From: kurt (kurt@cybernex.net)
Date: Wed Aug 13 2003 - 14:22:45 GMT-3
my cpu generally runs 0-10%
so this could jump to 50% cpu without log option ?
depending on the rate we're getting hit ?
we have a pix behind the router
so nothing's really getting in that's not established.
am i right that there's really no sense to block tftp since it could only come from the other end of the link ?
----- Original Message -----
From: "Brown, Patrick (NSOC-OCF}" <PBrown4@chartercom.com>
To: "'Kurt Kruegel '" <kurt@cybernex.net>; "''MADMAN ' '"
<dave@interprise.com>; "''Jung, Jin ' '" <jin.jung@lmco.com>
Cc: "'''George Gittins' ' '" <g.gittins@edinburg.esc1.net>;
<ccielab@groupstudy.com>
Sent: Wednesday, August 13, 2003 1:08 PM
Subject: RE: Virus Alert - W32.Blaster.Worm
> If you have a netflow collector server, that would be perfect for
> identification of infected sources. I just use a linux box with
> flow-capture. On distributed switching/distributed mem platforms like GSR12,
> 7500, 10000, 7600 osm, and etc. they handle the log option a little bit
> better than shared mem platforms like the 7200. Below is a 7200 without the
> log option on ACL. CPU = 56%
>
> access-list compiled <---- turbo acl
> deny tcp any any eq 135 (654191031 matches) <-- 654 million | 25k sec
> deny tcp any any eq 445 (3290391 matches)
> deny tcp any any eq 593 (11 matches)
>
>
>
>
> -----Original Message-----
> From: Kurt Kruegel
> To: Brown, Patrick (NSOC-OCF}; 'MADMAN '; 'Jung, Jin '
> Cc: ''George Gittins' '; ccielab@groupstudy.com
> Sent: 8/13/2003 10:58 AM
> Subject: Re: Virus Alert - W32.Blaster.Worm
>
> oh daaaa
> i guess i wanted to see how hard we were getting scanned
> it's a 7200 vxr 512mb ram
> using cef as normal switching mode
> i had done this with sql slammer
> and no problems
>
>
> ----- Original Message -----
> From: "Brown, Patrick (NSOC-OCF}" <PBrown4@chartercom.com>
> To: "'Kurt Kruegel '" <kurt@cybernex.net>; "'MADMAN '"
> <dave@interprise.com>; "'Jung, Jin '" <jin.jung@lmco.com>
> Cc: "''George Gittins' '" <g.gittins@edinburg.esc1.net>;
> <ccielab@groupstudy.com>
> Sent: Wednesday, August 13, 2003 11:53 AM
> Subject: RE: Virus Alert - W32.Blaster.Worm
>
>
> > Anytime you have the log option on the ACL, you are process switching
> > packets. Take the log statement out of the ACL for 135 definitely. I would
> > take it out for 4444 and 69 also dependent on the platform. This will
> > definitely hose your box :)
> >
> > ex:
> > ip access-list ext cisco-n-microsoft-problem
> > deny tcp any any eq 135
> > deny tcp any any eq 445
> > deny tcp any any eq 593
> > deny 53 any any
> > deny 55 any any
> > deny 77 any any
> > deny pim any any
> > permit ip any any
> >
> > Thanks,
> >
> > Patrick B
> >
> > -----Original Message-----
> > From: Kurt Kruegel
> > To: MADMAN; Jung, Jin
> > Cc: 'George Gittins'; ccielab@groupstudy.com
> > Sent: 8/13/2003 10:45 AM
> > Subject: Re: Virus Alert - W32.Blaster.Worm
> >
> > i used the access-list to try to block it and cpu freaked out
> > and we had to power cycle
> > anyone see a problem with this ?
> >
> > access-list 115 deny tcp any eq 4444 any log
> > access-list 115 deny tcp any eq 135 any log
> > access-list 115 deny udp any eq 69 any log
> > access-list 115 deny icmp any any redirect
> > access-list 115 deny ip 0.0.0.0 0.255.255.255 any
> > access-list 115 deny ip 255.0.0.0 0.255.255.255 any
> > access-list 115 deny ip 1.0.0.0 0.255.255.255 any
> > access-list 115 deny ip 2.0.0.0 0.255.255.255 any
> > access-list 115 deny ip 127.0.0.0 0.255.255.255 any
> > access-list 115 deny ip 169.254.0.0 0.0.255.255 any
> > access-list 115 deny ip 192.0.2.0 0.0.0.255 any
> > access-list 115 deny ip 10.0.0.0 0.255.255.255 any
> > access-list 115 deny ip 172.16.0.0 0.15.255.255 any
> > access-list 115 deny ip 192.168.0.0 0.0.255.255 any
> > own nets deleted
> > access-list 115 permit ip any any
> >
> >
> > ----- Original Message -----
> > From: "MADMAN" <dave@interprise.com>
> > To: "Jung, Jin" <jin.jung@lmco.com>
> > Cc: "'George Gittins'" <g.gittins@edinburg.esc1.net>;
> > <ccielab@groupstudy.com>
> > Sent: Wednesday, August 13, 2003 11:11 AM
> > Subject: Re: Virus Alert - W32.Blaster.Worm
> >
> >
> > > Jung, Jin wrote:
> > > > Hi Brian,
> > > > Did you block tcp and udp port 135 ?
> > > > Does it break windows netbios?
> > > >
> > > > I only blocked 4444 and 69, should I block 135 too?
> > >
> > > Yes.
> > >
> > > http://www.cert.org/advisories/CA-2003-20.html
> > >
> > > Dave
> > >
> > > >
> > > > Thanks...
> > > >
> > > > -----Original Message-----
> > > > From: George Gittins [mailto:g.gittins@edinburg.esc1.net]
> > > > Sent: Wednesday, August 13, 2003 9:43 AM
> > > > To: ccielab@groupstudy.com
> > > > Subject: FW: Virus Alert - W32.Blaster.Worm
> > > >
> > > >
> > > > Why port 135? Can you show an access-list?
> > > >
> > > > George Gittins
> > > > Network Maintenance Supervisor
> > > > ECISD
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > Brown, Patrick (NSOC-OCF}
> > > > Sent: Tuesday, August 12, 2003 7:58 PM
> > > > To: 'Snow, Tim '; ''ccielab@groupstudy.com' '
> > > > Subject: RE: Virus Alert - W32.Blaster.Worm
> > > >
> > > > Getting about 20,000 hits a second on ACL referencing port 135. Plus Arp
> > > > process is going through the roof until acl is applied.
> > > >
> > > > Patrick B
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Snow, Tim
> > > > To: 'ccielab@groupstudy.com'
> > > > Sent: 8/11/2003 10:14 PM
> > > > Subject: Virus Alert - W32.Blaster.Worm
> > > >
> > > > Anyone else going through the W32.Blaster.Worm?
> > > >
> > > >
> > > > http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
> > > >
> > > > Big pain in the ....
> > > >
> > > > Tim
> > > >
> > > >
> > > > Timothy Snow
> > > > CCIE #12042
> > > > EDS - Network Operations
> > > > MS 3B
> > > > 1075 W. Entrance Drive
> > > > Auburn Hills, MI 48326
> > > >
> > > > * phone: +01-248-754-7900
> > > > * mailto:timothy.snow@eds.com
> > > > pager: 888-351-4584
> > > > www.eds.com
> > > >
> > > >
> > > >
> > > > _______________________________________________________________________
> > > > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> > > >
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > > >
> > >
> > >
> > > --
> > > David Madland
> > > CCIE# 2016
> > > Sr. Network Engineer
> > > Qwest Communications
> > > 612-664-3367
> > >
> > > "Government can do something for the people only in proportion as it
> > > can do something to the people." -- Thomas Jefferson
> > >
> > >
> > >
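Added example for this thread (not code from the list, from Cisco, or from any of the posters): a small Python audit that does the two things the replies above argue about by hand. It flags ACL entries that carry the `log` keyword, which Patrick's reply identifies as punting every matching packet to process switching, and it turns two `show access-lists` snapshots into per-entry hit rates, the same arithmetic behind the "654 million matches in 25k seconds" figure (roughly 26,000 hits per second). The ACL text and the counters are constructed to mirror the lines posted in the thread; the 60-second interval and the 1,000 pkt/s threshold are assumptions.

```python
"""Audit a Cisco-style ACL for the `log` keyword and derive per-entry hit
rates from two `show access-lists` snapshots.

Added example for this thread; not code from the list or from Cisco.
The ACL text and counters below are constructed to mirror the lines posted
in the thread (the 135/445/593 entries with match counters, and the
access-list 115 entries that carried `log`).
"""
import re
from typing import Dict, List, Tuple

# One ACE, either numbered ("access-list 115 deny tcp ... log") or the body of
# a named ACL / `show access-lists` ("deny tcp any any eq 135 (654191031 matches)").
ACE_RE = re.compile(
    r"^\s*(?:access-list\s+\S+\s+)?(?P<action>permit|deny)\s+(?P<body>.*?)"
    r"(?:\s+\((?P<matches>\d+)\s+matches\))?\s*$"
)


def parse_acl(text: str) -> List[dict]:
    """Return one dict per ACE: action, rule (without `log`), log flag, counter."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # headers, "access-list compiled", free-text notes, blank lines
        tokens = m.group("body").split()
        logged = bool(tokens) and tokens[-1] in ("log", "log-input")
        if logged:
            tokens = tokens[:-1]
        matches = m.group("matches")
        entries.append({
            "action": m.group("action"),
            "rule": " ".join(tokens),
            "log": logged,
            "matches": int(matches) if matches is not None else None,
        })
    return entries


def logged_rules(text: str) -> List[str]:
    """Rules that carry `log`: every packet hitting them leaves the fast path
    and is process switched, which is what the thread blames for the CPU spike."""
    return [e["rule"] for e in parse_acl(text) if e["log"]]


def hit_rates(before: str, after: str, seconds: float) -> Dict[str, float]:
    """Packets per second per ACE between two `show access-lists` snapshots
    taken `seconds` apart. Entries without a counter in either snapshot are
    skipped (IOS only prints a counter once an entry has matched)."""
    def counters(text: str) -> Dict[str, int]:
        return {f"{e['action']} {e['rule']}": e["matches"]
                for e in parse_acl(text) if e["matches"] is not None}
    t0, t1 = counters(before), counters(after)
    rates = {}
    for key, now in t1.items():
        if key not in t0:
            continue
        delta = now - t0[key]
        if delta < 0:          # counters were cleared in between; use the new count
            delta = now
        rates[key] = delta / seconds
    return rates


def hot_entries(rates: Dict[str, float], threshold_pps: float) -> List[Tuple[str, float]]:
    """ACEs whose hit rate exceeds the threshold, busiest first. These are the
    entries where a `log` keyword would cost the most CPU."""
    return sorted(((k, r) for k, r in rates.items() if r > threshold_pps),
                  key=lambda kv: kv[1], reverse=True)


# --- constructed sample input (mirrors the thread, values are not measured) ---
ACL_115 = """\
access-list 115 deny tcp any eq 4444 any log
access-list 115 deny tcp any eq 135 any log
access-list 115 deny udp any eq 69 any log
access-list 115 deny icmp any any redirect
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 permit ip any any
"""

# Two snapshots assumed to be 60 s apart.
SNAP_T0 = """\
Extended IP access list cisco-n-microsoft-problem
    deny tcp any any eq 135 (654191031 matches)
    deny tcp any any eq 445 (3290391 matches)
    deny tcp any any eq 593 (11 matches)
    deny pim any any
    permit ip any any (1234 matches)
"""
SNAP_T1 = """\
Extended IP access list cisco-n-microsoft-problem
    deny tcp any any eq 135 (655391031 matches)
    deny tcp any any eq 445 (3293391 matches)
    deny tcp any any eq 593 (11 matches)
    deny pim any any
    permit ip any any (1834 matches)
"""

if __name__ == "__main__":
    for rule in logged_rules(ACL_115):
        print(f"WARNING: `log` keyword (process switched) on: {rule}")
    for key, pps in hot_entries(hit_rates(SNAP_T0, SNAP_T1, 60), 1000):
        print(f"{key}: {pps:.0f} pkt/s")
```

Run against the constructed snapshots it reports the port 135 entry at 20,000 pkt/s and flags the three `log` entries in access-list 115; on a real box the counters come from two timed runs of `show access-lists`, and an entry that is both hot and logged is the one to fix first.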
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:58 GMT-3