How to block W32.Blaster in an enterprise MAN/WAN at Cisco Routers

I have a customer with 9 locations connected together via T1 circuts.  The routers at the sites are Cisco 1721's with T1 WICs.   There are 60 Win2K servers with an Active Directory DC at each site.  Cisco's recommendation only addresses the router at the edge and will not work for the other routers in this scenerio.   Is there any way to block Blaster at the router level, using the 1721's that are currently in place, without stopping valid communications between sites and servers?
LVL 1
JCRussellAsked:
Who is Participating?
 
mikebernhardtCommented:
Nope. It's not used for anything useful. It amost seems as if it was designed to give hackers a good tool for worms.

http://grc.com/dcom/
0
 
lrmooreCommented:
Simply block icmp echo on the local lan interface:

access-list 102 deny icmp any any echo
access-list 102 permit ip any any

Interface FastEthernet 0
 access-group 102 in


0
 
JCRussellAuthor Commented:
From the activity that we are seeing, it appears that Blast is scanning ports.  All of the machines that have Blast are sending epmap packets with consecutive port numbers.  At least all the machines that are scanning have Blast.  Is this Blast or something else?  Will blocking icmp echos stop this activity?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
lrmooreCommented:
blocking icmp echo requests will localize the outbreak to the local lan. The blast of icmp is what kills networks. At the very least, this will keep the infection localized and keep the extra traffic off of your WAN links until you can eradicate it.
0
 
mikebernhardtCommented:
Also block TCP port 135 (DCom), which is what Blaster propagates itself with once it finds a live host. Although it will try port 80 also...
0
 
JCRussellAuthor Commented:
Won't blocking 135 stop file sharing, etc.?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.