From: Brown, Patrick (NSOC-OCF} (PBrown4@chartercom.com)
Date: Wed Aug 13 2003 - 12:53:50 GMT-3
Anytime you have the log option on the ACL, you are process switching
packets. Take the log statement out of the ACL for 135 definitely. I would
take it out for 4444 and 69 also dependent on the platform. This will
definitely hose your box :)
ex:
ip access-list ext cisco-n-microsoft-problem
deny tcp any any eq 135
deny tcp any any eq 445
deny tcp any any eq 593
deny 53 any any
deny 55 any any
deny 77 any any
deny pim any any
permit ip any any
Thanks,
Patrick B
-----Original Message-----
From: Kurt Kruegel
To: MADMAN; Jung, Jin
Cc: 'George Gittins'; ccielab@groupstudy.com
Sent: 8/13/2003 10:45 AM
Subject: Re: Virus Alert - W32.Blaster.Worm
I used the access-list to try to block it and cpu freaked out
and we had to power cycle.
Anyone see a problem with this?
access-list 115 deny tcp any eq 4444 any log
access-list 115 deny tcp any eq 135 any log
access-list 115 deny udp any eq 69 any log
access-list 115 deny icmp any any redirect
access-list 115 deny ip 0.0.0.0 0.255.255.255 any
access-list 115 deny ip 255.0.0.0 0.255.255.255 any
access-list 115 deny ip 1.0.0.0 0.255.255.255 any
access-list 115 deny ip 2.0.0.0 0.255.255.255 any
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 169.254.0.0 0.0.255.255 any
access-list 115 deny ip 192.0.2.0 0.0.0.255 any
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
own nets deleted
access-list 115 permit ip any any
----- Original Message -----
From: "MADMAN" <dave@interprise.com>
To: "Jung, Jin" <jin.jung@lmco.com>
Cc: "'George Gittins'" <g.gittins@edinburg.esc1.net>;
<ccielab@groupstudy.com>
Sent: Wednesday, August 13, 2003 11:11 AM
Subject: Re: Virus Alert - W32.Blaster.Worm
> Jung, Jin wrote:
> > Hi Brian,
> > Did you block tcp and udp port 135 ?
> > Does it break windows netbios?
> >
> > I only blocked 4444 and 69, should I block 135 too?
>
> Yes.
>
> http://www.cert.org/advisories/CA-2003-20.html
>
> Dave
>
> >
> > Thanks...
> >
> > -----Original Message-----
> > From: George Gittins [mailto:g.gittins@edinburg.esc1.net]
> > Sent: Wednesday, August 13, 2003 9:43 AM
> > To: ccielab@groupstudy.com
> > Subject: FW: Virus Alert - W32.Blaster.Worm
> >
> >
> > Why port 135? Can you show an access-list?
> >
> > George Gittins
> > Network Maintenance Supervisor
> > ECISD
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Brown, Patrick (NSOC-OCF}
> > Sent: Tuesday, August 12, 2003 7:58 PM
> > To: 'Snow, Tim '; ''ccielab@groupstudy.com' '
> > Subject: RE: Virus Alert - W32.Blaster.Worm
> >
> > Getting about 20,000 hits a second on ACL referencing port 135. Plus Arp
> > process is going through the roof until acl is applied.
> >
> > Patrick B
> >
> >
> >
> > -----Original Message-----
> > From: Snow, Tim
> > To: 'ccielab@groupstudy.com'
> > Sent: 8/11/2003 10:14 PM
> > Subject: Virus Alert - W32.Blaster.Worm
> >
> > Anyone else going through the W32.Blaster.Worm?
> >
> >
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
> >
> > Big pain in the ....
> >
> > Tim
> >
> >
> > Timothy Snow
> > CCIE #12042
> > EDS - Network Operations
> > MS 3B
> > 1075 W. Entrance Drive
> > Auburn Hills, MI 48326
> >
> > * phone: +01-248-754-7900
> > * mailto:timothy.snow@eds.com
> > pager: 888-351-4584
> > www.eds.com
> >
> >
> >
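An added example, not part of any message in this thread: a small Python check that flags, per entry, the two things that differ between the two ACLs quoted above: the log keyword, and a port match written after the source address (which IOS reads as a source port) with none after the destination. The sample entries are constructed in the style of the thread, and the finding names are labels chosen for this example.

```python
# Constructed sample in the style of the entries quoted in the thread.
SAMPLE_ACL = """\
access-list 115 deny tcp any eq 4444 any log
access-list 115 deny tcp any eq 135 any log
access-list 115 deny udp any eq 69 any log
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
deny tcp any any eq 135
permit ip any any
"""

PORT_OPS = {"eq", "neq", "gt", "lt", "range"}

def _take_addr(tok, i):
    """Skip an address spec: 'any' is one token, 'host A' / 'A WILDCARD' are two."""
    return i + 1 if i < len(tok) and tok[i] == "any" else i + 2

def _take_port(tok, i):
    """Return (port match or None, next index) for an optional port operator."""
    if i < len(tok) and tok[i] in PORT_OPS:
        n = 3 if tok[i] == "range" else 2
        return " ".join(tok[i:i + n]), i + n
    return None, i

def audit_ace(line):
    """Findings for one extended ACL entry (numbered or named-ACL form)."""
    tok = line.split()
    if tok[:1] == ["access-list"]:
        tok = tok[2:]                      # drop "access-list <number>"
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        return []
    i = _take_addr(tok, 2)                 # source address
    sport, i = _take_port(tok, i)          # port right after source = source port
    i = _take_addr(tok, i)                 # destination address
    dport, i = _take_port(tok, i)          # port after destination = destination port
    findings = []
    if {"log", "log-input"} & set(tok[i:]):
        findings.append("log")             # per-match logging on this entry
    if sport and not dport:
        findings.append("source-port-only")
    return findings

def audit_acl(text):
    """Map 1-based line number -> findings, for entries that have any."""
    return {n: f for n, ln in enumerate(text.splitlines(), 1) if (f := audit_ace(ln))}

if __name__ == "__main__":
    for n, f in audit_acl(SAMPLE_ACL).items():
        print(n, ", ".join(f))
```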
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:58 GMT-3