
Cisco WCCP Attacks Prevention

Sami Wehbi (CCNA, CCNA VOICE, CCNP, MCP)

To Contact Me: ukayoo@yahoo.com
Web Page: http://www.geocities.com/ukayoo

April 16 2008

Most WCCP v1 and v2 attacks are caused by misconfiguration: most administrators
configure devices just to work in production, without taking security measures and
best practices into consideration.

To perform these attacks in a real lab environment you need:

- A Linux distribution of your choice (my preference: Fedora or Gentoo)
- Knowledge of installing and configuring a Squid proxy cache server
- Knowledge of configuring a GRE tunnel on Linux
- The dsniff tools or a sniffer of your choice
- FreeBSD can be used for all of the above

First of all, we will give an overview of WCCP.

How WCCP works

Here's an example of how WCCP works:

• A Web browser makes a request, which goes to a router.
• The router intercepts the request.
• The router redirects the request to a new location inside a generic routing
encapsulation (GRE) frame to prevent any modifications to the original packet.
• The new device -- typically a Web appliance of some type -- can choose to
masquerade as the real server or send it somewhere else. Assuming it accepts the
packet, the new device can provide a response.

The benefit to using WCCP is that we assume the appliance provides services that the
router does not -- for example, Web content filtering, caching, logging, security, or
authentication. I've seen WCCP used with Squid proxy servers, Blue Coat Web caching
and content filtering appliances, and Cisco content caching engines.

The benefit to transparently routing traffic to a Web appliance is that you don't have to
make any changes to your Web browsers (and you don't have to configure a proxy
server). In addition, Web caching appliances offer these benefits:

• They lower response times for Web requests.
• They optimize bandwidth utilization of the Internet circuit.
• They log Web requests and report on them.
• They filter requested content.

Not surprisingly, WCCPv2 offers a number of features that WCCPv1 does not. WCCPv2
supports protocols other than HTTP, multiple routers, MD5 security, and load
distribution.

With WCCP, you can use a "cache cluster" for load balancing, scaling, and fault
tolerance. You can also use Hot Standby Router Protocol (HSRP) with your routers to
provide redundancy for your WCCP routers. (1)

Attack Vectors

• Open Proxy

- You should configure your cache properly; most cache engines contain some type
of access control, similar to the ACL lists on a Squid cache server.
- You should configure these access lists properly, allowing only your network to
use the cache engine and not relaying external requests or other protocols (e.g. SMTP)
through your cache.

The Web is full of them (2):

http://www.samair.ru/proxy
http://www.xroxy.com/proxylist.htm

• Cache Engine attacks

Cisco misconfiguration:

- The WCCP configuration commands on the router
- The redirect list used for permitting/denying traffic to the cache engine

Cache engine misconfiguration:

- Relying on the redirect list on the router for access control; if the redirect
list is poorly configured, the result is an open proxy.

Most people configure it this way on Cisco routers:

Globally:

#ip wccp web-cache redirect-list www

Internet interface:

#ip wccp web-cache redirect out

The previous commands enable WCCP on the router and use an access list called www
(3) to permit or deny redirection of requests to the cache engine based on source and
destination.

An Attacker Could:

1- Port scan the router he intends to attack on its UDP ports to gather information.

2- Configure a Linux box as a Squid proxy cache that supports WCCP v1 and v2.

3- Configure a GRE tunnel and initiate WCCP v1 or v2, depending on which version the
router is configured with (GRE is dynamic and automatic on the router side).

4- WCCP load balances between cache engines; in Squid he can increase his cache
engine's priority so that he receives a greater percentage of the overall HTTP
requests from the network he is attacking.

5- Once the router starts redirecting requests to the attacker's cache engine,
imagine what the attacker could do ...

1- Nmap -sU -p 2048 192.168.0.1 192.168.0.100

2- Search the Web for that; there are plenty of articles on how to configure Squid/WCCP
on Linux or FreeBSD (4).

3- Search the Web!!! (5)

4- In your Squid configuration you can add this for the priority option (6); the
default value is 10000:

wccp2_weight 15000

Some notes:

- WCCP: Web Cache Communication Protocol, created by Cisco
- It listens on port 2048/UDP.
- It does not define a source port; it is likely to be 2048.
- The router uses the highest loopback interface IP address as the router identifier
for WCCP, if a loopback interface is configured.
- Squid's WCCP support currently handles one router; it cannot be configured as a
cache engine for multiple routers.

Mostly these attacks can be stopped by correctly configuring both the cache engine
and the router:

- Correctly configure WCCP on the router, adding the group-list parameter to the
global ip wccp configuration command, which controls which cache engines are used
by the router.

- Block the ports used by WCCP where they are not needed, using ACLs.

- Configure access control using the router redirect-list, with logging, to see any
failed attempts.

- Configure the cache engine with its own access control mechanism, if it supports one.

- Route the GRE tunnel traffic securely through your network if possible, or connect
the router and cache engine back to back, preventing internal intruders from
intercepting traffic and gathering information and data.
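An added example, not code from the paper: a small Python audit of an IOS-style running configuration against the mitigations just listed. It checks the ip wccp line for a group-list (restricting which cache engines may register) and a WCCPv2 password, and checks the redirect-list ACL for an any-to-any permit and for a logged deny. Both configuration fragments are constructed; the ACL names, the 192.168.0.0/24 network, the cache engine address and the password value are assumptions.

```python
import re
# Constructed IOS fragments (not from the paper): WEAK is the "just works" setup it
# shows; HARDENED adds its mitigations. Password is a placeholder; interface lines omitted.
WEAK_CONFIG = """
ip wccp web-cache redirect-list www
ip access-list extended www
 permit tcp any any eq www
"""

HARDENED_CONFIG = """
ip wccp web-cache redirect-list www group-list CACHES password EXAMPLE1
ip access-list extended www
 permit tcp 192.168.0.0 0.0.0.255 any eq www
 deny ip any any log
ip access-list standard CACHES
 permit host 192.168.0.100
 deny any log
"""

def parse_acls(config):  # map each named ACL to its indented entry lines
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None
    return acls

def audit_wccp(config):  # findings per global 'ip wccp' service line; [] passes
    findings, acls = [], parse_acls(config)
    for m in re.finditer(r"^ip wccp (web-cache|\d+)\b(.*)$", config, re.M):
        service, opts = m.groups()
        gl = re.search(r"group-list (\S+)", opts)
        rl = re.search(r"redirect-list (\S+)", opts)
        entries = acls.get(rl.group(1), []) if rl else []
        if not gl:  # without a group-list any host may register as a cache engine
            findings.append(f"{service}: no group-list")
        elif any(e.startswith("permit any") for e in acls.get(gl.group(1), [])):
            findings.append(f"{service}: group-list {gl.group(1)} permits any host")
        if "password" not in opts:  # WCCPv2 MD5 authentication is off
            findings.append(f"{service}: no password")
        if not rl or any(e.startswith("permit") and " any any" in e for e in entries):
            findings.append(f"{service}: redirect-list missing or permits any source")
        if not any(e.startswith("deny") and e.endswith(" log") for e in entries):
            findings.append(f"{service}: redirect-list has no logged deny")
    return findings
```

Run it against a saved "show running-config" to list the WCCP lines that still need the group-list, password or logged deny.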

(1) This definition was taken from TechRepublic:
http://articles.techrepublic.com.com/5100-1035_11-6175637.html
http://www.colasoft.com/resources/protocol.php?id=WCCP

(2) Open Proxy:
http://en.wikipedia.org/wiki/Open_proxy

(3) For further configuration and options you can check out:
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/wccp.html

(4) For further configuration and options you can check out:
http://wiki.squid-cache.org/ConfigExamples/

(5) For further configuration and options you can check out:
http://lartc.org/

(6) For further configuration and options you can check out:
http://www.visolve.com/squid/squid26/miscellaneous.php#wccp2_weight
