363 Views, 0 Helpful, 4 Replies

W32/SQLSlammer worm

jeff.funston
Level 1

Have other people had success with the 1434 TCP/UDP ACLs? I don't seem to be getting a comfortable block either inbound or outbound, and I have tried applying it to both the main interface and the subinterfaces. Though I am picking up the offending IPs in my logs, traffic is still way above average for a Sunday....

4 Replies

Erick Bergquist
Level 6

I know a few people who are blocking it fine that way, and I'm blocking it here at home, but my hits are nowhere near what they are seeing.

How is your access-list defined and applied? Is it on your edge/internet routers? Perhaps some machines in your network are already infected, and that is where the traffic you are seeing is coming from.

If you do 'show access-list' on the router, you should see hits on the deny 1434 statement.

URLs for reference on this worm:

http://www.cisco.com/warp/public/707/cisco-sa-20030126-ms02-061.shtml

http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp

This is what seems to be working best; some interfaces are still passing more traffic than I would like to see. I have tried to apply it "out" on WAN links that seem to be more saturated than usual (possibly indicating site infection), but this only seems to make the router sluggish.

! Define the ACL first, then apply it inbound on the edge and VLAN interfaces.
! Slammer itself uses UDP/1434; TCP/1433-1434 and UDP/1433 are denied as well.
ip access-list extended ms-sql
 deny tcp any any eq 1434 log
 deny tcp any any eq 1433 log
 deny udp any any eq 1433 log
 deny udp any any eq 1434 log
 permit ip any any
!
interface Serial2/0/1
 ip access-group ms-sql in
!
interface Vlan2
 ip access-group ms-sql in

You may want to remove the log option if you're getting hit hard or change it to log-input.
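The reply above makes two points that the log entries can confirm: the deny lines should be taking hits, and if internal machines are already infected, the logged source addresses will show it. The following script is an added example and is not code from this thread or from Cisco. It parses IOS extended-ACL log lines of the %SEC-6-IPACCESSLOGP form (the sample lines are constructed, not real captures; with log-input the line also carries the ingress interface and MAC, which the pattern treats as optional), keeps only UDP/1434 denies, and splits the source addresses into internal (RFC 1918 ranges, an assumption about what counts as "inside") and external, so that internal top talkers can be pulled off the network.

```python
import re
import ipaddress
from collections import Counter

# IOS extended-ACL log line, e.g.
#   %SEC-6-IPACCESSLOGP: list ms-sql denied udp 192.168.5.17(1301) -> 203.0.113.9(1434), 1 packet
# With "log-input" the source is followed by "(<interface> <mac>)", handled as an optional group.
ACL_LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+)(?: (?P<mac>[0-9a-f.]+))?\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Assumption: anything in the RFC 1918 ranges is "our" network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample syslog lines, not real captures.
SAMPLE_LOG = """\
Jan 26 09:14:02.113: %SEC-6-IPACCESSLOGP: list ms-sql denied udp 192.168.5.17(1301) -> 203.0.113.9(1434), 1 packet
Jan 26 09:14:02.120: %SEC-6-IPACCESSLOGP: list ms-sql denied udp 192.168.5.17(1301) -> 198.51.100.4(1434), 1 packet
Jan 26 09:14:03.004: %SEC-6-IPACCESSLOGP: list ms-sql denied udp 198.51.100.77(4021) -> 192.168.5.40(1434), 1 packet
Jan 26 09:14:03.510: %SEC-6-IPACCESSLOGP: list ms-sql denied tcp 10.0.0.9(3389) -> 203.0.113.9(1433), 1 packet
Jan 26 09:19:02.200: %SEC-6-IPACCESSLOGP: list ms-sql denied udp 192.168.5.17(1301) (Vlan2 0000.0c07.ac01) -> 203.0.113.9(1434), 5 packets
Jan 26 09:19:10.000: %SYS-5-CONFIG_I: Configured from console by vty0
"""


def parse_acl_log(line):
    """Return a dict of the ACL log fields, or None if the line is not an ACL deny entry."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def slammer_sources(lines, port=1434):
    """Count denied UDP packets per source IP toward the given port.

    Returns (internal, external): two Counters keyed by source address.
    Internal sources are the likely infected hosts on our own network.
    """
    internal, external = Counter(), Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] != port:
            continue
        bucket = internal if is_internal(rec["src"]) else external
        bucket[rec["src"]] += rec["count"]
    return internal, external


def rank_sources(counter):
    """Sources ordered by denied packet count, busiest first."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    inside, outside = slammer_sources(SAMPLE_LOG.splitlines())
    print("Probable infected internal hosts (UDP/1434 denies):")
    for ip, n in rank_sources(inside):
        print(f"  {ip:<16} {n} packets")
    print("External scanners hitting the edge:")
    for ip, n in rank_sources(outside):
        print(f"  {ip:<16} {n} packets")
```

Feed it the router's syslog (or the buffered log from `show logging`) rather than the constructed sample; the internal list is the set of machines to isolate, and an internal source that keeps appearing after the ACL is in place means the host is still scanning from inside the deny point.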

Thanks, I went to the VACLs on the 6000 switches and this helped on the problem children.
