W32.Blaster.Worm and high cpu utilization

zhang-hao
Level 1

An attack of blaster.worm from the LAN causes the router's CPU utilization to reach 70%-80%. Besides installing patches on the affected PCs, is there any other workaround on a Cisco router or switch to filter such viruses?

7 Replies

r.sneekes
Level 1

Make an inbound access-list to block all ports used by the virus and then permit all other traffic. Then apply the access-list on all the interfaces. That will drop the packets before they are processed and will lower your CPU load.

forbesl
Level 1

Block TCP/UDP port 135 inbound, and also block UDP port 69 (TFTP) inbound and outbound. Once a port 135 connection has been established the worm opens up a remote shell on TCP port 4444 (this can be changed in the bug code, so it won't really do any good to block it), and uses it to download the actual worm via TFTP (UDP port 69).

thisisshanky
Level 11

When the Blaster virus executes, it does a DoS attack on windowsupdate.com on port 80. It continuously sends 40-byte packets at 20 ms intervals. This can cause a sudden increase in network traffic.

It also scans random IPs and looks for vulnerable systems on TCP port 135. It then attempts to exploit the DCOM RPC vulnerability on the systems it finds, creates a remote shell on TCP port 4444, and passes a TFTP command through it to download the worm into the Windows system directory and execute itself.

It also listens on random TCP ports (20 sequential ports). The range of ports it listens on 2500 to 2520, 2501 to 2521 or 2502 to 2522. The purpose of this action is unknown.

So the ports you should be looking to block are:

TCP port 135.

TCP port 4444

UDP port 69 for tftp.

TCP ports 2500 to 2522 (optional)

Also to prevent the DOS attack on Windowsupdate.com, block all packets going to 204.79.188.12.

Hope that helps!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
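The advice in the replies above (an inbound access-list that drops the worm's ports before the router spends CPU on them, applied on every interface) can be written as a single named extended ACL on IOS. This is an added example for this thread, not configuration posted by any of the participants; the port numbers and the two 204.79.188.x addresses are taken from the replies, while the interface name `FastEthernet0/0` and the ACL name `BLOCK-BLASTER` are assumptions for illustration and need to be replaced with your own.

```cisco
! Added example: named extended ACL built from the ports listed in this thread.
! The ACL name and the interface name are placeholders; substitute your own.
ip access-list extended BLOCK-BLASTER
 remark DCOM RPC port the worm scans and exploits (TCP and UDP 135)
 deny   tcp any any eq 135 log
 deny   udp any any eq 135
 remark Remote shell opened after a successful exploit (port may vary per variant)
 deny   tcp any any eq 4444
 remark TFTP request used to fetch the worm body (only the initial request hits 69)
 deny   udp any any eq 69
 remark Listener ports noted in the thread, purpose unknown (optional)
 deny   tcp any any range 2500 2522
 remark Addresses of windowsupdate.com given in the thread, DoS target
 deny   ip  any host 204.79.188.11
 deny   ip  any host 204.79.188.12
 remark Everything else passes as before
 permit ip any any
!
! Apply inbound on every interface, as suggested above, so the router drops
! the packets at ingress instead of routing and then processing them.
interface FastEthernet0/0
 description LAN segment with the affected PCs (placeholder name)
 ip access-group BLOCK-BLASTER in
!
```

Two points worth checking after applying it. First, `show access-lists BLOCK-BLASTER` shows a match counter per entry, so you can see which hosts' traffic is actually being dropped and confirm with `show processes cpu` that the load falls; an entry with zero hits after a few minutes is probably not needed. Second, the `log` keyword makes the router process-switch the matching packets in order to log them, which raises CPU on its own, so on a router already at 70%-80% keep logging to one entry (here TCP 135) or drop it entirely and rely on the counters instead.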

This is what I resolve for the Windows Update site:

www.windowsupdate.com = 207.46.249.61

v4.windowsupdate.microsoft.com (used when you click "Windows Update" in Internet Explorer) = 65.54.249.254

windowsupdate.com = 204.79.188.11,12

Thanks a lot for your help, guys!

Can you tell me what it is about windowsupdate.com that I have to block on my ACL? Is it to stop affected machines from sending a DoS attack to windowsupdate.com?

Yes, the affected machines send packets to windowsupdate.com at a 20 ms rate, which could cause a sudden increase in network traffic.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus