Re: Virus Alert - W32.Blaster.Worm

From: kurt (kurt@cybernex.net)
Date: Thu Aug 14 2003 - 00:24:27 GMT-3


yeah,
i'm settling on a coarse inbound bogon filter on the router and the pix
can do the rest.

----- Original Message -----
From: "MMoniz" <ccie2002@tampabay.rr.com>
To: "Charles Church" <cchurch@wamnet.com>; "kurt" <kurt@cybernex.net>;
"Brown, Patrick (NSOC-OCF}" <PBrown4@chartercom.com>; "''MADMAN ' '"
<dave@interprise.com>; "''Jung, Jin ' '" <jin.jung@lmco.com>
Cc: "'''George Gittins' ' '" <g.gittins@edinburg.esc1.net>;
<ccielab@groupstudy.com>
Sent: Wednesday, August 13, 2003 9:03 PM
Subject: RE: Virus Alert - W32.Blaster.Worm

> I agree.. I have 2 3661 Internet routers allowing it right through. I
> probably had like 10,000 scans on this today and my PIX 535 was at like
> CPU 0%. When I had a TAC case for internet problems TAC said just allow
> it through the routers and let the PIX eat it. (I didn't have a TAC case
> for this problem, but the results are the same.)
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Charles Church
> Sent: Wednesday, August 13, 2003 2:14 PM
> To: kurt; Brown, Patrick (NSOC-OCF}; ''MADMAN ' '; ''Jung, Jin ' '
> Cc: '''George Gittins' ' '; ccielab@groupstudy.com
> Subject: RE: Virus Alert - W32.Blaster.Worm
>
>
> Kurt,
>
> Why not just let the PIX block it? Its purpose in life is blocking
> packets, unlike the router. A place you might want to do ACL logging is
> on an inside interface's inbound ACL. Might make it easy to find infected
> machines inside your network, as long as the source address isn't spoofed.
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
> Wam!Net Government Services
> 13665 Dulles Technology Dr. Ste 250
> Herndon, VA 20171
> Office: 703-480-2569
> Cell: 703-819-3495
> cchurch@wamnet.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> kurt
> Sent: Wednesday, August 13, 2003 1:23 PM
> To: Brown, Patrick (NSOC-OCF}; ''MADMAN ' '; ''Jung, Jin ' '
> Cc: '''George Gittins' ' '; ccielab@groupstudy.com
> Subject: Re: Virus Alert - W32.Blaster.Worm
>
>
> my cpu generally runs 0-10%
> so this could jump to 50% cpu without log option ?
> depending on the rate we're getting hit ?
> we have a pix behind the router
> so nothing's really getting in that's not established.
>
> am i right that there's really no sense to block tftp since it could only
> come from the other end of the link ?
>
>
>
> ----- Original Message -----
> From: "Brown, Patrick (NSOC-OCF}" <PBrown4@chartercom.com>
> To: "'Kurt Kruegel '" <kurt@cybernex.net>; "''MADMAN ' '"
> <dave@interprise.com>; "''Jung, Jin ' '" <jin.jung@lmco.com>
> Cc: "'''George Gittins' ' '" <g.gittins@edinburg.esc1.net>;
> <ccielab@groupstudy.com>
> Sent: Wednesday, August 13, 2003 1:08 PM
> Subject: RE: Virus Alert - W32.Blaster.Worm
>
>
> > If you have a netflow collector server, that would be perfect for
> > identification of infected sources. I just use a linux box with
> > flow-capture. On distributed switching/distributed mem platforms like
> > GSR12, 7500, 10000, 7600 osm, etc. they handle the log option a little
> > bit better than shared mem platforms like the 7200. Below is a 7200
> > without the log option on ACL. CPU = 56%
> >
> > access-list compiled <---- turbo acl
> > deny tcp any any eq 135 (654191031 matches) <-- 654 million | 25k sec
> > deny tcp any any eq 445 (3290391 matches)
> > deny tcp any any eq 593 (11 matches)
> >
> >
> >
> >
> > -----Original Message-----
> > From: Kurt Kruegel
> > To: Brown, Patrick (NSOC-OCF}; 'MADMAN '; 'Jung, Jin '
> > Cc: ''George Gittins' '; ccielab@groupstudy.com
> > Sent: 8/13/2003 10:58 AM
> > Subject: Re: Virus Alert - W32.Blaster.Worm
> >
> > oh daaaa
> > i guess i wanted to see how hard we were getting scanned
> > it's a 7200 vxr 512mb ram
> > using cef as normal switching mode
> > i had done this with sql slammer
> > and no problems
> >
> >
> > ----- Original Message -----
> > From: "Brown, Patrick (NSOC-OCF}" <PBrown4@chartercom.com>
> > To: "'Kurt Kruegel '" <kurt@cybernex.net>; "'MADMAN '"
> > <dave@interprise.com>; "'Jung, Jin '" <jin.jung@lmco.com>
> > Cc: "''George Gittins' '" <g.gittins@edinburg.esc1.net>;
> > <ccielab@groupstudy.com>
> > Sent: Wednesday, August 13, 2003 11:53 AM
> > Subject: RE: Virus Alert - W32.Blaster.Worm
> >
> >
> > > Anytime you have the log option on the ACL, you are process switching
> > > packets. Take the log statement out of the ACL for 135 definitely. I
> > > would take it out for 4444 and 69 also, dependent on the platform. This
> > > will definitely hose your box :)
> > >
> > > ex:
> > > ip access-list ext cisco-n-microsoft-problem
> > > deny tcp any any eq 135
> > > deny tcp any any eq 445
> > > deny tcp any any eq 593
> > > deny 53 any any
> > > deny 55 any any
> > > deny 77 any any
> > > deny pim any any
> > > permit ip any any
> > >
> > > Thanks,
> > >
> > > Patrick B
> > >
> > > -----Original Message-----
> > > From: Kurt Kruegel
> > > To: MADMAN; Jung, Jin
> > > Cc: 'George Gittins'; ccielab@groupstudy.com
> > > Sent: 8/13/2003 10:45 AM
> > > Subject: Re: Virus Alert - W32.Blaster.Worm
> > >
> > > i used the access-list to try to block it and cpu freaked out
> > > and we had to power cycle
> > > anyone see a problem with this ?
> > >
> > > access-list 115 deny tcp any eq 4444 any log
> > > access-list 115 deny tcp any eq 135 any log
> > > access-list 115 deny udp any eq 69 any log
> > > access-list 115 deny icmp any any redirect
> > > access-list 115 deny ip 0.0.0.0 0.255.255.255 any
> > > access-list 115 deny ip 255.0.0.0 0.255.255.255 any
> > > access-list 115 deny ip 1.0.0.0 0.255.255.255 any
> > > access-list 115 deny ip 2.0.0.0 0.255.255.255 any
> > > access-list 115 deny ip 127.0.0.0 0.255.255.255 any
> > > access-list 115 deny ip 169.254.0.0 0.0.255.255 any
> > > access-list 115 deny ip 192.0.2.0 0.0.0.255 any
> > > access-list 115 deny ip 10.0.0.0 0.255.255.255 any
> > > access-list 115 deny ip 172.16.0.0 0.15.255.255 any
> > > access-list 115 deny ip 192.168.0.0 0.0.255.255 any
> > > own nets deleted
> > > access-list 115 permit ip any any
> > >
> > >
> > > ----- Original Message -----
> > > From: "MADMAN" <dave@interprise.com>
> > > To: "Jung, Jin" <jin.jung@lmco.com>
> > > Cc: "'George Gittins'" <g.gittins@edinburg.esc1.net>;
> > > <ccielab@groupstudy.com>
> > > Sent: Wednesday, August 13, 2003 11:11 AM
> > > Subject: Re: Virus Alert - W32.Blaster.Worm
> > >
> > >
> > > > Jung, Jin wrote:
> > > > > Hi Brian,
> > > > > Did you block tcp and udp port 135 ?
> > > > > Does it break windows netbios?
> > > > >
> > > > > I only blocked 4444 and 69, should I block 135 too?
> > > >
> > > > Yes.
> > > >
> > > > http://www.cert.org/advisories/CA-2003-20.html
> > > >
> > > > Dave
> > > >
> > > > >
> > > > > Thanks...
> > > > >
> > > > > -----Original Message-----
> > > > > From: George Gittins [mailto:g.gittins@edinburg.esc1.net]
> > > > > Sent: Wednesday, August 13, 2003 9:43 AM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: FW: Virus Alert - W32.Blaster.Worm
> > > > >
> > > > >
> > > > > Why port 135? Can you show an access-list?
> > > > >
> > > > > George Gittins
> > > > > Network Maintenance Supervisor
> > > > > ECISD
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > > > > Of Brown, Patrick (NSOC-OCF}
> > > > > Sent: Tuesday, August 12, 2003 7:58 PM
> > > > > To: 'Snow, Tim '; ''ccielab@groupstudy.com' '
> > > > > Subject: RE: Virus Alert - W32.Blaster.Worm
> > > > >
> > > > > Getting about 20,000 hits a second on ACL referencing port 135. Plus
> > > > > Arp process is going through the roof until acl is applied.
> > > > >
> > > > > Patrick B
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Snow, Tim
> > > > > To: 'ccielab@groupstudy.com'
> > > > > Sent: 8/11/2003 10:14 PM
> > > > > Subject: Virus Alert - W32.Blaster.Worm
> > > > >
> > > > > Anyone else going through the W32.Blaster.Worm?
> > > > >
> > > > >
> > > > > http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
> > > > >
> > > > > Big pain in the ....
> > > > >
> > > > > Tim
> > > > >
> > > > >
> > > > > Timothy Snow
> > > > > CCIE #12042
> > > > > EDS - Network Operations
> > > > > MS 3B
> > > > > 1075 W. Entrance Drive
> > > > > Auburn Hills, MI 48326
> > > > >
> > > > > phone: +01-248-754-7900
> > > > > mailto:timothy.snow@eds.com
> > > > > pager: 888-351-4584
> > > > > www.eds.com
> > > > >
> > > > >
> > > > >
> > >
> > _______________________________________________________________________
> > > > > You are subscribed to the GroupStudy.com CCIE R&S Discussion
> > Group.
> > > > >
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
> > > > >
> > > >
> > > >
> > > > --
> > > > David Madland
> > > > CCIE# 2016
> > > > Sr. Network Engineer
> > > > Qwest Communications
> > > > 612-664-3367
> > > >
> > > > "Government can do something for the people only in proportion as it
> > > > can do something to the people." -- Thomas Jefferson
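An added example, not code from any poster in this thread: a small Python checker for the two points the thread turns on, namely `log` on deny entries (which forces matching packets to be process-switched, the CPU spike Kurt hit) and the hit rate implied by `show access-list` match counters (where logging would hurt most). The ACE line format it accepts, the 1000 matches/sec threshold, and the 25,000-second counter interval used for the rate are assumptions made for the example.

```python
import re

# One regex covers a config-style ACE ("access-list 115 deny tcp any eq 135 any log")
# and a "show access-list" line ("deny tcp any any eq 135 (654191031 matches)").
ACE_RE = re.compile(
    r"^\s*(?:access-list\s+\S+\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+(?P<body>.*?)(?:\s+\((?P<matches>\d+)\s+matches\))?\s*$"
)

def parse_ace(line):
    """Parse one ACE line; return None for non-ACE lines such as 'access-list compiled'."""
    m = ACE_RE.match(line)
    if m is None:
        return None
    body = m.group("body").split()
    return {
        "action": m.group("action"),
        "proto": m.group("proto"),
        "ports": [body[i + 1] for i, tok in enumerate(body[:-1]) if tok == "eq"],
        "log": any(tok in ("log", "log-input") for tok in body),
        "matches": int(m.group("matches")) if m.group("matches") else None,
    }

def audit_acl(text, interval_sec=None, rate_threshold=1000.0):
    """Warn on 'log' in deny entries and on entries matching >= rate_threshold packets/sec."""
    warnings = []
    for line in text.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        label = f"{ace['action']} {ace['proto']} {'/'.join(ace['ports']) or 'any-port'}"
        if ace["log"] and ace["action"] == "deny":
            warnings.append(f"{label}: 'log' on a deny entry; matches are process-switched")
        if ace["matches"] is not None and interval_sec:
            rate = ace["matches"] / interval_sec  # assumed interval since counters were cleared
            if rate >= rate_threshold:
                warnings.append(f"{label}: {rate:,.0f} matches/sec; never log at this rate")
    return warnings

# Constructed samples built from the ACL lines quoted in the thread.
SAMPLE_ACL = """\
access-list 115 deny tcp any eq 135 any log
access-list 115 deny icmp any any redirect
access-list 115 permit ip any any
"""
SAMPLE_SHOW = """\
access-list compiled
    deny tcp any any eq 135 (654191031 matches)
    deny tcp any any eq 593 (11 matches)
"""
```

Run `audit_acl(SAMPLE_ACL)` to see the logged deny flagged, and `audit_acl(SAMPLE_SHOW, interval_sec=25000)` to see the port 135 counter reported at roughly 26k matches/sec.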



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:59 GMT-3