RE: Virus Alert - W32.Blaster.Worm

From: Brown, Patrick (NSOC-OCF} (PBrown4@chartercom.com)
Date: Wed Aug 13 2003 - 14:08:29 GMT-3


 If you have a netflow collector server, that would be perfect for
identification of infected sources. I just use a Linux box with
flow-capture. On distributed switching/distributed memory platforms like GSR12,
7500, 10000, 7600 OSM, etc., they handle the log option a little bit
better than shared memory platforms like the 7200. Below is a 7200 without the
log option on the ACL. CPU = 56%

    access-list compiled <---- turbo acl
    deny tcp any any eq 135 (654191031 matches) <-- 654 million | 25k sec
    deny tcp any any eq 445 (3290391 matches)
    deny tcp any any eq 593 (11 matches)

-----Original Message-----
From: Kurt Kruegel
To: Brown, Patrick (NSOC-OCF}; 'MADMAN '; 'Jung, Jin '
Cc: ''George Gittins' '; ccielab@groupstudy.com
Sent: 8/13/2003 10:58 AM
Subject: Re: Virus Alert - W32.Blaster.Worm

oh daaaa
i guess i wanted to see how hard we were getting scanned
it's a 7200 vxr 512mb ram
using cef as normal switching mode
i had done this with sql slammer
and no problems

----- Original Message -----
From: "Brown, Patrick (NSOC-OCF}" <PBrown4@chartercom.com>
To: "'Kurt Kruegel '" <kurt@cybernex.net>; "'MADMAN '"
<dave@interprise.com>; "'Jung, Jin '" <jin.jung@lmco.com>
Cc: "''George Gittins' '" <g.gittins@edinburg.esc1.net>;
<ccielab@groupstudy.com>
Sent: Wednesday, August 13, 2003 11:53 AM
Subject: RE: Virus Alert - W32.Blaster.Worm

> Anytime you have the log option on the ACL, you are process switching
> packets. Take the log statement out of the ACL for 135 definitely. I
> would take it out for 4444 and 69 also, dependent on the platform. This
> will definitely hose your box :)
>
> ex:
> ip access-list ext cisco-n-microsoft-problem
> deny tcp any any eq 135
> deny tcp any any eq 445
> deny tcp any any eq 593
> deny 53 any any
> deny 55 any any
> deny 77 any any
> deny pim any any
> permit ip any any
>
> Thanks,
>
> Patrick B
>
> -----Original Message-----
> From: Kurt Kruegel
> To: MADMAN; Jung, Jin
> Cc: 'George Gittins'; ccielab@groupstudy.com
> Sent: 8/13/2003 10:45 AM
> Subject: Re: Virus Alert - W32.Blaster.Worm
>
> i used the access-list to try to block it and cpu freaked out
> and we had to power cycle
> anyone see a problem with this ?
>
> access-list 115 deny tcp any eq 4444 any log
> access-list 115 deny tcp any eq 135 any log
> access-list 115 deny udp any eq 69 any log
> access-list 115 deny icmp any any redirect
> access-list 115 deny ip 0.0.0.0 0.255.255.255 any
> access-list 115 deny ip 255.0.0.0 0.255.255.255 any
> access-list 115 deny ip 1.0.0.0 0.255.255.255 any
> access-list 115 deny ip 2.0.0.0 0.255.255.255 any
> access-list 115 deny ip 127.0.0.0 0.255.255.255 any
> access-list 115 deny ip 169.254.0.0 0.0.255.255 any
> access-list 115 deny ip 192.0.2.0 0.0.0.255 any
> access-list 115 deny ip 10.0.0.0 0.255.255.255 any
> access-list 115 deny ip 172.16.0.0 0.15.255.255 any
> access-list 115 deny ip 192.168.0.0 0.0.255.255 any
> own nets deleted
> access-list 115 permit ip any any
>
>
> ----- Original Message -----
> From: "MADMAN" <dave@interprise.com>
> To: "Jung, Jin" <jin.jung@lmco.com>
> Cc: "'George Gittins'" <g.gittins@edinburg.esc1.net>;
> <ccielab@groupstudy.com>
> Sent: Wednesday, August 13, 2003 11:11 AM
> Subject: Re: Virus Alert - W32.Blaster.Worm
>
>
> > Jung, Jin wrote:
> > > Hi Brian,
> > > Did you block tcp and udp port 135 ?
> > > Does it break Windows NetBIOS?
> > >
> > > I only blocked 4444 and 69, should I block 135 too?
> >
> > Yes.
> >
> > http://www.cert.org/advisories/CA-2003-20.html
> >
> > Dave
> >
> > >
> > > Thanks...
> > >
> > > -----Original Message-----
> > > From: George Gittins [mailto:g.gittins@edinburg.esc1.net]
> > > Sent: Wednesday, August 13, 2003 9:43 AM
> > > To: ccielab@groupstudy.com
> > > Subject: FW: Virus Alert - W32.Blaster.Worm
> > >
> > >
> > > Why port 135? Can you show an access-list?
> > >
> > > George Gittins
> > > Network Maintenance Supervisor
> > > ECISD
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Brown, Patrick (NSOC-OCF}
> > > Sent: Tuesday, August 12, 2003 7:58 PM
> > > To: 'Snow, Tim '; ''ccielab@groupstudy.com' '
> > > Subject: RE: Virus Alert - W32.Blaster.Worm
> > >
> > > Getting about 20,000 hits a second on ACL referencing port 135. Plus ARP
> > > process is going through the roof until acl is applied.
> > >
> > > Patrick B
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Snow, Tim
> > > To: 'ccielab@groupstudy.com'
> > > Sent: 8/11/2003 10:14 PM
> > > Subject: Virus Alert - W32.Blaster.Worm
> > >
> > > Anyone else going through the W32.Blaster.Worm?
> > >
> > >
> > > http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
> > >
> > > Big pain in the ....
> > >
> > > Tim
> > >
> > >
> > > Timothy Snow
> > > CCIE #12042
> > > EDS - Network Operations
> > > MS 3B
> > > 1075 W. Entrance Drive
> > > Auburn Hills, MI 48326
> > >
> > > * phone: +01-248-754-7900
> > > * mailto:timothy.snow@eds.com
> > > pager: 888-351-4584
> > > www.eds.com
> > >
> > >
> > >
>

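The thread's practical advice is to keep `log` off the ACL so the router stays in CEF, and to do the identification of infected sources on a netflow collector instead. The script below is an added example of that collector-side step; it is not code from anyone on the list. It assumes the flow-capture data has been printed to plain text with one flow per line in the constructed column order `srcaddr dstaddr proto srcport dstport packets octets` (the real flow-print column layout differs by format number, so adjust `parse_flow()`), and it uses the Blaster traffic pattern the thread and CA-2003-20 describe: a sweep of tcp/135, then victims calling back to the infector on tcp/4444 and pulling the payload over udp/69. A host that sweeps many distinct tcp/135 targets is reported; inbound 4444 and 69 to that host are recorded as corroboration, since those only show up after a successful exploit. The sample flows are constructed, not captured traffic. `acl_hit_rate()` just turns the thread's counter figure (654 million matches in 25k seconds) into a per-second rate.

```python
#!/usr/bin/env python3
"""Pick likely W32.Blaster-infected sources out of NetFlow records.

Added example, not from the original thread.  It assumes the collector
output (flow-capture / flow-print in the thread) has been dumped to text
with one flow per line in this constructed column order:

    srcaddr dstaddr proto srcport dstport packets octets

The column order is an assumption; adapt parse_flow() to your exporter.
"""
from collections import defaultdict

# Blaster traffic pattern (thread + CA-2003-20):
#   1. scan / exploit: infected host -> victim        tcp/135
#   2. shell:          victim -> infected host        tcp/4444
#   3. payload fetch:  victim -> infected host (tftp) udp/69
DCOM_PORT, SHELL_PORT, TFTP_PORT = 135, 4444, 69


def parse_flow(line):
    """Parse one text line into a dict; return None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    src, dst, proto, sport, dport, pkts, octets = line.split()
    return {"src": src, "dst": dst, "proto": proto.lower(),
            "sport": int(sport), "dport": int(dport),
            "pkts": int(pkts), "octets": int(octets)}


def find_infected(lines, min_targets=20):
    """Return {host: evidence} for hosts that look infected.

    A host is reported when it touched at least `min_targets` distinct
    destinations on tcp/135 (one or two DC-to-member RPC sessions never
    reach that).  Inbound tcp/4444 and udp/69 to the host are counted as
    corroborating evidence.  Result is sorted by scan size, largest first.
    """
    targets = defaultdict(set)   # src  -> {dst hit on tcp/135}
    shells = defaultdict(set)    # host -> {victims that opened tcp/4444 to it}
    tftp = defaultdict(set)      # host -> {victims that pulled over udp/69}
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if f["proto"] == "tcp" and f["dport"] == DCOM_PORT:
            targets[f["src"]].add(f["dst"])
        elif f["proto"] == "tcp" and f["dport"] == SHELL_PORT:
            shells[f["dst"]].add(f["src"])
        elif f["proto"] == "udp" and f["dport"] == TFTP_PORT:
            tftp[f["dst"]].add(f["src"])
    report = {}
    for host, dsts in targets.items():
        if len(dsts) >= min_targets:
            report[host] = {
                "scan_targets": len(dsts),
                "shell_callbacks": len(shells[host]),
                "tftp_pulls": len(tftp[host]),
                "confirmed": bool(shells[host] or tftp[host]),
            }
    return dict(sorted(report.items(), key=lambda kv: -kv[1]["scan_targets"]))


def acl_hit_rate(matches, seconds):
    """Average ACE hits per second, e.g. the thread's 654 million / 25k sec."""
    return matches / seconds


# --- constructed sample, not captured traffic ---------------------------
def sample_flows():
    lines = ["# src dst proto sport dport pkts octets"]
    # 10.1.1.50 sweeps 40 hosts on tcp/135 (one SYN each); two victims call
    # back on tcp/4444 and one of them pulls the payload over tftp.
    for i in range(1, 41):
        lines.append(f"10.1.1.50 10.2.0.{i} tcp {1025 + i} 135 1 48")
    lines += [
        "10.2.0.7 10.1.1.50 tcp 1034 4444 12 980",
        "10.2.0.7 10.1.1.50 udp 1035 69 40 6400",
        "10.2.0.19 10.1.1.50 tcp 1040 4444 9 700",
    ]
    # 10.1.1.9 is a domain controller doing legitimate RPC to three members.
    for i in (2, 3, 4):
        lines.append(f"10.1.1.9 10.1.1.{i} tcp 49152 135 30 4200")
    # 10.3.3.3 sweeps 25 addresses with no callbacks seen (yet).
    for i in range(1, 26):
        lines.append(f"10.3.3.3 192.0.2.{i} tcp 3000 135 1 48")
    return lines


if __name__ == "__main__":
    for host, ev in find_infected(sample_flows()).items():
        print(host, ev)
    print(f"{acl_hit_rate(654_191_031, 25_000):,.0f} ACE hits/sec")
```

With the constructed input, 10.1.1.50 comes out first as a confirmed infector (40 targets, two shell callbacks, one tftp pull), 10.3.3.3 is reported as a scanner without corroboration, and the domain controller is not reported. The threshold is deliberately on distinct destinations rather than packet counts, because a Blaster sweep is one tiny SYN per target while a legitimate RPC session is many packets to one peer.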


This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:58 GMT-3