70%

This attack came from only 1 source. The damage could be greater if I used more attack sources.

LIST OF REPORTED AFFECTED PRODUCTS :
-Cisco ASA 5505, 5506, 5515, 5525 , 5540 (default settings)
-Cisco 6500 routers with SUP2T and Netflow v9 on the inbound interface – 100% CPU load
-Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
-Cisco Router 897 – Can be mitigated – The current code from https://www.cymru.com/Documents/secure-ios-template.html will make evil worse.
-Fortinet v5.4.1 – One CPU consumed
-Fortigate units 60c and 100D (even with drop ICMP on) – RESPONSE FROM FORTINET
-Some unverified Palo Alto – SEE ANSWER FROM PALO ALTO
-Palo Alto 5050 Firewalls with firmware 7.1.4-h2
-SonicWall – Misconfiguration can be changed and mitigated (Enable Anti-DDOS)
-Zyxel NWA3560-N (Wireless attack from LAN Side)

-Zyxel Zywall USG50

NOT AFFECTED:
-AVM Fritz!Box 7360 (common ADSL router in Germany)
-Check Point Security Gateways – Checkpoint response!
-Cisco ISR4321 Router IOS XE – Version 15.5(3)S2, RELEASE SOFTWARE (fc2)
-GigaVUE HC-Serie (Gigamon)
-Iptables
-Juniper SRX
-Mikrotik CCR1036-12G-4S firmware: 3.27 (250 Mbit/s) and no problem && RouterOS 5.4 on Mikrotik RB750
-OpenBSD 6.0 and current
-pfSense
-Ubiquiti Networks – EdgeRouter Lite CPU 60-70% load but still going
-Windows Firewalls
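
For detection on a capture or mirror port: the hping3 options above (-1 -C 3 -K 3) produce ICMP type 3, code 3 (destination unreachable, port unreachable), so a per-source rate check on that type/code pair is enough to flag the traffic. The following is an added example, not from blacknurse.dk or this page's author; the threshold, window, function names and sample packets are assumptions.

```python
import struct
from collections import defaultdict, deque
from ipaddress import IPv4Address

def parse_icmp(packet: bytes):
    """Return (src, icmp_type, icmp_code) for an IPv4 ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 2:
        return None
    # Non-first fragments carry no ICMP header, so skip them
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None
    return str(IPv4Address(packet[12:16])), packet[ihl], packet[ihl + 1]

def blacknurse_sources(events, threshold=1000, window=1.0):
    """events: (timestamp, raw IPv4 packet) pairs in time order.
    Returns sources that sent more than `threshold` type 3 / code 3
    packets inside any `window` seconds (both values are assumptions)."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, pkt in events:
        parsed = parse_icmp(pkt)
        if parsed is None or parsed[1:] != (3, 3):
            continue
        q = recent[parsed[0]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(parsed[0])
    return flagged

def sample_packet(src, icmp_type, icmp_code):
    # Constructed sample: 20-byte IPv4 header (checksum zero) + 8-byte ICMP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     IPv4Address(src).packed, IPv4Address("192.0.2.1").packed)
    return ip + bytes([icmp_type, icmp_code]) + bytes(6)

# Constructed capture: one source sends 50 port-unreachables in 50 ms,
# another sends a single one plus an echo request (ignored)
SAMPLE = [(i * 0.001, sample_packet("198.51.100.7", 3, 3)) for i in range(50)]
SAMPLE += [(0.06, sample_packet("203.0.113.9", 3, 3)),
           (0.07, sample_packet("203.0.113.9", 8, 0))]
```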

How to disable SIP ALG

SOURCE:
http://www.voip-info.org/wiki/view/Routers+SIP+ALG

Many of today’s commercial routers implement SIP ALG (Application-level gateway), coming with this feature enabled by default. While ALG could help in solving NAT related problems, the fact is that many routers’ ALG implementations are wrong and break SIP.

CheckPoint
login to Smart Dashboard
click Smart Defence tab
expand Application Intelligence
expand VoIP
disable all features on H.323

Cisco
(config)# no ip nat service sip tcp port 5060
(config)# no ip nat service sip udp port 5060

ASA
(config)# policy-map global_policy
(config-pmap)# class inspection_default
(config-pmap-c)# no inspect sip

Cyberoam
> cyberoam system_modules sip unload

D-Link
Open a browser and enter the router’s IP address in the address bar. Go to “Firewall Settings” under the “Advanced” item.
Uncheck the box to disable SPI – usually, directly below this item are options for “NAT Endpoint Filtering” that must be changed to “Endpoint Independent” for both TCP and UDP.
Next, find the “Application Level Gateway (ALG) Configuration” area and uncheck the box for SIP.
Save these settings and reboot the device if requested

FortiGate
disable SIP ALG
# config system settings
# set sip-helper disable
# set sip-nat-trace disable
# end
verify
# show full-configuration system settings
delete sip
# config system session-helper
(session-helper) # show
config system session-helper
edit 1
set name pptp
set protocol 6
set port 1723
next
edit 2
set name h323
set protocol 6
set port 1720
next
edit 3
set name ras
set protocol 17
set port 1719
next
edit 4
set name tns
set protocol 6
set port 1521
next
edit 5
set name tftp
set protocol 17
set port 69
next
edit 6
set name rtsp
set protocol 6
set port 554
next
edit 7
set name rtsp
set protocol 6
set port 7070
next
edit 8
set name rtsp
set protocol 6
set port 8554
next
edit 9
set name ftp
set protocol 6
set port 21
next
edit 10
set name mms
set protocol 6
set port 1863
next
edit 11
set name pmap
set protocol 6
set port 111
next
edit 12
set name pmap
set protocol 17
set port 111
next
edit 13
set name sip
set protocol 17
set port 5060
next
edit 14
set name dns-udp
set protocol 17
set port 53
next
edit 15
set name rsh
set protocol 6
set port 514
next
edit 16
set name rsh
set protocol 6
set port 512
next
edit 17
set name dcerpc
set protocol 6
set port 135
next
edit 18
set name dcerpc
set protocol 17
set port 135
next
edit 19
set name mgcp
set protocol 17
set port 2427
next
edit 20
set name mgcp
set protocol 17
set port 2727
next
end
(session-helper) # delete 13
(session-helper) # end
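
The session-helper entry number for sip (13 above) can differ between units, so it is safer to read it from the `show` output than to assume it. This is an added example, not Fortinet's or this page's own code: it checks the three FortiGate steps above against pasted CLI output and returns the commands still needed. The function names and sample output are assumptions.

```python
import re

def sip_helper_ids(session_helper_show: str):
    """Return the `edit N` ids whose entry has `set name sip`."""
    ids, current = [], None
    for line in session_helper_show.splitlines():
        tok = line.split()
        if tok[:1] == ["edit"] and len(tok) == 2 and tok[1].isdigit():
            current = int(tok[1])
        elif tok[:2] == ["set", "name"] and len(tok) == 3 and current is not None:
            if tok[2].strip('"') == "sip":
                ids.append(current)
        elif tok[:1] == ["next"]:
            current = None
    return ids

def remediation(settings_show: str, session_helper_show: str):
    """Return the CLI lines still needed to reach the state described above.
    A setting that is absent from the output is treated as not disabled."""
    cmds = []
    wanted = [k for k in ("sip-helper", "sip-nat-trace")
              if not re.search(rf"^\s*set {k} disable\s*$", settings_show, re.M)]
    if wanted:
        cmds += ["config system settings"]
        cmds += [f"set {k} disable" for k in wanted] + ["end"]
    ids = sip_helper_ids(session_helper_show)
    if ids:
        cmds += ["config system session-helper"]
        cmds += [f"delete {i}" for i in ids] + ["end"]
    return cmds

# Constructed sample output (entry ids as in the listing above)
SETTINGS = """config system settings
    set sip-helper enable
    set sip-nat-trace disable
end"""
HELPERS = """config system session-helper
    edit 12
        set name pmap
        set protocol 17
        set port 111
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
end"""
```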

Juniper
https://kb.juniper.net/InfoCenter/index?page=content&id=KB7078&actp=search
# set security alg sip disable
# commit and-quit

Mikrotik
> ip firewall service-port set sip disabled=yes

Netgear
From Wan Setup Menu, NAT Filtering, uncheck the box next to “Disable SIP ALG”

PaloAlto
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Disable-SIP-ALG/ta-p/60637
# set shared alg-override application sip alg-disabled yes

Peplink
go to http://<router.LAN.IP>/cgi-bin/MANGA/support.cgi
Click the “Disable” button under “SIP ALG Support”

SonicWall
in GUI, go to VOIP>Settings>General Settings
tick Enable consistent NAT
untick Enable SIP Transformations

SpeedTouch
telnet router
> connection unbind application=SIP port=5060
> saveall

Zyxel
telnet router
Menu option “24. System Maintenance”.
Menu option “8. Command Interpreter Mode”.
ip nat service sip active 0

PaloAlto UNL Basic config


NOTE:
-make sure all nics in UNL vm using vmxnet3 and not e1000
-I feel PA6.1 is more stable than PA7.0.1
-I don’t have URL Filtering license, so I can’t test blocking website

-set PA mgmt nic ip to 192.168.1.1
> configure
# set deviceconfig system ip-address 192.168.1.1 netmask 255.255.255.0
# commit

PC1:
MGMT NIC
   ip 192.168.1.10/24
LAN NIC
   ip 10.0.0.10/24
   gw 10.0.0.1
-open PC1 browser and go to https://192.168.1.1
L: admin
P: admin

-set Device/Management section

-set Service Route Configuration

-set Network/Network Profiles/Interface Mgmt

-set Network/Zones

-set Network/Interfaces

-set Network/DHCP

-set Objects/Addresses

-set Policies/Security

-set Policies/NAT

-click Commit
-click Save
Now you can test whether you can browse the internet from PC1.

Blocking Browsec Chrome Extension

Browsec is a VPN extension similar to ZenMate.

CheckPoint:

Cisco ASA:

Cyberoam:

Fortigate:

Juniper:

Mikrotik:

/ip firewall address-list
add address=12.12.12.0/24 list=LAN
/ip firewall layer7-protocol
add name=browsec regexp="^.+(postls.com).*\$"
/ip firewall filter
add action=drop chain=forward layer7-protocol=browsec src-address-list=LAN

PaloAlto:

SonicWall:

Blocking Telegram

Telegram is a messaging app like WhatsApp. It can be downloaded here:

https://telegram.org

CheckPoint:

Cisco ASA:

interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 12.12.12.1 255.255.255.0
clock timezone gmt 7
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
object network PAT
 subnet 12.12.12.0 255.255.255.0
object network telegram1
 subnet 91.108.4.0 255.255.252.0
object network telegram2
 subnet 91.108.56.0 255.255.252.0
object network telegram3
 subnet 149.154.160.0 255.255.252.0
object network telegram4
 subnet 149.154.164.0 255.255.252.0
object network telegram5
 subnet 149.154.168.0 255.255.252.0
object network telegram6
 subnet 149.154.172.0 255.255.252.0
object-group network objgrp-telegram
 network-object object telegram1
 network-object object telegram2
 network-object object telegram3
 network-object object telegram4
 network-object object telegram5
 network-object object telegram6
access-list LAN extended permit ip any any
access-list acl-telegram extended deny ip any object-group objgrp-telegram
access-list ping extended permit icmp any interface outside
access-list ping extended permit icmp any interface inside
access-list outside_access_out extended deny ip any object-group objgrp-telegram
access-list outside_access_out extended permit ip any any
object network PAT
 nat (inside,outside) dynamic interface
access-group outside_access_out out interface outside
access-group LAN in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.10.1 1
user-identity default-domain LOCAL
http server enable
http 10.0.10.0 255.255.255.0 outside
http 12.12.12.0 255.255.255.0 inside
ntp server 180.211.88.211
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error

 

FortiGate:
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 12.12.12.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
        set snmp-index 2
    next
end
config firewall policy
    edit 2
        set name "telegram"
        set uuid 0b2d9320-0d5b-51e6-ce90-307685813f39
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "telegramgroup"
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
    edit 1
        set name "PAT"
        set uuid 170d4c60-0d49-51e6-102b-cc84e02a9dfb
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config firewall address
    edit "telegram"
        set uuid 532c2ac0-0d5a-51e6-754f-62c1c2f11af6
        set subnet 91.108.4.0 255.255.252.0
    next
    edit "telegram2"
        set uuid a0149520-0d5a-51e6-b083-9fda96570787
        set subnet 91.108.56.0 255.255.252.0
    next
    edit "telegram3"
        set uuid a0149520-0d5a-51e6-b083-9fda96570787
        set subnet 149.154.160.0 255.255.252.0
    next
    edit "telegram4"
        set uuid a0149520-0d5a-51e6-b083-9fda96570787
        set subnet 149.154.164.0 255.255.252.0
    next
    edit "telegram5"
        set uuid a0149520-0d5a-51e6-b083-9fda96570787
        set subnet 149.154.168.0 255.255.252.0
    next
    edit "telegram6"
        set uuid a0149520-0d5a-51e6-b083-9fda96570787
        set subnet 149.154.172.0 255.255.252.0
    next
end
config firewall addrgrp
    edit "telegramgroup"
        set uuid 72081cc0-0d5e-51e6-f4e3-e05511d7c552
        set member "telegram" "telegram2" "telegram3" "telegram4" "telegram5" "telegram6"
    next
end

Juniper:

# show
version 12.1X46-D10.2;
system {
    host-name SRX1;
    root-authentication {
        encrypted-password "$1$htJmWkYL$Dij6D2dwMvBOvSm64mJVt0"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    services {
        ssh;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        file messages {
            any any;
        }
    }
    license {
        autoupdate {
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input BLOCK-TELEGRAM;
                }
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 12.12.12.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.0.10.1;
    }
}
policy-options {
    prefix-list ADDRESSLIST-TELEGRAM {
        91.108.4.0/22;
        91.108.56.0/22;
        149.154.160.0/22;
        149.154.164.0/22;
        149.154.168.0/22;
        149.154.172.0/22;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set PAT {
                from zone trust;
                to zone untrust;
                rule PAT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    filter BLOCK-TELEGRAM {
        term LIST-TELEGRAM {
            from {
                source-prefix-list {
                    ADDRESSLIST-TELEGRAM;
                }
            }
            then {
                discard;
            }
        }
        term ALLOW-REST {
            then accept;
        }
    }
}

 

Mikrotik:
/ip firewall address-list
add address=12.12.12.0/24 list=LAN
add address=149.154.160.0/22 list=telegram
add address=149.154.164.0/22 list=telegram
add address=149.154.168.0/22 list=telegram
add address=149.154.172.0/22 list=telegram
add address=91.108.4.0/22 list=telegram
add address=91.108.56.0/22 list=telegram
/ip firewall filter
add action=drop chain=forward dst-address-list=telegram src-address-list=LAN
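
The same six prefixes are typed by hand into three different syntaxes above, so a single typo (a wrong mask, a stray space before the prefix length) leaves one device with a gap in the block list. The following added example, which is not part of the original post, normalises the ASA, Junos and RouterOS forms and reports entries that are missing or malformed; the function names and the shortened sample configs are assumptions.

```python
import re
from ipaddress import ip_network, collapse_addresses

def parse_asa(text):
    """Networks from ASA `subnet <addr> <mask>` lines."""
    return {ip_network(f"{a}/{m}")
            for a, m in re.findall(r"^\s*subnet (\S+) (\S+)\s*$", text, re.M)}

def parse_junos(text):
    """Networks from `<addr>/<len>;` entries of a Junos prefix-list."""
    return {ip_network(p)
            for p in re.findall(r"^\s*([\d.]+/\d+);\s*$", text, re.M)}

def parse_routeros(text, list_name):
    """RouterOS address-list entries: returns (networks, malformed lines)."""
    nets, bad = set(), []
    for line in map(str.strip, text.splitlines()):
        if f"list={list_name}" not in line.split():
            continue
        m = re.fullmatch(r"add address=(\S+) list=\S+", line)
        try:
            nets.add(ip_network(m.group(1)))  # strict: rejects host bits
        except (AttributeError, ValueError):
            bad.append(line)
    return nets, bad

def audit(reference, other):
    """Prefixes of `reference` missing from `other`, plus the aggregated reference."""
    missing = sorted(str(n) for n in reference - other)
    return missing, [str(n) for n in collapse_addresses(reference)]

# Constructed sample configs (two of the page's prefixes; the second
# RouterOS line is malformed on purpose)
ASA = """object network telegram3
 subnet 149.154.160.0 255.255.252.0
object network telegram4
 subnet 149.154.164.0 255.255.252.0
"""
JUNOS = """prefix-list ADDRESSLIST-TELEGRAM {
    149.154.160.0/22;
    149.154.164.0/22;
}
"""
ROUTEROS = """/ip firewall address-list
add address=149.154.160.0/22 list=telegram
add address=149.154.164.0 /22 list=telegram
"""
```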

PaloAlto:

SonicWall:

Blocking ZenMate

CheckPoint:

Cisco ASA:

(config)# object-group network zenmate
(config)# network-object host 78.137.98.120
(config)# network-object host 78.137.98.123
(config)# network-object host 162.159.244.96
(config)# network-object host 162.159.245.96
(config)# network-object host 207.244.77.22
(config)# network-object host 103.10.197.146
(config)# network-object host 46.165.220.211
(config)# network-object host 81.17.26.242
(config)# network-object host 149.3.140.250

(config)# access-list acl-inside extended deny ip any object-group zenmate

Cyberoam:

FortiGate:

Juniper:

Mikrotik:
# export
/ip firewall address-list
add address=12.12.12.0/24 list=LAN
/ip firewall layer7-protocol
add name=zenmate regexp="^.+(zenguard.biz|zenmate.io|zenguard.zendesk.com|zendesk.com|zenguard.org).*\$"
/ip firewall filter
add action=drop chain=forward layer7-protocol=zenmate src-address-list=LAN

PaloAlto:

SonicWall: