Solved

How to block W32.Blaster in an enterprise MAN/WAN at Cisco Routers

Posted on 2004-05-01
8
221 Views
Last Modified: 2010-04-17
I have a customer with 9 locations connected together via T1 circuts.  The routers at the sites are Cisco 1721's with T1 WICs.   There are 60 Win2K servers with an Active Directory DC at each site.  Cisco's recommendation only addresses the router at the edge and will not work for the other routers in this scenerio.   Is there any way to block Blaster at the router level, using the 1721's that are currently in place, without stopping valid communications between sites and servers?
0
Comment
Question by:JCRussell
  • 2
  • 2
  • 2
8 Comments
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 125 total points
ID: 10972128
Simply block icmp echo on the local lan interface:

access-list 102 deny icmp any any echo
access-list 102 permit ip any any

Interface FastEthernet 0
 access-group 102 in


0
 
LVL 1

Author Comment

by:JCRussell
ID: 10972262
From the activity that we are seeing, it appears that Blast is scanning ports.  All of the machines that have Blast are sending epmap packets with consecutive port numbers.  At least all the machines that are scanning have Blast.  Is this Blast or something else?  Will blocking icmp echos stop this activity?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10973493
blocking icmp echo requests will localize the outbreak to the local lan. The blast of icmp is what kills networks. At the very least, this will keep the infection localized and keep the extra traffic off of your WAN links until you can eradicate it.
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 28

Expert Comment

by:mikebernhardt
ID: 10980281
Also block TCP port 135 (DCom), which is what Blaster propagates itself with once it finds a live host. Although it will try port 80 also...
0
 
LVL 1

Author Comment

by:JCRussell
ID: 10983202
Won't blocking 135 stop file sharing, etc.?
0
 
LVL 28

Accepted Solution

by:
mikebernhardt earned 125 total points
ID: 10988071
Nope. It's not used for anything useful. It amost seems as if it was designed to give hackers a good tool for worms.

http://grc.com/dcom/
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Port 808 is being blocked 9 121
Building small business network 4 89
Random Terminal Server disconnections. 2 227
Viber-Only Restriction 6 57
While it is possible to put two routes in place with the secondary having a higher metric, this may not always work. In the event of a failure that does not bring down the physical interface on the router the primary route is not removed. There is a…
New Server 172.16.200.2  was moved from behind Router R2 f0/1 to behind router R1 int f/01 and has now address 172.16.100.2. But we want users still to be able to connected to it by old IP. How to do it ? We can used destination NAT (DNAT).  In DNAT…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question