Re: Router Reboot due to Virus !!

From: Barney Gaumer (bagaumer@yahoo.com)
Date: Thu Oct 02 2003 - 14:47:01 GMT-3


Sorry - gave the wrong link for the NBAR stuff.

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

L8,
Barney
--- Barney Gaumer <bagaumer@yahoo.com> wrote:
> Sounds right Dave - I was way off with my earlier thought. I was
> thinking of Call manager & some other platforms.
>
> http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml
>
> I did find a cool link though regarding the use of NBAR to knock
> down "code red"; may be able to apply the same methodology to some
> of these other HTTP-based worms.
>
> http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml
>
> L8tr,
> Barney
>
>
> --- MADMAN <dmadlan@qwest.com> wrote:
> > Just got off the phone with another customer who periodically had
> > to reload his router to regain connectivity. Problem was all his
> > memory was being used and the culprit was NAT. A quick look at the
> > NAT stats a couple minutes after a reload shows:
> >
> > ROUTER#sh ip nat stat
> > Total active translations: 13633 (8 static, 13625 dynamic; 13633 extended)
> > Outside interfaces:
> >   Serial0
> > Inside interfaces:
> >   FastEthernet0
> > Hits: 82227  Misses: 416709
> > Expired translations: 403110
> >
> > Lots of translations in only a 5 minute span of a relatively small
> > office!!
> >
> > A show ip nat trans shows that the vast majority of the
> > translations were originated from two hosts and almost all the
> > translations were ICMP. I denied ICMPs into the FE from those two
> > hosts as a temporary fix while the customer figures out who they
> > are and cleanses the offenders.
> >
> > Dave
> >
> > McClure, Allen wrote:
> >
> > > Depends which virus you're talking about, but in general it's a
> > > memory issue related to the quantity of half-open connections
> > > being generated.
> > >
> > > For the TCP connection issue, you might try TCP Intercept. I've
> > > recommended its deployment here, but we're shy on code/DRAM on
> > > many routers. Not sure if that'll help, but I'm betting it will
> > > considering how many half-opens I'm seeing when these things are
> > > active.
> > >
> > > For the ICMP ones, you might try blocking anything specific that
> > > you can isolate about the virus. If I remember correctly, Welchia
> > > utilizes 92-byte ICMP echoes. Easy enough to drop without
> > > impacting normal ICMP operation. Rate-limiting ICMP is also
> > > something we're considering.
> > >
> > > We're using a combo of PIX Firewalls and FW-1 running on SunOS.
> > > The Sun buckles quite harshly when a virus gets on even a single
> > > internal system.
> > >
> > > Allen G. McClure
> > > CCNP/CCDP/MCSE
> > > Yum! Brands, Inc.
> > > Sr. Network Analyst
> > > allen.mcclure@yum.com
> > >
> > >
> > > -----Original Message-----
> > > From: Gracie Pereira [mailto:goa0201@yahoo.com]
> > > Sent: Thursday, October 02, 2003 8:41 AM
> > > To: ccielab@groupstudy.com
> > > Subject: Router Reboot due to Virus !!
> > >
> > > Hi everybody,
> > >
> > > We manage Cisco 3660 routers with version 12.2(2)XB5. Due to
> > > recent virus attacks, the router keeps rebooting after staying up
> > > for a couple of hours. We tried blocking the virus ports, but no
> > > help.
> > >
> > > It's now affecting a couple more routers. Is there any way to stop
> > > it before the router gets affected and starts reloading on its
> > > own?
> > >
> > > Trying a lot of possibilities. If anyone has any recommendation on
> > > this issue, please share the info.
> > >
> > > thanks
> > > goa0201
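Dave's triage in the quoted reply (most NAT translations from two inside hosts, almost all of them ICMP) can be automated by parsing the output of `show ip nat translations`. The following is an added example, not code from the thread or from Cisco; the NAT table below is a constructed sample, and the inside addresses 10.1.1.20 and 10.1.1.21 are placeholders standing in for the offending hosts.

```python
import re
from collections import Counter

# Constructed sample of "show ip nat translations" output (not from the thread).
# The last row is a static translation, shown by IOS with "---" in the outside columns.
SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.5:512   10.1.1.20:512      198.51.100.7:512   198.51.100.7:512
icmp 203.0.113.5:513   10.1.1.20:513      198.51.100.8:513   198.51.100.8:513
icmp 203.0.113.5:514   10.1.1.20:514      198.51.100.9:514   198.51.100.9:514
icmp 203.0.113.5:515   10.1.1.21:515      198.51.100.10:515  198.51.100.10:515
icmp 203.0.113.5:516   10.1.1.21:516      198.51.100.11:516  198.51.100.11:516
tcp  203.0.113.5:1025  10.1.1.30:1025     192.0.2.80:80      192.0.2.80:80
udp  203.0.113.5:53001 10.1.1.31:53001    192.0.2.53:53      192.0.2.53:53
---  203.0.113.6       10.1.1.2           ---                ---
"""

# One extended translation per line: protocol plus four address[:port] columns.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_nat_table(text):
    """Return (protocol, inside_local_ip) for each dynamic entry; static '---' rows are skipped."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the column header
        m = LINE_RE.match(line)
        if not m or m.group(1) == "---":
            continue
        proto, inside_local = m.group(1), m.group(3)
        entries.append((proto, inside_local.rsplit(":", 1)[0]))  # drop the port
    return entries


def top_talkers(entries, n=2):
    """Inside hosts holding the most translations, each with the fraction of them that is ICMP."""
    per_host = Counter(ip for _, ip in entries)
    icmp_per_host = Counter(ip for proto, ip in entries if proto == "icmp")
    return [(ip, count, icmp_per_host[ip] / count) for ip, count in per_host.most_common(n)]


def protocol_share(entries):
    """Fraction of dynamic translations per protocol; a table dominated by ICMP is the signal Dave saw."""
    total = len(entries)
    return {proto: c / total for proto, c in Counter(p for p, _ in entries).items()}


if __name__ == "__main__":
    table = parse_nat_table(SAMPLE_NAT_TABLE)
    print("protocol share:", protocol_share(table))
    for ip, count, icmp_frac in top_talkers(table):
        print(f"{ip}: {count} translations, {icmp_frac:.0%} ICMP")
```

On a real router, feed the script the captured output of `show ip nat translations`; the hosts it ranks first are the ones to check before any interface-level ICMP filter goes in.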



This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:55 GMT-3