
Sasser Worm Attack? How can I block?

akhan2004
Level 1

How can I block Sasser traffic from outside to inside on the PIX Firewall and core router?

How can I mitigate a DDoS problem on a switch port?

5 Replies

sachinraja
Level 9

Hi Khan,

Try blocking the following ports on the PIX/core router: TCP 445 / TCP 9996 / TCP 5554. It's always better to block these using good antivirus software or an IDS. Try blocking these ports and let us know if it solves your problem.

Raj

Hi Raj

The mentioned TCP ports are already blocked at the same time during the attack.

Maybe it is a variant of Sasser working on some other port!

On the core router, try enabling "ip route-cache flow" on the inside interface, then run "show ip cache flow" and see the traffic pattern. Find out the DST port (it is in hex, so convert it to decimal).

Thanks

Nadeem
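
The step described in the post above (reading "show ip cache flow" and converting the hex DstP column to decimal), as an added example that is not part of the original thread: a Python parser that converts the protocol and port fields from hex and lists sources contacting several hosts on one destination port, marking whether that port is among the three TCP ports named in the thread. The sample rows, the addresses and the `min_hosts` threshold are constructed for illustration, and the row layout is assumed to be the classic IOS flow-cache format.

```python
import re
from collections import defaultdict

# Constructed sample of `show ip cache flow` rows (not from a real router).
# IOS prints the Pr, SrcP and DstP columns in hexadecimal.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.23       Fa0/1         10.2.0.4        06 0C11 01BD     2
Fa0/0         10.1.1.23       Fa0/1         10.2.0.5        06 0C12 01BD     2
Fa0/0         10.1.1.23       Fa0/1         10.2.0.6        06 0C13 01BD     2
Fa0/0         10.1.1.23       Fa0/1         10.2.0.7        06 0C14 2328     1
Fa0/0         10.1.1.23       Fa0/1         10.2.0.8        06 0C15 2328     1
Fa0/0         10.1.1.40       Fa0/1         10.2.0.9        06 0D00 0050    12
Fa0/0         10.1.1.41       Fa0/1         10.2.0.9        11 0E00 0035     1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
HEX4 = r"([0-9A-Fa-f]{4})"
ROW = re.compile(rf"^\S+\s+{IP}\s+\S+\s+{IP}\s+([0-9A-Fa-f]{{2}})\s+{HEX4}\s+{HEX4}\s+(\d+)$")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
BLOCKED_TCP = {445, 9996, 5554}  # the ports named in the thread


def parse_flows(text):
    """Yield (src_ip, dst_ip, proto, dst_port, packets) with decimal ports."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, statistics table or blank line
        src, dst, pr, _sport, dport, pkts = m.groups()
        proto = int(pr, 16)
        yield src, dst, PROTO.get(proto, str(proto)), int(dport, 16), int(pkts)


def fan_out(text, min_hosts=2):
    """List (src, proto, dst_port, distinct_hosts, already_blocked), widest first."""
    targets = defaultdict(set)
    for src, dst, proto, dport, _pkts in parse_flows(text):
        targets[(src, proto, dport)].add(dst)
    rows = [(src, proto, port, len(hosts), proto == "tcp" and port in BLOCKED_TCP)
            for (src, proto, port), hosts in targets.items() if len(hosts) >= min_hosts]
    return sorted(rows, key=lambda r: -r[3])


if __name__ == "__main__":
    for src, proto, port, hosts, blocked in fan_out(SAMPLE):
        note = "in block list" if blocked else "NOT in block list"
        print(f"{src} -> {proto}/{port}: {hosts} hosts ({note})")
```

A source that reaches many hosts on a port outside the block list is the row to investigate first; the same tally can be run on the connection list from the PIX once its ports are in decimal.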

swilson
Level 1

Sasser uses SMB shares to spread, and could be well guarded against only through a good security policy about bringing external laptops etc. onto the network, using a good antivirus at all levels (I would prefer TrendMicro, provided you really configure it well), and NIDS and HIDS. Any loophole in this could land up in infections.

A firewall, especially the PIX, plays a somewhat lesser role in blocking Sasser, as only the required ports on the PIX are open from outside to inside.

All the Best!

Wilson Samuel

techmandude
Level 1

Check the show conn output on the PIX and it will give you a list of connections going through it. You can then easily see which ports are being used.