April 16 2008
Most attacks against WCCP v1 and v2 are made possible by misconfiguration: administrators
often configure devices just to get them working in production, without taking security
measures and best practices into consideration.
The benefit of using WCCP is that we assume the appliance provides services that the
router does not -- for example, Web content filtering, caching, logging, security, or
authentication. I've seen WCCP used with Squid proxy servers, Blue Coat Web caching
and content filtering appliances, and Cisco content caching engines.
The benefit of transparently routing traffic to a Web appliance is that you don't have to
make any changes to your Web browsers (and you don't have to configure a proxy
server). In addition, Web caching appliances offer these benefits:
Not surprisingly, WCCPv2 offers a number of features that WCCPv1 does not. WCCPv2
supports protocols other than HTTP, multiple routers, MD5 security, and load
distribution.
With WCCP, you can use a "cache cluster" for load balancing, scaling, and fault
tolerance. You can also use Hot Standby Router Protocol (HSRP) with your routers to
provide redundancy for your WCCP routers (1).
Attack Vectors
• Open Proxy
- You should configure your cache properly; most cache engines contain some type
of access control similar to the ACL lists on a Squid cache server.
- You should configure these access lists properly, allowing only your network to
use the cache engine and not relaying external requests or other protocols (e.g. SMTP)
through your cache.
Cisco misconfiguration:
- Relying on the redirect list on the router for access control: if the redirect list is
poorly configured, the result can be an open proxy.
Globally:
Internet interface:
The previous commands enable WCCP on the router and use an access list called www
(3), permitting or denying requests to the cache engine based on source and destination.
An Attacker Could:
1- Port scans the router he intends to attack on its UDP ports to gather information.
2- Configures a Linux box as a Squid proxy cache that supports WCCP v1 / v2.
4- WCCP load balances between cache engines; on Squid he can increase his cache
engine's priority so that he receives a greater percentage of the overall HTTP
requests from the network he is attacking.
5- Once the router starts redirecting requests to the attacker's cache engine,
imagine what the attacker could do …
2- Search the Web for that; there are plenty of articles on how to configure Squid/WCCP on
Linux or FreeBSD (4).
4- In your Squid configuration you can add this for the priority option (6); the default
is 10000:
wccp2_weight 15000
Some Notes:
- Configure WCCP on the router correctly, adding the group-list parameter to the wccp
global configuration command; it controls which cache engines are accepted by the
router.
- Block the ports used by WCCP where they are not needed, using an ACL.
- Configure access control using the router redirect-list, with logging, so that failed
attempts are visible.
- Configure the cache engine with its own access control mechanism if it supports one.
- Route the GRE tunnel traffic securely through your network if possible, or connect
the router and cache engine back to back, preventing internal intruders from
intercepting the tunnel and gathering information and data.
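The router-side hardening described in the notes above, written out as a constructed Cisco IOS configuration (added here; it is not from the original page or from Cisco's documentation). The first fragment is the misconfiguration the page warns about (redirect list as the only control); the second adds a group-list, an MD5 service password and an ingress ACL. Addresses, interface names and the password are assumed placeholders; the cache engine must be configured with the same password.

```cisco
! ---- Weak: the redirect list is the only control. Any host that can reach the
! ---- router's WCCP port (UDP 2048) may register as a cache engine.
ip wccp web-cache redirect-list www
!
interface FastEthernet0/0
 description Internet-facing (placeholder name)
 ip wccp web-cache redirect out

! ---- Hardened (constructed values: router 192.0.2.1, cache engine 192.0.2.10,
! ---- inside clients 10.0.0.0/8)
!
! group-list: only the listed cache engine is accepted into the service group
access-list 10 remark WCCP cache engines allowed to join
access-list 10 permit host 192.0.2.10
!
! redirect-list: redirect only inside clients' HTTP to the cache; log other HTTP
! that reaches the redirect path (everything else falls to the implicit deny and
! is routed normally, never sent to the cache)
ip access-list extended www
 permit tcp 10.0.0.0 0.255.255.255 any eq www
 deny   tcp any any eq www log
!
! enable the service with all three controls; the password is a placeholder
ip wccp web-cache redirect-list www group-list 10 password CHANGE-ME-wccp-key
!
! drop WCCP control traffic and GRE arriving from the Internet, and log it
ip access-list extended OUTSIDE-IN
 deny   udp any any eq 2048 log
 deny   gre any host 192.0.2.1 log
 permit ip any any
!
interface FastEthernet0/0
 description Internet-facing (placeholder name)
 ip access-group OUTSIDE-IN in
 ip wccp web-cache redirect out
!
interface FastEthernet0/1
 description Back-to-back link to the cache engine (placeholder name)
 ip address 192.0.2.1 255.255.255.252
 ip wccp redirect exclude in
```

Verify with `show ip wccp web-cache detail`: only 192.0.2.10 should appear as a router-accepted cache, and a rogue engine attempting to join will not be listed.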
(1) This definition was taken from TechRepublic:
http://articles.techrepublic.com.com/5100-1035_11-6175637.html
http://www.colasoft.com/resources/protocol.php?id=WCCP
(3) For further configuration and options you can check out:
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/wccp.html
(4) For further configuration and options you can check out:
http://wiki.squid-cache.org/ConfigExamples/
(5) For further configuration and options you can check out:
http://lartc.org/
(6) For further configuration and options you can check out:
http://www.visolve.com/squid/squid26/miscellaneous.php#wccp2_weight