RE: Virus Alert - W32.Blaster.Worm

From: MMoniz (ccie2002@tampabay.rr.com)
Date: Wed Aug 13 2003 - 22:03:33 GMT-3


I agree. I have 2 3661 Internet routers allowing it right through. I
probably had like 10,000 scans on this today and my PIX 535 was at like
CPU 0%. When I had a TAC case for internet problems TAC said just allow it
through the routers and let the PIX eat it. (I didn't have a TAC case for
this problem, but the results are the same.)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Charles Church
Sent: Wednesday, August 13, 2003 2:14 PM
To: kurt; Brown, Patrick (NSOC-OCF}; ''MADMAN ' '; ''Jung, Jin ' '
Cc: '''George Gittins' ' '; ccielab@groupstudy.com
Subject: RE: Virus Alert - W32.Blaster.Worm

Kurt,

        Why not just let the PIX block it? Its purpose in life is blocking
packets, unlike the router. A place you might want to do ACL logging is on
an inside interface's inbound ACL. Might make it easy to find infected
machines inside your network, as long as the source address isn't spoofed.

Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch@wamnet.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
kurt
Sent: Wednesday, August 13, 2003 1:23 PM
To: Brown, Patrick (NSOC-OCF}; ''MADMAN ' '; ''Jung, Jin ' '
Cc: '''George Gittins' ' '; ccielab@groupstudy.com
Subject: Re: Virus Alert - W32.Blaster.Worm

my cpu generally runs 0-10%
so this could jump to 50% cpu without log option ?
depending on the rate we're getting hit ?
we have a pix behind the router
so nothing's really getting in that's not established.

am i right that there's really no sense to block tftp since it could only
come from the other end of the link ?

----- Original Message -----
From: "Brown, Patrick (NSOC-OCF}" <PBrown4@chartercom.com>
To: "'Kurt Kruegel '" <kurt@cybernex.net>; "''MADMAN ' '"
<dave@interprise.com>; "''Jung, Jin ' '" <jin.jung@lmco.com>
Cc: "'''George Gittins' ' '" <g.gittins@edinburg.esc1.net>;
<ccielab@groupstudy.com>
Sent: Wednesday, August 13, 2003 1:08 PM
Subject: RE: Virus Alert - W32.Blaster.Worm

> If you have a netflow collector server, that would be perfect for
> identification of infected sources. I just use a linux box with
> flow-capture. On distributed switching/distributed mem platforms like
> GSR12, 7500, 10000, 7600 osm, etc. they handle the log option a little bit
> better than shared mem platforms like the 7200. Below is a 7200 without the
> log option on ACL. CPU = 56%
>
> access-list compiled <---- turbo acl
> deny tcp any any eq 135 (654191031 matches) <-- 654 million | 25k sec
> deny tcp any any eq 445 (3290391 matches)
> deny tcp any any eq 593 (11 matches)
>
>
>
>
> -----Original Message-----
> From: Kurt Kruegel
> To: Brown, Patrick (NSOC-OCF}; 'MADMAN '; 'Jung, Jin '
> Cc: ''George Gittins' '; ccielab@groupstudy.com
> Sent: 8/13/2003 10:58 AM
> Subject: Re: Virus Alert - W32.Blaster.Worm
>
> oh daaaa
> i guess i wanted to see how hard we were getting scanned
> it's a 7200 vxr 512mb ram
> using cef as normal switching mode
> i had done this with sql slammer
> and no problems
>
>
> ----- Original Message -----
> From: "Brown, Patrick (NSOC-OCF}" <PBrown4@chartercom.com>
> To: "'Kurt Kruegel '" <kurt@cybernex.net>; "'MADMAN '"
> <dave@interprise.com>; "'Jung, Jin '" <jin.jung@lmco.com>
> Cc: "''George Gittins' '" <g.gittins@edinburg.esc1.net>;
> <ccielab@groupstudy.com>
> Sent: Wednesday, August 13, 2003 11:53 AM
> Subject: RE: Virus Alert - W32.Blaster.Worm
>
>
> > Anytime you have the log option on the ACL, you are process switching
> > packets. Take the log statement out of the ACL for 135 definitely. I
> > would take it out for 4444 and 69 also, dependent on the platform. This
> > will definitely hose your box :)
> >
> > ex:
> > ip access-list ext cisco-n-microsoft-problem
> > deny tcp any any eq 135
> > deny tcp any any eq 445
> > deny tcp any any eq 593
> > deny 53 any any
> > deny 55 any any
> > deny 77 any any
> > deny pim any any
> > permit ip any any
> >
> > Thanks,
> >
> > Patrick B
> >
> > -----Original Message-----
> > From: Kurt Kruegel
> > To: MADMAN; Jung, Jin
> > Cc: 'George Gittins'; ccielab@groupstudy.com
> > Sent: 8/13/2003 10:45 AM
> > Subject: Re: Virus Alert - W32.Blaster.Worm
> >
> > i used the access-list to try to block it and cpu freaked out
> > and we had to power cycle
> > anyone see a problem with this ?
> >
> > access-list 115 deny tcp any eq 4444 any log
> > access-list 115 deny tcp any eq 135 any log
> > access-list 115 deny udp any eq 69 any log
> > access-list 115 deny icmp any any redirect
> > access-list 115 deny ip 0.0.0.0 0.255.255.255 any
> > access-list 115 deny ip 255.0.0.0 0.255.255.255 any
> > access-list 115 deny ip 1.0.0.0 0.255.255.255 any
> > access-list 115 deny ip 2.0.0.0 0.255.255.255 any
> > access-list 115 deny ip 127.0.0.0 0.255.255.255 any
> > access-list 115 deny ip 169.254.0.0 0.0.255.255 any
> > access-list 115 deny ip 192.0.2.0 0.0.0.255 any
> > access-list 115 deny ip 10.0.0.0 0.255.255.255 any
> > access-list 115 deny ip 172.16.0.0 0.15.255.255 any
> > access-list 115 deny ip 192.168.0.0 0.0.255.255 any
> > own nets deleted
> > access-list 115 permit ip any any
> >
> >
> > ----- Original Message -----
> > From: "MADMAN" <dave@interprise.com>
> > To: "Jung, Jin" <jin.jung@lmco.com>
> > Cc: "'George Gittins'" <g.gittins@edinburg.esc1.net>;
> > <ccielab@groupstudy.com>
> > Sent: Wednesday, August 13, 2003 11:11 AM
> > Subject: Re: Virus Alert - W32.Blaster.Worm
> >
> >
> > > Jung, Jin wrote:
> > > > Hi Brian,
> > > > Did you block tcp and udp port 135 ?
> > > > Does it break windows netbios?
> > > >
> > > > I only blocked 4444 and 69, should I block 135 too?
> > >
> > > Yes.
> > >
> > > http://www.cert.org/advisories/CA-2003-20.html
> > >
> > > Dave
> > >
> > > >
> > > > Thanks...
> > > >
> > > > -----Original Message-----
> > > > From: George Gittins [mailto:g.gittins@edinburg.esc1.net]
> > > > Sent: Wednesday, August 13, 2003 9:43 AM
> > > > To: ccielab@groupstudy.com
> > > > Subject: FW: Virus Alert - W32.Blaster.Worm
> > > >
> > > >
> > > > Why port 135? Can you show an access-list?
> > > >
> > > > George Gittins
> > > > Network Maintenance Supervisor
> > > > ECISD
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > Brown, Patrick (NSOC-OCF}
> > > > Sent: Tuesday, August 12, 2003 7:58 PM
> > > > To: 'Snow, Tim '; ''ccielab@groupstudy.com' '
> > > > Subject: RE: Virus Alert - W32.Blaster.Worm
> > > >
> > > > Getting about 20,000 hits a second on ACL referencing port 135. Plus
> > > > Arp process is going through the roof until acl is applied.
> > > >
> > > > Patrick B
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Snow, Tim
> > > > To: 'ccielab@groupstudy.com'
> > > > Sent: 8/11/2003 10:14 PM
> > > > Subject: Virus Alert - W32.Blaster.Worm
> > > >
> > > > Anyone else going through the W32.Blaster.Worm?
> > > >
> > > >
> > > > http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
> > > >
> > > > Big pain in the ....
> > > >
> > > > Tim
> > > >
> > > >
> > > > Timothy Snow
> > > > CCIE #12042
> > > > EDS - Network Operations
> > > > MS 3B
> > > > 1075 W. Entrance Drive
> > > > Auburn Hills, MI 48326
> > > >
> > > > * phone: +01-248-754-7900
> > > > * mailto:timothy.snow@eds.com
> > > > pager: 888-351-4584
> > > > www.eds.com
> > > >
> > > >
> > > >
> > > > _______________________________________________________________________
> > > > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> > > >
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> > > --
> > > David Madland
> > > CCIE# 2016
> > > Sr. Network Engineer
> > > Qwest Communications
> > > 612-664-3367
> > >
> > > "Government can do something for the people only in proportion as it
> > > can do something to the people." -- Thomas Jefferson
> > >
> > >
> > >


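Chuck's suggestion above (log on an inside interface's inbound ACL and use the hits to find infected machines) and Kurt's wish to see how hard the network is being scanned are both things a short parser can answer from the router's syslog. The script below is an added example, not code from any poster in the thread: it parses IOS `%SEC-6-IPACCESSLOGP` lines, totals hits per Blaster-related port (tcp/135, tcp/4444, udp/69, the ports the thread filters), and ranks inside sources by how many distinct destinations they touched, since a worm fans out to many hosts while a legitimate RPC client talks to one or two. The log lines, the hosts and the list number are constructed sample data (list 115 mirrors Kurt's ACL number only). The same caveats from the thread apply: this only works if source addresses are not spoofed, and because `log` forces process switching, the logging ACL belongs on the inside interface, not on the Internet-facing one taking tens of thousands of hits a second.

```python
"""Find likely Blaster-infected inside hosts from IOS ACL log lines.

Added example for the thread above; sample log lines, addresses and the
list number are constructed, not taken from any poster's network.
"""
import re
from collections import defaultdict

# Ports the thread filters: tcp/135 (RPC/DCOM exploit), tcp/4444 (shell the
# worm opens on a victim), udp/69 (tftp pull of the worm binary).
BLASTER_PORTS = {("tcp", 135), ("tcp", 4444), ("udp", 69)}

# IOS ACL log format, e.g.
#   %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.1.20.7(1052) -> 192.0.2.44(135), 1 packet
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog (hypothetical hosts, RFC 5737 test networks).
SAMPLE_LOG = """\
Aug 13 14:02:11: %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.1.20.7(1052) -> 192.0.2.44(135), 1 packet
Aug 13 14:02:11: %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.1.20.7(1053) -> 192.0.2.45(135), 1 packet
Aug 13 14:02:12: %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.1.20.7(1054) -> 192.0.2.46(135), 1 packet
Aug 13 14:02:12: %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.1.20.7(1055) -> 192.0.2.47(135), 1 packet
Aug 13 14:07:12: %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.1.20.7(1060) -> 192.0.2.48(135), 35 packets
Aug 13 14:02:13: %SEC-6-IPACCESSLOGP: list 115 permitted tcp 10.1.20.9(3201) -> 10.1.1.5(135), 4 packets
Aug 13 14:02:13: %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.1.30.3(1201) -> 198.51.100.7(4444), 1 packet
Aug 13 14:02:14: %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.1.30.3(1202) -> 198.51.100.8(4444), 1 packet
Aug 13 14:02:14: %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.1.30.3(1203) -> 198.51.100.9(4444), 1 packet
Aug 13 14:02:15: %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.1.40.2(2001) -> 192.0.2.10(80), 1 packet
Aug 13 14:02:16: %SYS-5-CONFIG_I: Configured from console by vty0
"""


def parse_line(line):
    """Return a dict for an ACL log line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "acl": d["acl"], "action": d["action"], "proto": d["proto"],
        "src": d["src"], "dst": d["dst"],
        "dport": int(d["dport"]), "count": int(d["count"]),
    }


def hits_by_port(lines, ports=BLASTER_PORTS):
    """Total logged packets per (proto, port), i.e. how hard we are being hit."""
    totals = {p: 0 for p in ports}
    for line in lines:
        rec = parse_line(line)
        if rec and (rec["proto"], rec["dport"]) in totals:
            totals[(rec["proto"], rec["dport"])] += rec["count"]
    return totals


def rank_sources(lines, ports=BLASTER_PORTS, min_targets=3):
    """Rank sources by distinct destinations hit on the worm ports.

    Returns [(src, distinct_targets, packets)] for sources that touched at
    least min_targets different hosts, most active first. Permitted and
    denied hits both count: what matters is the fan-out, not the verdict.
    A host talking to one domain controller on tcp/135 stays below threshold.
    """
    targets = defaultdict(set)
    packets = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or (rec["proto"], rec["dport"]) not in ports:
            continue
        targets[rec["src"]].add(rec["dst"])
        packets[rec["src"]] += rec["count"]
    ranked = [(s, len(t), packets[s]) for s, t in targets.items() if len(t) >= min_targets]
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return ranked


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (proto, port), n in sorted(hits_by_port(lines).items()):
        print(f"{proto}/{port}: {n} packets")
    for src, n_targets, n_packets in rank_sources(lines):
        print(f"suspect {src}: {n_targets} targets, {n_packets} packets")
```

Feed it `logging` output from the router (syslog to a host, then `python3 blaster_hits.py < router.log` with the sample replaced by `sys.stdin`), and review hosts that appear at the top. Note the direction of udp/69: a Blaster victim pulls the worm from the attacker over tftp, so an inside host sending udp/69 outbound is usually a machine being infected rather than one doing the infecting.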

This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:58 GMT-3