07-10-2004 01:12 AM - edited 03-09-2019 08:01 AM
How can I block Sasser traffic from outside to inside on a PIX Firewall and core router?
How can I mitigate a DDoS problem on a switch port?
07-10-2004 11:40 PM
Hi Khan,
Try blocking the following ports on the PIX/core router: TCP 445 / TCP 9996 / TCP 5554. It's always better to block these using good antivirus software or IDS. Try blocking these ports and let us know if it solves your problem.
Raj
07-10-2004 11:57 PM
Hi Raj
The mentioned TCP ports are already blocked at the same time during the attack.
07-11-2004 10:13 AM
Maybe it is a variant of Sasser and working on some other port!
On the core router, try enabling "ip route-cache flow" on the inside interface, then run "show ip cache flow"
and see the traffic pattern. Find out the DST port (it is in hex, so convert it to decimal).
Thanks
Nadeem
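The hex-to-decimal step from the post above, as an added example that is not part of the original thread: it parses `show ip cache flow` lines, converts protocol and ports to decimal, and ranks destination ports by how many distinct hosts were contacted. The sample lines are constructed, and the column layout (SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts) is an assumption about the router's output.

```python
import re
from collections import defaultdict

# Constructed sample, not captured from a real router. Assumed columns:
# SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts (Pr and ports in hex)
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.23       Fa0/1         192.0.2.14      06 0C3A 01BD     2
Fa0/0         10.1.1.23       Fa0/1         192.0.2.15      06 0C3B 01BD     2
Fa0/0         10.1.1.23       Fa0/1         192.0.2.16      06 0C3C 01BD     2
Fa0/0         10.1.1.40       Fa0/1         198.51.100.7    06 0D11 0050    18
Fa0/0         10.1.1.23       Fa0/1         192.0.2.14      06 0C40 270C     5
Fa0/0         10.1.1.51       Fa0/1         198.51.100.9    11 0402 0035     1
"""

FLOW = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+\S+\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)$"
)

def parse_flows(text):
    """Return one dict per flow line, with protocol and ports converted to decimal."""
    flows = []
    for line in text.splitlines():
        m = FLOW.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            flows.append({
                "src": m["src"], "dst": m["dst"],
                "proto": int(m["pr"], 16),          # 0x06 -> 6 (TCP), 0x11 -> 17 (UDP)
                "sport": int(m["sp"], 16), "dport": int(m["dp"], 16),
                "pkts": int(m["pkts"]),
            })
    return flows

def ports_by_fanout(flows):
    """Rank (proto, dport) by the number of distinct destination hosts contacted."""
    dsts, srcs = defaultdict(set), defaultdict(set)
    for f in flows:
        key = (f["proto"], f["dport"])
        dsts[key].add(f["dst"])
        srcs[key].add(f["src"])
    ranked = sorted(dsts, key=lambda k: len(dsts[k]), reverse=True)
    return [(k[0], k[1], len(dsts[k]), sorted(srcs[k])) for k in ranked]

if __name__ == "__main__":
    for proto, dport, n_dst, sources in ports_by_fanout(parse_flows(SAMPLE)):
        print(f"proto={proto:<3} dport={dport:<5} distinct_dst={n_dst:<3} sources={','.join(sources)}")
```

A port that one inside source uses toward many distinct destinations with only a few packets per flow is the pattern to look for, and the decimal port tells you what to add to the access list.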
07-23-2004 08:59 PM
Sasser uses SMB shares to spread, and could be well guarded against only through a good security policy about bringing external laptops etc. onto the network, using a good antivirus at all levels (I would prefer TrendMicro, provided you really configure it well), and NIDS and HIDS. Any loophole in this could end up in infections.
A firewall, especially the PIX, plays a lesser role in blocking Sasser, as only the required ports on the PIX are open from outside to inside.
All the Best!
Wilson Samuel
07-24-2004 10:52 PM
Check the show conn output on the PIX and it will give you a list of connections going through it. You can then easily see which ports are being used.