
CCIE Security V4 Technology Labs Section 1:

System Hardening and Availability


Transit Traffic Control with Flexible Packet Matching
Last updated: May 10, 2013
Task
Load the configuration files for this task.
Configure deep packet inspection on R3 to match a custom pattern attack known as the W32.Blaster Worm. Use the following match criteria:
- UDP protocol, destination port 69
- IP packet length exceeding 402 bytes
- Pattern match 0x20a29010 at 50 bytes from the start of the IP header, matching on 4 bytes
You should not need to configure an ACL to complete this task.
Assume that the attack is coming from the direction of R1.
Explanation and Verification
Flexible Packet Matching (FPM) is a feature that allows granular packet inspection on Cisco IOS routers. Using FPM, you can match any string, byte, or even bit at any position in the IP (or, in theory, non-IP) packet. This can greatly aid in identifying and blocking network attacks that carry a static pattern in their traffic. A working understanding of Wireshark will help you determine which patterns to match in the traffic in question. The feature is configured with the Cisco Common Classification Policy Language (C3PL): class-maps, policy-maps, and service policies. Before configuring the policy, you must load the Protocol Header Definition Files (PHDFs) for the headers you want to match on; without them the router cannot interpret field names such as "IP length" or "UDP dest-port", and so cannot tell where in the header it is looking. Two kinds of class-map are involved: a "stack" class-map that tells FPM which protocol follows the IP header (here, protocol 0x11, UDP), and an "access-control" class-map holding the actual match lines. Note that IOS takes the match values in hexadecimal: 0x45 is port 69, 0x192 is 402 bytes, and the "gt" operator means a packet must be 403 bytes or longer to match. The pattern offset in "match start l3-start offset 50" is counted from the first byte of the IP header, not from the start of the UDP payload, so with a 20-byte IP header and an 8-byte UDP header the 4 bytes being compared are bytes 22 to 25 of the payload. Note that in the following solution an access-list is not used, according to the requirements of this task.
R3:

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#load protocol system:fpm/phdf/ip.phdf
R3(config)#load protocol system:fpm/phdf/udp.phdf
R3(config)#
R3(config)#class-map type access-control match-all TASK1.16
R3(config-cmap)#match field UDP dest-port eq 0x45
R3(config-cmap)#match field IP length gt 0x192
R3(config-cmap)#match start l3-start offset 50 size 4 eq 0x20A29010
R3(config-cmap)#
R3(config-cmap)#class-map type stack match-all UDP
R3(config-cmap)#match field IP protocol eq 0x11 next UDP
R3(config-cmap)#
R3(config-cmap)#policy-map type access-control W32-Blaster-Block
R3(config-pmap)#description "W32.Blaster Worm Attack Policy Task 1.16"
R3(config-pmap)#class TASK1.16
R3(config-pmap-c)#drop
R3(config-pmap-c)#
R3(config-pmap-c)#policy-map type access-control TASK1.16-POLICY
R3(config-pmap)#class UDP
R3(config-pmap-c)#service-policy W32-Blaster-Block
R3(config-pmap-c)#
Now you can apply the configuration to the interface facing R1.
R3(config)#int f0/0.13
R3(config-subif)#service-policy type access-control input TASK1.16-POLICY
R3(config-subif)#end
R3#
Verify the configuration.
R3#show policy-map type access-control interface f0/0.13
 FastEthernet0/0.13

  Service-policy access-control input: TASK1.16-POLICY

    Class-map: UDP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: field IP protocol eq 0x11 next UDP

      Service-policy access-control : W32-Blaster-Block

        Class-map: TASK1.16 (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps
          Match: field UDP dest-port eq 0x45
          Match: field IP length gt 0x192
          Match: start l3-start offset 50 size 4 eq 0x20A29010
          drop

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any

    Class-map: class-default (match-any)
      5 packets, 450 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R3#
The output confirms that the nested policy is attached in the right place and that all three match lines were accepted, but every counter under TASK1.16 is still zero: no packet meeting all three criteria has crossed f0/0.13 yet, and the 5 packets counted under the outer class-default are non-UDP traffic that never entered the UDP stack class. To prove that the drop action works, send a packet from the R1 side that satisfies all three criteria and re-run the show command; the TASK1.16 packet counter should increment and the packet should not reach R3's other interfaces. Keep in mind that the pattern is matched at a fixed offset from the IP header, so any change in the layout of the attacker's packet (for example IP options, which lengthen the IP header) shifts the payload and causes the signature to miss.
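To make the classifier's behaviour concrete, the following Python model walks an IPv4 packet through the same checks the TASK1.16 policy performs: the UDP stack class (IP protocol 0x11), the destination port, the "gt" length test, and the 4-byte pattern at a fixed offset from the IP header. It is an added example written for this page, not INE or Cisco code; the packets it builds are constructed inline (source 10.0.13.1, destination 10.0.13.3 and the payload filler are assumptions), and checksums are left zero because FPM does not validate them. The example also goes beyond the page's single case by showing how IP options shift the payload and defeat the fixed-offset match.

```python
import struct
from typing import Optional

# Match criteria of the TASK1.16 class-map. IOS takes the values in hex; the
# decimal equivalents are the ones the task statement uses.
UDP_DEST_PORT = 0x45            # 69 (TFTP)
MIN_IP_LENGTH = 0x192           # 402; the class-map uses "gt", so 403+ matches
PATTERN_OFFSET = 50             # counted from l3-start, the first byte of the IP header
PATTERN = bytes.fromhex("20a29010")


def fpm_first_miss(pkt: bytes) -> Optional[str]:
    """Walk the policy in the order the router does and return the name of the
    first match line the packet fails, or None if every line matches (match-all),
    which is the case in which the nested policy-map drops the packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not IPv4"
    ihl = (pkt[0] & 0x0F) * 4                        # IP options lengthen the header
    ip_total_len = struct.unpack("!H", pkt[2:4])[0]  # the field 'IP length' refers to
    if pkt[9] != 0x11 or len(pkt) < ihl + 8:
        return "stack class-map UDP"                 # 'match field IP protocol eq 0x11 next UDP'
    udp_dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    if udp_dport != UDP_DEST_PORT:
        return "UDP dest-port"                       # 'match field UDP dest-port eq 0x45'
    if not ip_total_len > MIN_IP_LENGTH:
        return "IP length"                           # 'match field IP length gt 0x192'
    # The offset is relative to the IP header, NOT to the UDP payload:
    # 'match start l3-start offset 50 size 4'. With no IP options that is byte 22
    # of the UDP payload (20 + 8 + 22 = 50); IP options move the payload instead.
    if pkt[PATTERN_OFFSET:PATTERN_OFFSET + 4] != PATTERN:
        return "pattern"
    return None


def fpm_drops(pkt: bytes) -> bool:
    """True when the packet would be dropped by policy-map W32-Blaster-Block."""
    return fpm_first_miss(pkt) is None


def build_ip_packet(dport: int, payload: bytes, options: bytes = b"", proto: int = 17) -> bytes:
    """Constructed IPv4 packet with an 8-byte UDP-style transport header.
    Addresses are assumed lab addresses; checksums are zero on purpose."""
    assert len(options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + 8 + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            (4 << 4) | ihl, 0, total_len, 0, 0, 64, proto, 0,
                            bytes([10, 0, 13, 1]), bytes([10, 0, 13, 3])) + options
    transport = struct.pack("!HHHH", 1025, dport, 8 + len(payload), 0)
    return ip_header + transport + payload


def blaster_like_payload(size: int = 400) -> bytes:
    """Constructed filler payload with the task's signature placed so that it
    lands at IP-header offset 50 when the IP header has no options."""
    body = bytearray(b"A" * size)
    body[22:26] = PATTERN
    return bytes(body)


if __name__ == "__main__":
    cases = {
        "signature, port 69, 428 bytes": build_ip_packet(69, blaster_like_payload()),
        "same but port 70": build_ip_packet(70, blaster_like_payload()),
        "same but IP length exactly 402": build_ip_packet(69, blaster_like_payload(374)),
        "same but TCP": build_ip_packet(69, blaster_like_payload(), proto=6),
        "same but 4 bytes of IP options": build_ip_packet(69, blaster_like_payload(),
                                                          options=b"\x01\x01\x01\x01"),
    }
    for name, pkt in cases.items():
        miss = fpm_first_miss(pkt)
        print(f"{name:32s} -> {'DROP' if miss is None else 'pass (fails: ' + miss + ')'}")
```

The last case is the one worth dwelling on: four bytes of NOP options make the IP header 24 bytes, the signature now sits at offset 54, and the packet sails through even though it is otherwise identical. That is the general weakness of fixed-offset signatures, and the reason an operator should confirm a new FPM policy against captured attack traffic rather than against the numbers alone.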
Recommended Reading
FPM on the INE Blog (http://blog.ine.com/2009/06/14/understanding-flexible-packet-matching/)
