From: Barney Gaumer (bagaumer@yahoo.com)
Date: Thu Oct 02 2003 - 14:31:11 GMT-3
Sounds right Dave - I was way off with my earlier
thought. I was thinking of Call manager & some other
platforms.
I did find a cool link, though, regarding the use of
NBAR to knock down "Code Red"; you may be able to apply the
same methodology to some of these other HTTP-based
worms.
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml
L8tr,
Barney
--- MADMAN <dmadlan@qwest.com> wrote:
> Just got off the phone with another customer who periodically had to
> reload his router to regain connectivity. Problem was all his memory
> was being used and the culprit was NAT. A quick look at the NAT stats a
> couple of minutes after a reload shows:
>
> ROUTER#sh ip nat stat
> Total active translations: 13633 (8 static, 13625 dynamic; 13633 extended)
> Outside interfaces:
> Serial0
> Inside interfaces:
> FastEthernet0
> Hits: 82227 Misses: 416709
> Expired translations: 403110
>
> Lots of translations in only a 5 minute span of a relatively small
> office!!
>
> A show ip nat trans shows that the vast majority of the translations
> were originated from two hosts and almost all the translations were ICMP.
> I denied ICMPs into the FE from those two hosts as a temporary fix
> while the customer figures out who they are and cleanses the offenders.
>
> Dave
>
> McClure, Allen wrote:
>
> > Depends which virus you're talking about, but in general it's a memory
> > issue related to the quantity of half-open connections being generated.
> >
> > For the TCP connection issue, you might try TCP Intercept. I've recommended
> > its deployment here, but we're shy on code/DRAM on many routers. Not
> > sure if that'll help, but I'm betting it will considering how many
> > half-opens I'm seeing when these things are active.
> >
> > For the ICMP ones, you might try blocking anything specific that you can
> > isolate about the virus. If I remember correctly, Welchia utilizes
> > 92-byte ICMP echoes. Easy enough to drop without impacting normal ICMP
> > operation. Rate-limiting ICMP is also something we're considering.
> >
> > We're using a combo of PIX Firewalls and FW-1 running on SunOS. The Sun
> > buckles quite harshly when a virus gets on even a single internal
> > system.
> >
> > Allen G. McClure
> > CCNP/CCDP/MCSE
> > Yum! Brands, Inc.
> > Sr. Network Analyst
> > allen.mcclure@yum.com
> >
> >
> >
> >
> > -----Original Message-----
> > From: Gracie Pereira [mailto:goa0201@yahoo.com]
> > Sent: Thursday, October 02, 2003 8:41 AM
> > To: ccielab@groupstudy.com
> > Subject: ROuter Reboot due to Virus !!
> >
> >
> > Hi everybody,
> >
> > We manage Cisco 3660 routers with version 12.2(2)XB5.
> > Due to recent virus attacks, the router keeps rebooting after staying up
> > for a couple of hours. We tried blocking the virus ports, but no help.
> >
> > It's now affecting a couple more routers. Is there any way to stop it before
> > the router gets affected and starts reloading on its own?
> >
> > Trying a lot of possibilities. If anyone has any recommendations on this
> > issue, please share the info.
> >
> > thanks
> > goa0201
> >
> >
> >
> >
> >
>
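As an added example (not code from the thread, and not Cisco's), here is a small Python script that does what Dave describes doing by hand: it parses `show ip nat translations` output, finds inside hosts whose translations are almost entirely ICMP and fan out to many distinct outside addresses (one dynamic translation per pinged target is exactly how a Welchia-style sweep fills the NAT table), and prints the temporary fix he applied as an IOS named extended ACL denying ICMP from those hosts inbound on the inside interface. The NAT listing, addresses, counts, ACL name (`BLOCK-WORM-ICMP`), interface (`FastEthernet0`) and thresholds are all constructed for illustration. The NAT table carries no packet length, so the 92-byte signature Allen mentions is not used here; the script keys on fan-out instead.

```python
"""Find inside hosts flooding a Cisco NAT table with ICMP translations.

Added example, not from the thread. Parses `show ip nat translations` text,
flags hosts whose entries are almost all ICMP and spread over many outside
addresses, and emits a deny-ICMP ACL for them. All names, addresses and
thresholds below are assumed for illustration.
"""
import re
from collections import Counter, defaultdict

# One NAT entry per line: Pro, Inside global, Inside local, Outside local, Outside global.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def build_sample() -> str:
    """Construct a `show ip nat translations` listing (sample data, not a real capture).

    Two inside hosts sweep a /24 with ICMP echo (one dynamic translation per
    target), one host has normal TCP sessions, and one entry is static.
    """
    lines = ["Pro Inside global      Inside local       Outside local      Outside global"]
    for inside, n in (("10.1.1.5", 60), ("10.1.1.7", 45)):
        for i in range(1, n + 1):
            tgt = f"198.51.100.{i}"
            lines.append(f"icmp 203.0.113.1:{i}   {inside}:512   {tgt}:512   {tgt}:512")
    for port in (1025, 1026, 1027):
        lines.append(f"tcp 203.0.113.1:{port}  10.1.1.10:{port}   192.0.2.80:80   192.0.2.80:80")
    lines.append("--- 203.0.113.2        10.1.1.20          ---                ---")
    return "\n".join(lines) + "\n"


def split_addr(field: str):
    """Split 'a.b.c.d:port' into (ip, port); static entries and '---' have no port."""
    ip, sep, port = field.rpartition(":")
    return (ip, int(port)) if sep else (field, None)


def parse_nat_translations(text: str) -> list:
    """Return one dict per translation line; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) == "Pro":
            continue
        proto, _inside_global, inside_local, _outside_local, outside_global = m.groups()
        il_ip, il_port = split_addr(inside_local)
        og_ip, _ = split_addr(outside_global)
        entries.append({"proto": proto, "inside_local": il_ip,
                        "inside_port": il_port, "outside_global": og_ip})
    return entries


def find_icmp_sweepers(entries: list, min_icmp: int = 40, min_targets: int = 20,
                       min_ratio: float = 0.9) -> list:
    """Return (host, icmp_count, distinct_targets) for hosts that look like ICMP sweepers.

    A sweeper holds many ICMP translations, they make up nearly all of its
    entries, and they point at many different outside hosts. Thresholds are
    illustrative; tune them to the size of the site.
    """
    per_host = defaultdict(Counter)
    targets = defaultdict(set)
    for e in entries:
        per_host[e["inside_local"]][e["proto"]] += 1
        if e["proto"] == "icmp":
            targets[e["inside_local"]].add(e["outside_global"])
    flagged = []
    for host, protos in per_host.items():
        icmp, total = protos["icmp"], sum(protos.values())
        if icmp >= min_icmp and len(targets[host]) >= min_targets and icmp / total >= min_ratio:
            flagged.append((host, icmp, len(targets[host])))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


def build_icmp_block_acl(hosts: list, acl_name: str = "BLOCK-WORM-ICMP",
                         interface: str = "FastEthernet0") -> str:
    """Emit an IOS named extended ACL denying ICMP from `hosts`, applied inbound on the inside interface.

    The trailing `permit ip any any` is required: without it the ACL's
    implicit deny would drop every other inside host too.
    """
    cfg = [f"ip access-list extended {acl_name}"]
    cfg += [f" deny icmp host {h} any" for h in hosts]
    cfg += [" permit ip any any", f"interface {interface}", f" ip access-group {acl_name} in"]
    return "\n".join(cfg) + "\n"


if __name__ == "__main__":
    found = find_icmp_sweepers(parse_nat_translations(build_sample()))
    for host, n, fanout in found:
        print(f"{host}: {n} ICMP translations to {fanout} distinct outside hosts")
    print(build_icmp_block_acl([h for h, _, _ in found]))
```

To use it on a real router, replace `build_sample()` with the pasted output of `show ip nat translations`. Dropping the echoes inbound on the inside interface stops them before NAT allocates a translation, which is why the memory comes back without a reload; the ACL is only a stopgap until the two hosts are cleaned.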
This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:55 GMT-3