Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

ACL on 6509 native IOS

The 6509 is suffering the SQL Slammer Worm Attack , I want to use the ACL to block udp port 1434,

M-NS-6509-A#sh ip access-list 120

Extended IP access list 120

deny udp any any eq 1434 (2396970 matches)

permit ip any any (262219 matches)

interface FastEthernet3/17

description TongYiWangLuo(IW000217)

ip address

ip access-group 120 in

but i found it seems useless although i can find the matches in show ip access-list 120, because i can still find there are larger number of flows assoctiated with this attack by openning the netflow switching. and the input rate of the interface fa3/17 are still abnormal (very high, 40Mbit/s). what's the problem is?




Cisco Employee

Re: ACL on 6509 native IOS

It's possible some of your internal hosts are already infected, and are originating a lot of this traffic outbound. You only have this ACL applied to traffic coming in from the Internet, try applying it inbound on your inside interfaces and see if that stops your internal hosts as well.

New Member

Re: ACL on 6509 native IOS

The Fastethernt 3/17 is the port connected to the internal network and hosts. And the ACL applied to the port is used to block the the internal hosts.

Cisco Employee

Re: ACL on 6509 native IOS

Not sure on the flows, but the input rate will still be high unless you actually fix up the machines that are infected. Just applying the ACL on the interface to block it simply prevents the worm from spreading further, but those machines are still going to be sending out a lot of packets until you fix them up.

CreatePlease to create content