Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

W32/SQLSlammer worm

Have other people had success with the 1434 tcp/udp acl lists? I don't seem to be getting a comfortable block either with inbound or outbound and have tried applying to both main interface and subinterfaces. Though I am picking up the offending ip's in my logs, traffic is still way above average for a Sunday....

4 REPLIES

Re: W32/SQLSlammer worm

I know a few people who are blocking it fine that way and I'm blocking it here at home but my hits are no where what they are seeing.

How is your access-list defined and applied? Is it on your edge/internet routers? Perhaps some machines are infected in your network already and this is where the traffic is coming from you are seeing.

If you do 'show access-list' on the router you should hits on the deny 1434 statement.

URLs for reference on this worm:

http://www.cisco.com/warp/public/707/cisco-sa-20030126-ms02-061.shtml

http://www.cisco.com/warp/public/707/cisco-sn-20030125-worm.shtml

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp

Community Member

Re: W32/SQLSlammer worm

This is what seems to be working best, some interfaces are still passing more traffic than I would like to see. I have tried to apply "out" on wan links that seem to be more saturated than usual (possibly indicating site infection) but this only seems to make the router sluggish

interface Serial2/0/1

ip access-group ms-sql in

interface Vlan2

ip access-group ms-sql in

ip access-list extended ms-sql

deny tcp any any eq 1434 log

deny tcp any any eq 1433 log

deny udp any any eq 1433 log

deny udp any any eq 1434 log

permit ip any any

Re: W32/SQLSlammer worm

You may want to remove the log option if you're getting hit hard or change it to log-input.

Community Member

Re: W32/SQLSlammer worm

Thanks, I went to the VACL's on the 6000 switches and this helped on the problem children.

130
Views
0
Helpful
4
Replies
CreatePlease to create content