BCP for ISP to block worms at PEs and NAS
John Kristoff
jtk at northwestern.edu
Sun Apr 17 19:04:06 UTC 2005
On Sun, 17 Apr 2005 13:28:21 +0200
Kim Onnel <karim.adel at gmail.com> wrote:
> I have the ACL below applied on many network devices to block the
> common worms ports,
Beware, you are guaranteed to be blocking other, legitimate things
too with some of these rules. More below.
> ip access-list extended worms
> deny tcp any any eq 5554
Whatever worm you're trying to mitigate above (sasser?), you will
also occasionally be taking out TCP sessions that happen to be
using that port. Most commonly where one side uses 5554 as its
ephemeral port.
> deny tcp any any range 135 139
> deny udp any any range 135 netbios-ss
> deny tcp any any eq 445
> deny udp any any eq 1026
As before, you are going to be removing some legitimate
traffic. With UDP ephemeral ports this may most likely be DNS and
NTP traffic.
Note, many people do what you do all the time to the detriment of
both real security and robustness in my opinion, but it's your net
and you can throw away random packets if you want to.
Perhaps set the rules to permit and log first, let it run for a while
and then see what you'll be missing.
John
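As an added example (not part of the original post, and not John's or Kim's code), here is one way to act on the "permit and log first" suggestion: run the quoted entries as `permit ... log` for the observation period and feed the resulting IOS `%SEC-6-IPACCESSLOGP` messages through a small classifier. A hit whose destination is one of the ACL's ports but whose source port is a well-known service (80, 443, 53, 123, ...) is almost certainly a reply to a client whose ephemeral port collided with the ACL, i.e. the legitimate traffic the deny would have killed. The service-port set and the log lines below are assumptions and constructed samples, not data from the original thread; the log message shape follows the IOS IPACCESSLOGP format.

```python
import re
from collections import Counter

# Destination ports the quoted "worms" ACL denies, with the ranges expanded.
# 135-139 covers "range 135 139" (TCP) and "range 135 netbios-ss" (UDP).
WORM_PORTS = {
    "tcp": {5554, 445} | set(range(135, 140)),
    "udp": {1026} | set(range(135, 140)),
}

# Assumed set of well-known service ports. A packet *from* one of these toward
# a "worm" port is most likely a server replying to a client whose ephemeral
# port happened to land on the ACL: the collateral damage John warns about.
SERVICE_PORTS = {
    "tcp": {22, 25, 80, 110, 143, 443, 993, 995},
    "udp": {53, 123},
}

# Matches the body of an IOS IPACCESSLOGP message, e.g.
# "list worms permitted tcp 198.51.100.23(3291) -> 203.0.113.10(445), 1 packet"
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?"
)


def classify(line):
    """Describe one ACL log hit, or return None when the line is not an
    ACL log message or its destination port is not one the worm ACL denies."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    proto = m["proto"]
    sport, dport = int(m["sport"]), int(m["dport"])
    if dport not in WORM_PORTS[proto]:
        return None
    # Reply from a known service to a "worm" port => ephemeral-port collision.
    kind = "collateral" if sport in SERVICE_PORTS[proto] else "suspect"
    return {
        "acl": m["acl"], "proto": proto, "src": m["src"], "sport": sport,
        "dst": m["dst"], "dport": dport, "pkts": int(m["pkts"]), "kind": kind,
    }


def summarize(lines):
    """Count log hits and packets per (kind, proto, dport) over a log sample."""
    hits, pkts = Counter(), Counter()
    for line in lines:
        h = classify(line)
        if h is not None:
            key = (h["kind"], h["proto"], h["dport"])
            hits[key] += 1
            pkts[key] += h["pkts"]
    return hits, pkts


# Constructed sample log (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = """
Apr 17 18:55:01.120: %SEC-6-IPACCESSLOGP: list worms permitted tcp 198.51.100.23(3291) -> 203.0.113.10(445), 1 packet
Apr 17 18:55:02.004: %SEC-6-IPACCESSLOGP: list worms permitted tcp 203.0.113.80(80) -> 198.51.100.41(5554), 1 packet
Apr 17 18:55:03.310: %SEC-6-IPACCESSLOGP: list worms permitted udp 203.0.113.53(53) -> 198.51.100.41(137), 1 packet
Apr 17 18:55:03.900: %SEC-6-IPACCESSLOGP: list worms permitted udp 203.0.113.123(123) -> 198.51.100.77(1026), 1 packet
Apr 17 18:55:04.500: %SEC-6-IPACCESSLOGP: list worms permitted tcp 198.51.100.9(1044) -> 203.0.113.12(135), 3 packets
Apr 17 18:55:05.000: %SEC-6-IPACCESSLOGP: list worms permitted udp 198.51.100.9(1027) -> 203.0.113.44(1026), 1 packet
""".strip().splitlines()

if __name__ == "__main__":
    hits, pkts = summarize(SAMPLE_LOG)
    for kind, proto, dport in sorted(hits):
        key = (kind, proto, dport)
        print(f"{kind:10s} {proto} dport {dport:5d}: {hits[key]} hits, {pkts[key]} packets")
```

The source-port test is a heuristic: it only flags replies from the services you list, so client-side collisions on other services still look "suspect" until you add their ports. Running this over a day or two of logs before turning `permit ... log` back into `deny` gives a concrete count of the DNS, NTP and web sessions the ACL would have silently dropped.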