W32.Blaster.Worm and high cpu utilization

An attack of blaster.worm from the LAN causes the router's CPU utilization to reach 70%-80%. Besides installing patches on the affected PCs, is there any other workaround on a Cisco router or switch to filter such viruses?

7 REPLIES
Re: W32.Blaster.Worm and high cpu utilization

Make an inbound access-list to block all ports used by the virus and then permit all other traffic. Then apply the access-list on all the interfaces. That will drop the packets before they are processed and will lower your CPU load.

Re: W32.Blaster.Worm and high cpu utilization

Block tcp/udp port 135 inbound, and also block udp port 69 (tftp) inbound and outbound. Once a port 135 connection has been established the worm opens up a remote shell on tcp port 4444 (this can be changed in the bug code, so it won't really do any good to block it), and uses it to download the actual worm via tftp (udp port 69).

Re: W32.Blaster.Worm and high cpu utilization

When the blaster virus executes, it does a DOS attack on windowsupdate.com on port 80. It continuously sends 40 byte packets at 20 ms intervals. This can cause a sudden increase in network traffic.

It also scans random IPs and looks for vulnerable systems on TCP port 135. It attempts to exploit the DCOM RPC routine vulnerability on the found systems, creates a remote shell on TCP port 4444 and then passes a TFTP command to download the worm to the Windows system directory and execute itself.

It also listens on random TCP ports (20 sequential ports). The range of ports it listens on is 2500 to 2520, 2501 to 2521 or 2502 to 2522. The purpose of this action is unknown.

So the ports you should be looking to block are:

TCP port 135

TCP port 4444

UDP port 69 (tftp)

TCP ports 2500 to 2522 (optional)

Also, to prevent the DOS attack on Windowsupdate.com, block all packets going to 204.79.188.12.

Hope that helps!
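The two replies above (the inbound access-list advice, and the port list with the windowsupdate.com address) together describe one Cisco IOS extended ACL. The configuration below is an added example, not something posted in this thread, that writes that ACL out in full; the interface name FastEthernet0/0 is an assumption, and the two host addresses are the ones quoted in this thread, not values verified independently.

```cisco
! Added example, not from the thread: extended ACL that drops the Blaster worm
! ports listed in the replies above. It is applied inbound on the LAN-facing
! interface so matching packets are discarded before the router spends CPU on them.
! FastEthernet0/0 is an assumed interface name; adjust to your platform.
ip access-list extended BLOCK-BLASTER
 remark -- worm propagation: RPC endpoint mapper (tcp/udp 135) and the remote shell it opens (tcp 4444)
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any eq 4444
 remark -- worm payload download via TFTP requests
 deny   udp any any eq 69
 remark -- optional: the 20-port listening range the worm opens
 deny   tcp any any range 2500 2522
 remark -- flood toward windowsupdate.com (addresses as quoted in this thread)
 deny   ip any host 204.79.188.11
 deny   ip any host 204.79.188.12
 remark -- an explicit permit is required: without it the implicit deny drops all traffic
 permit ip any any
!
interface FastEthernet0/0
 description LAN segment with the infected hosts (assumed interface)
 ip access-group BLOCK-BLASTER in
!
! Check that the entries are actually matching: the per-line hit counters
! in this output increase while infected hosts are scanning.
! show ip access-lists BLOCK-BLASTER
```

Applying the same list inbound on the WAN-facing interface as well gives the "in and outbound" coverage for TFTP that the second reply asks for. Keep in mind that the deny on port 135 also stops legitimate Windows RPC between subnets (domain logon, Exchange MAPI), so this is a containment measure while the PCs are patched rather than a permanent filter. Adding the `log` keyword to the port-135 line would reveal which source addresses are scanning, but logged entries are handled in software and raise CPU load, which is the very problem the original poster is trying to reduce; the match counters from `show ip access-lists` are the cheaper check.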

Re: W32.Blaster.Worm and high cpu utilization

This is what I resolve for the Windows Update sites:

www.windowsupdate.com = 207.46.249.61

v4.windowsupdate.microsoft.com (uses this address when you click "Windows Update" in Internet Explorer) = 65.54.249.254

windowsupdate.com = 204.79.188.11,12

Re: W32.Blaster.Worm and high cpu utilization

Thanks a lot for your help, guys!

Re: W32.Blaster.Worm and high cpu utilization

Can you tell me what it is about windowsupdate.com that I have to block out on my ACL? Is it to stop affected machines from sending a DOS attack to windowsupdate.com?

Re: W32.Blaster.Worm and high cpu utilization

Yes, the affected machines send packets at a 20 ms rate to windowsupdate.com, which could cause a sudden increase in network traffic.
