RE: Virus Alert - W32.Blaster.Worm

From: Charles Church (cchurch@wamnet.com)
Date: Wed Aug 13 2003 - 13:17:16 GMT-3


Setting a static route to null for all the bogons is a good idea as well.
Check out:
http://www.cymru.com/Documents/bogon-dd.html

Take each line from the Dotted Decimal Aggregated list, and make it a static
pointing to null0.

Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch@wamnet.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brown, Patrick (NSOC-OCF}
Sent: Wednesday, August 13, 2003 11:54 AM
To: 'Kurt Kruegel '; 'MADMAN '; 'Jung, Jin '
Cc: ''George Gittins' '; 'ccielab@groupstudy.com '
Subject: RE: Virus Alert - W32.Blaster.Worm

Anytime you have the log option on the ACL, you are process switching
packets. Take the log statement out of the ACL for 135 definitely. I would
take it out for 4444 and 69 also, dependent on the platform. This will
definitely hose your box :)

ex:
ip access-list ext cisco-n-microsoft-problem
 deny tcp any any eq 135
 deny tcp any any eq 445
 deny tcp any any eq 593
 deny 53 any any
 deny 55 any any
 deny 77 any any
 deny pim any any
 permit ip any any

Thanks,

Patrick B

-----Original Message-----
From: Kurt Kruegel
To: MADMAN; Jung, Jin
Cc: 'George Gittins'; ccielab@groupstudy.com
Sent: 8/13/2003 10:45 AM
Subject: Re: Virus Alert - W32.Blaster.Worm

I used the access-list to try to block it and CPU freaked out
and we had to power cycle.
Anyone see a problem with this?

access-list 115 deny tcp any eq 4444 any log
access-list 115 deny tcp any eq 135 any log
access-list 115 deny udp any eq 69 any log
access-list 115 deny icmp any any redirect
access-list 115 deny ip 0.0.0.0 0.255.255.255 any
access-list 115 deny ip 255.0.0.0 0.255.255.255 any
access-list 115 deny ip 1.0.0.0 0.255.255.255 any
access-list 115 deny ip 2.0.0.0 0.255.255.255 any
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 169.254.0.0 0.0.255.255 any
access-list 115 deny ip 192.0.2.0 0.0.0.255 any
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
own nets deleted
access-list 115 permit ip any any

----- Original Message -----
From: "MADMAN" <dave@interprise.com>
To: "Jung, Jin" <jin.jung@lmco.com>
Cc: "'George Gittins'" <g.gittins@edinburg.esc1.net>;
<ccielab@groupstudy.com>
Sent: Wednesday, August 13, 2003 11:11 AM
Subject: Re: Virus Alert - W32.Blaster.Worm

> Jung, Jin wrote:
> > Hi Brian,
> > Did you block tcp and udp port 135 ?
> > Does it break Windows NetBIOS?
> >
> > I only blocked 4444 and 69, should I block 135 too?
>
> Yes.
>
> http://www.cert.org/advisories/CA-2003-20.html
>
> Dave
>
> >
> > Thanks...
> >
> > -----Original Message-----
> > From: George Gittins [mailto:g.gittins@edinburg.esc1.net]
> > Sent: Wednesday, August 13, 2003 9:43 AM
> > To: ccielab@groupstudy.com
> > Subject: FW: Virus Alert - W32.Blaster.Worm
> >
> >
> > Why port 135? Can you show an access-list?
> >
> > George Gittins
> > Network Maintenance Supervisor
> > ECISD
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Brown, Patrick (NSOC-OCF}
> > Sent: Tuesday, August 12, 2003 7:58 PM
> > To: 'Snow, Tim '; ''ccielab@groupstudy.com' '
> > Subject: RE: Virus Alert - W32.Blaster.Worm
> >
> > Getting about 20,000 hits a second on ACL referencing port 135. Plus ARP
> > process is going through the roof until acl is applied.
> >
> > Patrick B
> >
> >
> >
> > -----Original Message-----
> > From: Snow, Tim
> > To: 'ccielab@groupstudy.com'
> > Sent: 8/11/2003 10:14 PM
> > Subject: Virus Alert - W32.Blaster.Worm
> >
> > Anyone else going through the W32.Blaster.Worm?
> >
> >
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
> >
> > Big pain in the ....
> >
> > Tim
> >
> >
> > Timothy Snow
> > CCIE #12042
> > EDS - Network Operations
> > MS 3B
> > 1075 W. Entrance Drive
> > Auburn Hills, MI 48326
> >
> > * phone: +01-248-754-7900
> > * mailto:timothy.snow@eds.com
> > pager: 888-351-4584
> > www.eds.com
> >
> >
> >
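Added example, not posted by anyone in this thread: a small Python helper for the two defensive steps discussed above. It turns a bogon prefix list into IOS `ip route ... Null0` statements, as Chuck suggests, and also into wildcard-mask ACL denies of the form Kurt uses; and it audits an ACL for `deny ... log` entries, which Patrick points out force every matching packet through process switching. The function names are mine; the sample prefix list and sample ACL are constructed from the ACL lines quoted in the thread (the Team Cymru dotted-decimal list would be fed in the same way, converted to CIDR).

```python
import ipaddress
import re

# Constructed sample: the bogon/private prefixes from Kurt's ACL, in CIDR form.
SAMPLE_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
]

# Constructed sample: a cut-down copy of access-list 115 as posted in the thread.
SAMPLE_ACL = """\
access-list 115 deny tcp any eq 4444 any log
access-list 115 deny tcp any eq 135 any log
access-list 115 deny udp any eq 69 any log
access-list 115 deny icmp any any redirect
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 permit ip any any
"""


def null_routes(prefixes):
    """Emit one 'ip route <network> <mask> Null0' statement per CIDR prefix.

    A Null0 route drops traffic *destined* to bogon space in the forwarding
    path, with no per-packet ACL evaluation. ip_network() is strict by default,
    so a prefix with host bits set (a typo in the list) raises ValueError
    instead of silently black-holing the wrong range.
    """
    return [
        f"ip route {n.network_address} {n.netmask} Null0"
        for n in (ipaddress.ip_network(p) for p in prefixes)
    ]


def acl_deny_lines(acl_number, prefixes):
    """Emit numbered extended-ACL denies for traffic *sourced* from the prefixes.

    IOS ACLs take a wildcard (inverse) mask, which ipaddress exposes as hostmask.
    """
    return [
        f"access-list {acl_number} deny ip {n.network_address} {n.hostmask} any"
        for n in (ipaddress.ip_network(p) for p in prefixes)
    ]


# A deny entry ending in 'log' or 'log-input' punts every matching packet to the CPU.
LOGGED_DENY = re.compile(r"^\s*access-list\s+\d+\s+deny\b.*\blog(?:-input)?\s*$")
LOG_SUFFIX = re.compile(r"\s+log(?:-input)?\s*$")


def find_logged_denies(acl_text):
    """Return the ACL entries that combine 'deny' with per-packet logging."""
    return [ln.strip() for ln in acl_text.splitlines() if LOGGED_DENY.match(ln)]


def strip_log(acl_text):
    """Return the ACL with the log keyword removed from every entry."""
    return "\n".join(LOG_SUFFIX.sub("", ln) for ln in acl_text.splitlines())


if __name__ == "__main__":
    print("\n".join(null_routes(SAMPLE_BOGONS)))
    print("\n".join(acl_deny_lines(115, SAMPLE_BOGONS)))
    for entry in find_logged_denies(SAMPLE_ACL):
        print("process-switched deny:", entry)
    print(strip_log(SAMPLE_ACL))
```

The two outputs cover different directions: a Null0 route only discards packets whose destination is in bogon space, while the wildcard-mask ACL denies packets whose source is; a router facing worm scans usually wants both. The `log` audit is deliberately conservative and only flags entries that end in the keyword, which is where IOS places it.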



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:58 GMT-3