Cisco IP Phone TCP Packet Flood Denial of Service Vulnerability

A vulnerability in the TCP packet processing functionality of Cisco IP Phones could allow an unauthenticated, remote attacker to cause the phone to stop responding to incoming calls, drop connected calls, or unexpectedly reload. 

The vulnerability is due to insufficient TCP ingress packet rate limiting. An attacker could exploit this vulnerability by sending a high and sustained rate of crafted TCP traffic to the targeted device. A successful exploit could allow the attacker to impact operations of the phone or cause the phone to reload, leading to a denial of service (DoS) condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phone-flood-dos-YnU9EXOv

Security Impact Rating: High

CVE: CVE-2020-3574


Can we disable telephony ALG (Sip-Helper) for VPN connections?

Question

============

Can we disable ALG (SIP-Helper) for all VPN Sessions?

If possible, for specific IP ranges or for AAA groups?

How can we do this? It is causing phone connections to drop for a specific customer using other vendors for VoIP calls passing through the Gateway VPN.

Answer

=============

Unfortunately, it is not possible to bind the SIP header drop policy to a VPN Gateway or to an AAA group.

SIP rewrite policies are evaluated only against SIP protocol type binding points, like an LB VIP of type SIP.

As a possible path to disable SIP in ADC, you could:

====================

First – find a way to route all your SIP type traffic to a SIP load balancing virtual server.

Second – bind the rewrite policy to this LB vserver. This way, the SIP rewrite policy will be evaluated against SIP protocol traffic.

For example:

=====================

add rewrite action Drop_SIP_Helper_Act delete_sip_header SIP-Helper

add rewrite policy Drop_SIP_Helper_Pol "SIP.REQ.HEADER(\"SIP-Helper\").EXISTS" Drop_SIP_Helper_Act

This is the only way to disable SIP from ADC standpoint.

You could bind the rewrite policy globally as well, but even then only SIP protocol binding points (like SIP LB VIPs) will evaluate the policy.


SD-WAN QoS – FAQ

2. What type of traffic is allocated by default to the different classes?

In the SD-WAN environment, we think of applications as falling into one of the following three classes:

Real-time – VoIP or VoIP-like applications, such as Skype or ICA audio. In general, this refers to voice-only applications that use small UDP packets and are business critical.

Interactive – This is the broadest category and refers to any application with a high degree of user interaction. Some of these applications, for example video conferencing, are sensitive to latency and require high bandwidth. Others, like HTTPS, may need less bandwidth but are critical to the business. Interactive applications are typically transactional in nature.

Bulk – Any application that does not need a rich user experience and is more about moving data (e.g. FTP or backup/replication).

3. How the real-time class works vs. interactive:

Real-time (RT) classes are given the highest priority and get up to 50% of the overall scheduler time. Each class can be weighted with respect to the other RT classes; for example, we could have two RT classes, one weighted to 70% and the other to 30%.

Interactive (INT) classes take the next priority and can consume the rest of the scheduler time as the traffic demands. Individual INT classes can be weighted, and by default four weights (high, medium, low and very low) are defined.

4. Will bulk suffer if interactive and real-time flows are there?

Yes. Bulk traffic is serviced only after real-time and interactive traffic have been serviced. Typically, a bulk class gets a lower sustained share percentage than an interactive class.

5. How are QoS classes prioritized?

Real-time (RT) and interactive (INT) classes are prioritized as described in question 3 above: RT classes come first with up to 50% of the scheduler time, weighted against each other, and INT classes take the next priority with whatever scheduler time remains.

Bulk (BLK) classes take the lowest priority and can be considered scavenger classes. They can be weighted, but they can be completely starved of bandwidth if INT/RT traffic is consuming all of the scheduler time.

6. What is the purpose of “Retransmit Lost Packets” option under WAN General, IP Rules?

If the receiving SD-WAN appliance detects a missing packet it can request that packet to be resent by the sending SD-WAN appliance.

7. What are the criteria for the QoS calculation?

QoS is always calculated on the send side.

The fair share calculation for the services is done per WAN link.

8. What is Dual-Ended QoS?

The Receive side sends the Control Packets to advertise the available bandwidth before the actual Data transfer is initiated.

9. How is share provided during contention?

Please refer to this article: https://support.citrix.com/article/CTX256716

10. Difference between the Drop Limit and Drop Depth:

Drop Limit: If the estimated queue time for a packet exceeds the threshold, the packet is discarded. Not valid for bulk classes.

Drop Depth (Send Buffer): The maximum estimated time that packets smaller than the large packet size will have to wait in the class scheduler. If the queue depth exceeds the threshold, the packet is discarded and counted in the statistics.

11. How is the Drop Limit calculated (ms)?

Number of bytes queued divided by the bandwidth available for the class.
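As an added example (not from the FAQ or from Citrix code), a small Python model of the rules in questions 5, 10 and 11: RT classes share at most 50% of the scheduler time by weight, INT classes split what is left by weight, BLK classes scavenge the remainder, and the Drop Limit check estimates queue wait as bytes queued over class bandwidth and skips bulk classes. Class names, weights, demands and byte counts are constructed for illustration.

```python
RT_CAP = 0.5  # real-time classes together get at most half of the scheduler time

def _weighted_split(budget, members, demand, weights):
    """Share `budget` (fraction of link) among `members` by weight, never granting
    a class more than it actually demands."""
    total_w = sum(weights[m] for m in members) or 1
    return {m: min(demand.get(m, 0.0), budget * weights[m] / total_w) for m in members}

def scheduler_shares(classes, demand):
    """classes: name -> (kind, weight), kind in {"RT", "INT", "BLK"}.
    demand:  name -> fraction of link bandwidth the class wants right now.
    Returns name -> fraction of link bandwidth granted for this scheduling round."""
    weights = {n: w for n, (_, w) in classes.items()}
    by_kind = {k: [n for n, (kind, _) in classes.items() if kind == k]
               for k in ("RT", "INT", "BLK")}
    grants = {}
    # 1. RT first: capped at RT_CAP however much it demands, split by weight (e.g. 70/30)
    rt_budget = min(RT_CAP, sum(demand.get(n, 0.0) for n in by_kind["RT"]))
    grants.update(_weighted_split(rt_budget, by_kind["RT"], demand, weights))
    # 2. INT next: may consume everything RT left over, as traffic demands
    left = 1.0 - sum(grants.values())
    int_budget = min(left, sum(demand.get(n, 0.0) for n in by_kind["INT"]))
    grants.update(_weighted_split(int_budget, by_kind["INT"], demand, weights))
    # 3. BLK last: scavenges whatever remains and may be starved completely
    left = max(0.0, 1.0 - sum(grants.values()))
    grants.update(_weighted_split(left, by_kind["BLK"], demand, weights))
    return grants

def drop_limit_ms(bytes_queued, class_bandwidth_bps):
    """Question 11: estimated queue wait = bytes queued / bandwidth available to the class."""
    return bytes_queued * 8 / class_bandwidth_bps * 1000

def should_drop(kind, bytes_queued, class_bandwidth_bps, limit_ms):
    """Question 10: discard when the estimate exceeds the Drop Limit; never for bulk classes."""
    if kind == "BLK":
        return False
    return drop_limit_ms(bytes_queued, class_bandwidth_bps) > limit_ms

# Constructed sample: two RT classes weighted 70/30, two INT classes, one BLK class,
# all offering more traffic than a saturated link can carry.
SAMPLE_CLASSES = {"voice": ("RT", 70), "ica_audio": ("RT", 30),
                  "https": ("INT", 60), "video_conf": ("INT", 40),
                  "backup": ("BLK", 100)}
SAMPLE_DEMAND = {"voice": 0.4, "ica_audio": 0.4, "https": 0.3,
                 "video_conf": 0.3, "backup": 0.9}

if __name__ == "__main__":
    for name, share in scheduler_shares(SAMPLE_CLASSES, SAMPLE_DEMAND).items():
        print(f"{name:11s} {share:5.0%}")   # backup ends up starved at 0%
    print(drop_limit_ms(12500, 1_000_000))  # 100.0 ms queued on a 1 Mbit/s class
```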

12. What are transmit modes based on?

• Persistent path – Based on latency. If a path's latency exceeds 50 ms, that path is penalised and a new path is chosen.

• Load balanced path – Based on packet loss.

• Duplicate paths – Packets are duplicated over the WAN links.

13. What is MOS (Mean Opinion Score) under rule groups?

This feature gathers application statistics from the WAN to the LAN side of the virtual path. MOS is a measure of the quality of experience that an application delivers to end users. It is primarily used for VoIP applications, but in SD-WAN, MOS is also used to assess the quality of non-VoIP applications.

14. What is Application QoS and how is it implemented?

By default, SD-WAN has pre-defined application families based on the type of application in the incoming traffic, for example Anti-Virus, Microsoft Office, etc.

It is also possible to create custom application objects.

15. QoS Fairness (RED):

Please refer to this document:

https://docs.citrix.com/en-us/netscaler-sd-wan/10/quality-of-service/qos-fairness.htm

16. Do we have an option to enable Auto-Bandwidth Provisioning?

Yes, from SD-WAN version 10.2.x there is an option under Site > WAN Links > Provisioning to enable Auto-Bandwidth Provisioning.

17. What is Auto-Bandwidth Provisioning?

When enabled, the shares for all services defined in the Provisioning section are calculated automatically and applied according to the bandwidth that may be required by the remote sites.

18. How to diagnose whether a QoS issue is caused by SD-WAN or not?

Based on multiple factors:


How Microsoft Service Witness Protocol Works in OneFS

The Service Witness Protocol (SWP) is a remote procedure call (RPC)-based protocol. In a highly available cluster environment, SWP is used to monitor the state of resources such as servers and NICs, and to proactively notify registered clients when the state of a monitored resource changes.

This post describes how SWP is implemented in OneFS.

In OneFS, SWP is used to notify SMB clients when a node is down or rebooted, or when NICs are unavailable. The Witness server in OneFS therefore needs to monitor the state of nodes and NICs and the assignment of IP addresses to the interfaces of each pool. This information is provided by SmartConnect/FlexNet and the OneFS Group Management Protocol (GMP).

The OneFS GMP is used to create and maintain a group of synchronized nodes. GMP distributes a variety of state information about nodes and drives, from identifiers to usage statistics, so the Witness service learns the state of nodes from GMP notifications.

As for the IP addresses in each pool, SmartConnect/FlexNet provides the following to support SWP in OneFS:

  1. Locate the FlexNet IP pool given a pool member's IP address. From a given IP address, the Witness server can determine the IP pool it belongs to and obtain the other pool members' information.
  2. Get the SmartConnect zone name and alias names for the FlexNet IP pool obtained in the previous step.
  3. Witness can subscribe to changes to the FlexNet IP pool and is notified when:
    • An IP address is added to an active pool member or removed from a pool member.
    • A NIC goes from DOWN to UP or from UP to DOWN, so the Witness knows whether an interface is available.
    • An IP address is moved from one interface to another.
    • An IP address is about to be removed from the pool or moved from one interface to another, whether initiated by an admin or by a re-balance process.

The figure below shows the process of Witness selection and what happens after a failover occurs.

[Figure: Drawing1.jpg – Witness selection and failover]

  1. An SMB CA-capable client connects to a OneFS cluster SMB CA share through the SmartConnect FQDN, landing on Node 1.
  2. The client finds that CA is enabled and starts the Witness registration process by sending a GetInterfaceList request to Node 1.
  3. Node 1 returns a list of available Witness interface IP addresses to which the client can connect.
  4. The client selects any interface IP address from the list (in this example Node 2 is selected as the Witness server). The client then sends a RegisterEx request to Node 2, but this request fails because OneFS does not support this operation: RegisterEx is a new operation introduced in SWP version 2, and OneFS only supports SWP version 1.
  5. The client sends a Register request to Node 2 to register for resource state change notifications for a NetName and an IPAddress (in this example, the NetName is the SmartConnect FQDN and the IPAddress is the IP of Node 1).
  6. The Witness server (Node 2) processes the request and returns a context handle that identifies the client on the server.
  7. The client sends an AsyncNotify request to Node 2 to receive asynchronous notification of changes in the state of the cluster nodes and node interfaces.
  8. Assume Node 1 goes down unexpectedly. The Witness server, Node 2, becomes aware that Node 1 is broken and sends an AsyncNotify response to notify the client that the server state is down.
  9. The SMB CA feature forces the client to reconnect to the OneFS cluster using the SmartConnect FQDN. In this example, SMB CA successfully fails over to Node 3.
  10. The client sends its context handle in an UnRegister request to unregister from notifications from Witness server Node 2.
  11. The Witness server processes the request by removing the entry and no longer notifies the client about resource state changes.
  12. Steps 12-17: the client starts the registration process again, as in steps 2-7.
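As an added example, not from the OneFS post or from Dell code, the following Python models the exchange in steps 2-12 above: a Witness server that speaks only SWP version 1 and a client that falls back from RegisterEx to Register, receives the AsyncNotify when the node it watches fails, unregisters, and registers again after SMB CA reconnects. Node names, IPs (192.0.2.0/24 documentation range), the FQDN and the rule that the first listed interface is chosen are constructed assumptions; in the real system GMP and SmartConnect/FlexNet supply the node state and IP pool data that the model keeps in plain dicts.

```python
class WitnessServer:
    """One node's Witness service (SWP version 1 only). `ips` maps node -> Witness IP and
    `down` is the shared set of failed nodes; both are constructed stand-ins for GMP/FlexNet."""
    def __init__(self, node, ips, down):
        self.node, self.ips, self.down = node, ips, down
        self.registrations = {}   # context handle -> (NetName, IPAddress) being watched
        self.pending = {}         # context handle -> notification waiting for AsyncNotify
        self._next_handle = 1
    def get_interface_list(self):
        """Witness IPs the client may register with: every node that is up, other than this one."""
        return [ip for n, ip in self.ips.items() if n != self.node and n not in self.down]
    def register_ex(self, net_name, ip_address):
        raise NotImplementedError("RegisterEx is an SWP v2 operation; this server speaks v1 only")
    def register(self, net_name, ip_address):
        handle, self._next_handle = self._next_handle, self._next_handle + 1
        self.registrations[handle] = (net_name, ip_address)
        return handle                      # context handle identifying the client
    def node_down(self, node):
        """GMP reports a node down: queue a notification for every client watching its IP."""
        self.down.add(node)
        for handle, (net_name, ip) in self.registrations.items():
            if ip == self.ips[node]:
                self.pending[handle] = f"{net_name} {ip} UNAVAILABLE"
    def async_notify(self, handle):
        return self.pending.pop(handle, None)   # a real server blocks until a change occurs
    def unregister(self, handle):
        self.registrations.pop(handle, None)
        self.pending.pop(handle, None)

def register_with_witness(servers, ips, fqdn, connected_node, log):
    """Steps 2-7: GetInterfaceList, pick a Witness, RegisterEx fails, Register succeeds."""
    witness_ip = servers[connected_node].get_interface_list()[0]
    witness = next(n for n, ip in ips.items() if ip == witness_ip)
    try:
        servers[witness].register_ex(fqdn, ips[connected_node])
    except NotImplementedError:
        log.append(f"RegisterEx to {witness} failed; retrying with v1 Register")
    handle = servers[witness].register(fqdn, ips[connected_node])
    log.append(f"Registered with {witness}, handle {handle}")
    return witness, handle

def failover_exchange(fqdn="cluster.example.test"):
    """Steps 2-12: node1 fails and SMB CA reconnects to node3 (constructed scenario)."""
    ips, down = {"node1": "192.0.2.11", "node2": "192.0.2.12", "node3": "192.0.2.13"}, set()
    servers = {n: WitnessServer(n, ips, down) for n in ips}
    log = []
    witness, handle = register_with_witness(servers, ips, fqdn, "node1", log)
    servers[witness].node_down("node1")          # step 8: GMP reports node1 gone
    log.append(f"AsyncNotify from {witness}: {servers[witness].async_notify(handle)}")
    servers[witness].unregister(handle)          # steps 10-11 after SMB CA reconnects to node3
    witness2, _ = register_with_witness(servers, ips, fqdn, "node3", log)   # steps 12-17
    return log, witness, witness2
```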


Smarts VOIP: IPPhones Registration Status changes from “REGISTERED” to “UNKNOWN” post device discovery

Article Number: 502582 | Article Version: 3 | Article Type: Break Fix

Smarts VoIP Availability Manager 9.4.2

The RegistrationStatus of IPPhones in the VoIP domain is “REGISTERED” once discovery completes successfully. However, in subsequent polling cycles the RegistrationStatus of the same IPPhone is polled as “UNKNOWN”.

Smarts uses the CallManager hostname in the SOAP query while discovering CUCMs, but for subsequent polling of the device Smarts uses the IP address of the CallManager instead to check its status.

As a result, the CUCM is discovered successfully with RegistrationStatus REGISTERED at first, but is later shown as “UNKNOWN”, because some users have their CUCM configured to be recognized by hostname only, or have a NAT-configured environment.

The fix is for Smarts to use CUCM hostnames consistently throughout VoIP data processing.

This issue is recognized as a bug, and a code fix is included in Smarts VoIP 9.4.2 patch 12. Please contact Dell EMC Technical Support, referencing this KB, if the scenario described above is seen in your environment and a fix is required before the patch release.


NetScaler Double Hop Communication Flow with StoreFront

Logon Process

First NetScaler Gateway packet flow (the second NetScaler does not come into the picture until the apps are enumerated)

1. The user starts a browser and connects (via hostname) to the external IP address of the first-hop NetScaler Gateway FQDN. The NSG authenticates the user and sends the request to StoreFront.

2. The StoreFront in the second DMZ receives the request.

3. StoreFront validates the user based on the supplied credentials.

4. The StoreFront in the second DMZ sends the credentials to a server on the internal network hosting the XML service.

5. The XML service authenticates the user and retrieves the list of published applications the user has access to. This list is sent back to StoreFront.

6. StoreFront generates a page with the published apps and sends the page back to the user through the NetScaler in the first DMZ.


Starting Process

1. The user clicks an application and the request is forwarded to StoreFront.

2. StoreFront (SF) again contacts the XML service to determine which XenApp server will handle the request. The XML service returns the server's IP address.

3. SF then contacts the Secure Ticket Authority (STA) to exchange the IP address for a session ticket. The STA saves the IP address and sends a session ticket to SF. (The XML and STA servers do not have to be the same server.)

4. SF generates an ICA file containing the STA session ticket and the FQDN of the NSG in the first DMZ. This ICA file is sent back to the user through the NSG in the first DMZ. In the screenshot, the application I clicked was Mozilla Firefox and the FQDN is that of the first hop.

5. The plugin on the user's machine reads the ICA file and initiates an ICA connection, carrying the session ticket, to the first-hop NS in the first DMZ.

6. The NS in the first DMZ sends the session ticket through the NS in the second DMZ to the STA for validation. In the trace, the first NS sends the same ticket to 10.104.23.83, which is the IP of the second-hop NS, with a Host header of 10.104.23.149, which is the STA server. From this Host header the second hop knows that it must forward the request to that STA server (the second hop has no STA configuration of its own).

7. The STA validates the ticket and sends the IP address of the XenApp server to the NS in the first DMZ.

In the trace on the second NS, packet 36455 is the same decrypted packet sent by the first NS, and in the next packet, 36456, this second NS makes a request to the original STA server 10.104.23.149.

In the next packet on the same second hop, a response is received from the STA server stating that the XenApp server is 10.104.23.149 on port 1494, and the same response is forwarded to the first-hop NS in the next packet, 36461. (In my lab the XenApp server and the STA are the same machine, which is why the same IP 10.104.23.149 appears.)

8. The NS in the first DMZ establishes an ICA connection to the IP address of the XenApp server. This connection is proxied to the second-hop NS; the first-hop NS never tries to connect to XenApp directly. The first-hop NS proxies all ICA connections to the second hop, 10.104.23.83, and the second-hop NS forwards the ICA traffic to the actual XenApp servers.

In the trace taken on the second hop, the traffic arriving at this hop (10.104.23.83) is highlighted in green, and the connection this NS makes to the actual XenApp server (10.104.23.149) is highlighted in pink.

9. The XenApp server sends an acknowledgement back to the second-hop NS (acting as proxy), which passes it on to the first-hop NS. The SSL/TLS handshake between the CAG in the first DMZ and the XenApp client then completes, the ICA session is established, and all traffic flows.

CEM Enabled Agent questions

I need a solution

Hello World!

Getting ready to enable CEM with ITMS 8.1, and I’m a little confused about something…

When an agent is at home/coffee shop/etc. and is CEM enabled, does the package download happen directly from the site server (after authenticating and establishing a handshake via the Internet Gateway) via HTTPS, or does the agent make the handshake and the gateway act as the middle man for the downloads?

Here’s the scenario I’m looking at:

We have 3 major regions and would like to have 3 dedicated site servers, one for each region, but we are not sure if the speed test to the site servers (listed in the Internet Gateway app) will occur from the Symantec agent or from the gateway. From my understanding, it should happen from the Symantec agent. For example, if I have 3 CEM site servers (one in the US, one in Europe, and one in Asia) and have a CEM enabled endpoint in Brazil, it should do a speed test and connect to the site server in the US, correct?!

All answers will be greatly appreciated!


Re: How does SmartConnect DNS work? And SIP details?

Trying to do some research related to SmartConnect. I understand the majority of how it works, however I have a question pertaining to the traffic flow. I’ll try and lay this out; I’m mostly looking at how the communication flows.

All devices below are segmented via firewall:

Laptop1 (10.2.26.50)

DNSserver1 (10.1.9.200)

IsilonNAS1 SIP (10.1.8.200)

Is this correct?

Laptop1 makes a content request for data sitting on IsilonNAS1. The DNS request goes from Laptop1 to DNSserver1, then DNSserver1 makes a request to IsilonNAS1, all over DNS port 53. Does Laptop1 ever make DNS queries directly to IsilonNAS1?

Is the SIP the same as the management IP address of the cluster? Can the SIP reside on a different network than the management network?
