09-12-2004 01:40 PM - edited 03-02-2019 06:25 PM
Hi,
My network consists of lots of VLANs linking various sites (external via LES circuits and internal departments) to a central server core. We have been hit by the Korgo virus (we have the Cisco 4235 IDS, so it was identified very quickly). I want to put access lists on all my VLANs to deny TCP and UDP port 445 (microsoft-ds), as this is how the infected hosts scan for suitable victims. I've tested it and cannot see any impact apart from the desired one; can anyone confirm this or point out the flaws? Many thanks in advance.
Solved! Go to Solution.
09-12-2004 11:23 PM
You can find some stuff about these protocols in:
I hope you find this useful. If so, please don't forget to fill in the "solved" and "rate this post" fields.
Thanks in advance.
Kevin Dorrell
Luxembourg
09-12-2004 02:54 PM
There are pluses and minuses to filtering this way. The major plus is that you help contain the spread of the virus. There are a couple of potential minuses to keep in mind. The first is the possibility of some mistake in constructing the access list which could impact traffic in a way that you do not anticipate. Perhaps the most important question is whether there is legitimate traffic in your network that uses port 445.
An approach that I see with some frequency is to do this kind of filtering at the edges of the network. It is usually pretty easy to say that there should not be legitimate traffic on port 445 from remote networks to you or from machines in your network to other remote networks. I also sometimes see filters on interior routers that deny traffic for port 445 which have destination addresses in remote networks.
HTH
Rick
09-12-2004 11:11 PM
Thanks very much for both responses.
Previously I had blocked this port (445) on our 100Mb internet link, both incoming and outgoing, to prevent infections, as per most Cisco web examples (also 135-139).
The interior network is different, as we are a core service for all the schools and public service depts (we are a local County Council). Basically we operate one large LAN using many VLANs, but with traffic only traversing our PIXs when they need the internet.
Thanks again, I will keep an eye on any issues that appear...
09-12-2004 06:24 PM
I have done this on our network, and I can demonstrate that it has saved us from infection several times. It seems to have no ill effect on the Microsoft traffic. From Windows 2000, Microsoft prefers to use port tcp/445 for connection to Windows servers, i.e. the direct CIFS file service. However, the (NT or XP) client also tries good old NBT on tcp/137 at the same time, which seems to work just as well with just a little more overhead.
Port 445 must be the most buggy port of any in the Microsoft software. Watch any Internet connection, and you can see continuous worm traffic on this port trying to hack into your system. It is estimated that the average life expectancy of any unpatched XP system connected to the Internet is about 20 minutes, and it is almost always tcp/445 that gets it.
I would recommend yes, block it.
Kevin Dorrell
Luxembourg
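As an added illustration, not configuration posted by anyone in this thread, here is what the access list the original poster describes (deny tcp/udp 445 on every VLAN) and the edge-style variant Rick suggests (deny 445 only towards remote networks, while the central servers that legitimately serve CIFS stay reachable) look like in IOS syntax. The VLAN number, the BLOCK-MS-DS names and the 10.x prefixes are placeholders; the "log" keyword is there so that the deny counters and log messages point you at the scanning hosts Kevin mentions.

```cisco
! Added example, not from the original thread. Names, VLAN number and prefixes
! are placeholders chosen for illustration.
!
! Blanket version for an interior VLAN interface: drop SMB over TCP/IP (445)
! in both directions and let everything else through. The final "permit ip
! any any" is what you must not forget: an IOS ACL ends in an implicit deny,
! so a list with only the two deny lines would cut the VLAN off completely.
ip access-list extended BLOCK-MS-DS
 deny   tcp any any eq 445 log
 deny   udp any any eq 445 log
 permit ip any any
!
! Edge-style version: 445 to the central server VLAN stays allowed, 445
! towards the remote site ranges is dropped, everything else passes.
ip access-list extended BLOCK-MS-DS-EDGE
 remark placeholder prefixes: 10.1.1.0/24 = central servers, 10.20.0.0/16 = remote sites
 permit tcp any 10.1.1.0 0.0.0.255 eq 445
 deny   tcp any 10.20.0.0 0.0.255.255 eq 445 log
 deny   udp any 10.20.0.0 0.0.255.255 eq 445 log
 permit ip any any
!
! Apply on the routed VLAN interface. "in" catches traffic leaving the VLAN's
! hosts for other VLANs, "out" catches traffic arriving for them.
interface Vlan100
 description placeholder: school site VLAN
 ip access-group BLOCK-MS-DS in
 ip access-group BLOCK-MS-DS out
!
! Checks after applying: climbing deny counters on one VLAN point at the
! infected host(s); a zero count on the permit line is the first sign the
! list has been written or applied the wrong way round.
! show ip access-lists BLOCK-MS-DS
! show logging | include BLOCK-MS-DS
```

Two caveats a practitioner would want here. First, an ACL on a routed VLAN interface only sees traffic that crosses the router, so it does nothing for scans between two hosts on the same VLAN; containing those needs a VLAN access map (`vlan access-map` / `vlan filter`) or host-based firewalling. Second, during an active outbreak the `log` keyword can generate a large volume of messages from a single worm-infested VLAN, so either rate-limit logging or drop the keyword once the infected hosts have been identified.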