Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

SQL Slammer

Hi All

I would like to know whether or not the Cisco IDS can prevent SQL Slammer attack ?

By the way where can look up all Cisco IDS can detect "worm" ?

Thanks in advance


Re: SQL Slammer

Signature 4701 will detect the Slammer worm overflow attack. Preventing the worm is a little tricky to do. The attack is a single UDP packet. So, we cannot perform TCP resets. The only active thing we can do is modifying router/pix ACL's. This is not advisable due to the high number of alarms that the worm causes. You could kill your routers. Documentation for signature 4701 can be found at:

or in the NSDB distibuted with the signature update packages for your mgmt. platform.

New Member

Re: SQL Slammer

Sending TCP resets is indeed not possible in this situation, and actually it isn't the solution you want to prevent TCP-based attacks either since you're never sure if the TCP-reset arrived before or after the packets containing the attack. You really have to make a difference between detecting and preventing: for preventing you need to be in-line, for detecting you have to be everywhere in the network. Use an IDS to find the infected machines (or attacks) in your local network, but use an IPS (I've tested the product mdijken mentioned, it was a refreshing and effective solution) to halt attackers/worms before they enter your network.

New Member

Re: SQL Slammer

There are alternatives which take actions when things like SQL Slammer pass by:

CreatePlease to create content