01-26-2003 09:14 AM - edited 03-02-2019 04:32 AM
Have other people had success with the 1434 tcp/udp ACL lists? I don't seem to be getting a comfortable block either with inbound or outbound and have tried applying to both main interface and subinterfaces. Though I am picking up the offending IPs in my logs, traffic is still way above average for a Sunday....
01-26-2003 11:37 AM
I know a few people who are blocking it fine that way, and I'm blocking it here at home, but my hits are nowhere near what they are seeing.
How is your access-list defined and applied? Is it on your edge/internet routers? Perhaps some machines in your network are already infected and this is where the traffic you are seeing is coming from.
If you do 'show access-list' on the router you should see hits on the deny 1434 statement.
URLs for reference on this worm:
http://www.cisco.com/warp/public/707/cisco-sa-20030126-ms02-061.shtml
http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp
01-26-2003 02:29 PM
This is what seems to be working best; some interfaces are still passing more traffic than I would like to see. I have tried to apply "out" on WAN links that seem to be more saturated than usual (possibly indicating site infection) but this only seems to make the router sluggish.
interface Serial2/0/1
 ip access-group ms-sql in
interface Vlan2
 ip access-group ms-sql in
ip access-list extended ms-sql
 deny tcp any any eq 1434 log
 deny tcp any any eq 1433 log
 deny udp any any eq 1433 log
 deny udp any any eq 1434 log
 permit ip any any
01-26-2003 03:42 PM
You may want to remove the log option if you're getting hit hard or change it to log-input.
01-28-2003 11:32 AM
Thanks, I went to the VACLs on the 6000 switches and this helped on the problem children.
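An added example, not part of the original thread: the replies suggest that some of the traffic may come from machines already infected inside the network, and the ms-sql ACL above logs its denies. This sketch totals denied UDP/1434 packets per source from IOS `%SEC-6-IPACCESSLOGP` log lines and separates internal sources from external ones. The log lines, all addresses and the 10.0.0.0/8 internal prefix are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines in the IOS %SEC-6-IPACCESSLOGP format that
# the "log" keyword on the ms-sql ACL entries produces (addresses are made up).
SAMPLE_LOG = """\
Jan 26 14:31:02: %SEC-6-IPACCESSLOGP: list ms-sql denied udp 10.20.4.17(1046) -> 198.51.100.9(1434), 1 packet
Jan 26 14:31:02: %SEC-6-IPACCESSLOGP: list ms-sql denied udp 203.0.113.50(3312) -> 10.20.4.30(1434), 1 packet
Jan 26 14:36:07: %SEC-6-IPACCESSLOGP: list ms-sql denied udp 10.20.4.17(1046) -> 192.0.2.77(1434), 412 packets
Jan 26 14:36:09: %SEC-6-IPACCESSLOGP: list ms-sql denied udp 10.20.9.5(2201) -> 198.51.100.200(1434), 97 packets
Jan 26 14:36:11: %SEC-6-IPACCESSLOGP: list ms-sql denied tcp 10.20.4.22(4410) -> 10.20.9.5(1433), 3 packets
Jan 26 14:36:12: %SEC-6-IPACCESSLOGP: list other-acl denied udp 10.20.4.99(1030) -> 192.0.2.1(1434), 5 packets
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def slammer_sources(log_text, acl="ms-sql", internal=("10.0.0.0/8",)):
    """Sum denied UDP/1434 packets per source; split internal vs external."""
    nets = [ipaddress.ip_network(n) for n in internal]
    inside, outside = Counter(), Counter()
    for m in LINE_RE.finditer(log_text):
        # Only the named ACL and only the worm's port: UDP 1434.
        if m["acl"] != acl or m["proto"] != "udp" or m["dport"] != "1434":
            continue
        src = ipaddress.ip_address(m["src"])
        bucket = inside if any(src in n for n in nets) else outside
        bucket[str(src)] += int(m["count"])
    return inside, outside


if __name__ == "__main__":
    inside, outside = slammer_sources(SAMPLE_LOG)
    for ip, pkts in inside.most_common():
        print(f"internal source, check for infection: {ip} ({pkts} packets)")
    for ip, pkts in outside.most_common():
        print(f"external source, dropped at the edge: {ip} ({pkts} packets)")
```

Internal sources with high counts are the hosts to isolate first; dropping the `log` keyword, as suggested in the thread, removes this data source, so collect it before doing so.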