Well, the ascend-users list is kinda dead and hasn't been archived anywhere in a while. But, if you are running TNTs, here is the filter information to block MSBlast and ICMP packets before they hit the Ethernet port.
-Kevin-

------------------------------------
Filter MS Blaster worm traffic

Solution ID: csas29040
Domain: csas
Solution Class: 3.X Compatibility
Incident Count: 9
Owner: gsantos [Greg Santos]
Type: How To
Status: Internal
Partition: Access
Author: gsantos [Greg Santos]
Date Created: 08/19/2003
Modified By: gsantos [Greg Santos]
Date Modified: 08/21/2003
Shared: Yes
Review Team (CSAS): None [No Value]

Title: Filter MS Blaster worm traffic

Goal: Filter MS Blaster worm traffic

Fact: CERT Advisory CA-2003-20 W32/Blaster worm

Fix: Make sure that this filter does not block any critical or necessary ports. This is based on the CERT advisory which should be read before applying this filter. See http://www.cert.org/advisories/CA-2003-20.html.

Users currently connected will not have the filter applied to their sessions. Only new connections will have the filter applied. If possible, it is best to reset the unit or the ingress card so users will be dropped and forced to reconnect.

This filter only filters traffic from clients that may already be infected, it does not protect clients from external (internet) based probes. If the egress is an Ethernet port, it may be necessary to apply the filter to the ether port. See the note at the end of this solution for details.

Input-filter 9 is not part of the CERT advisory, but has been seen to improve performance on networks suffering from the blaster worm. This filter blocks ICMP, which may not be a desired result. If ICMP traffic must be passed, simply change

set input-filters 9 valid-entry = no

Cut and paste the following to set up the filter.

new FILTER
set filter-name = msbclient
set input-filters 1 valid-entry = yes
set input-filters 1 Type = ip-filter
set input-filters 1 ip-filter protocol = 17
set input-filters 1 ip-filter Dst-Port-Cmp = eql
set input-filters 1 ip-filter dest-port = 69
;
set input-filters 2 valid-entry = yes
set input-filters 2 Type = ip-filter
set input-filters 2 ip-filter protocol = 6
set input-filters 2 ip-filter Dst-Port-Cmp = eql
set input-filters 2 ip-filter dest-port = 4444
;
set input-filters 3 valid-entry = yes
set input-filters 3 Type = ip-filter
set input-filters 3 ip-filter protocol = 17
set input-filters 3 ip-filter Dst-Port-Cmp = eql
set input-filters 3 ip-filter dest-port = 135
;
set input-filters 4 valid-entry = yes
set input-filters 4 Type = ip-filter
set input-filters 4 ip-filter protocol = 6
set input-filters 4 ip-filter Dst-Port-Cmp = eql
set input-filters 4 ip-filter dest-port = 135
;
set input-filters 5 valid-entry = yes
set input-filters 5 Type = ip-filter
set input-filters 5 ip-filter protocol = 6
set input-filters 5 ip-filter Dst-Port-Cmp = eql
set input-filters 5 ip-filter dest-port = 139
;
set input-filters 6 valid-entry = yes
set input-filters 6 Type = ip-filter
set input-filters 6 ip-filter protocol = 17
set input-filters 6 ip-filter Dst-Port-Cmp = eql
set input-filters 6 ip-filter dest-port = 139
;
set input-filters 7 valid-entry = yes
set input-filters 7 Type = ip-filter
set input-filters 7 ip-filter protocol = 6
set input-filters 7 ip-filter Dst-Port-Cmp = eql
set input-filters 7 ip-filter dest-port = 445
;
set input-filters 8 valid-entry = yes
set input-filters 8 Type = ip-filter
set input-filters 8 ip-filter protocol = 17
set input-filters 8 ip-filter Dst-Port-Cmp = eql
set input-filters 8 ip-filter dest-port = 445
;
set input-filters 9 valid-entry = yes
set input-filters 9 Type = ip-filter
set input-filters 9 ip-filter protocol = 1
;
set input-filters 10 valid-entry = yes
set input-filters 10 forward = yes
write -f
;
read answer-defaults
set use-answer-for-all-defaults = yes
set session-info data-filter = msbclient
wr -f

Note: This filter may also be applied to ethernet interfaces as well. Use the following script.

read ethernet {x x x}
set filter-name = msbclient
write -f

From CERT Advisory 2003-20

Filter network traffic

Sites are encouraged to block network access to the following relevant ports at network borders. This can minimize the potential of denial-of-service attacks originating from outside the perimeter. The specific services that should be blocked include

* 69/UDP
* 135/TCP
* 135/UDP
* 139/TCP
* 139/UDP
* 445/TCP
* 445/UDP
* 4444/TCP

-----Original Message-----
From: Dave Birkbeck [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 4:28 PM
To: 'Tony Bunce'; 'Sean Watkins (northrock)'; [EMAIL PROTECTED]
Subject: RE: (RADIATOR) MAx TNT & MSBlast

All,

In addition to having the ACL's that Cisco recommends. Has anyone come up with a Radius ascend-data-filter that will slow down the spread of these crazy viruses? Or better yet, a filter that will block ICMP.

Again, I know this is probably not the list for this discussion, but this topic is definitely for the greater good of the Internet. That being said does anyone know of a list that discusses various NAS topics?

Thanks,
Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Bunce
Sent: Friday, August 22, 2003 10:38 AM
To: Sean Watkins (northrock); [EMAIL PROTECTED]
Subject: RE: (RADIATOR) MAx TNT & MSBlast

This problem is actually caused by the "good" blaster worm Nachi.

Nachi pings a host before it tries to spread so it doesn't waste its time on non-existent hosts.

The problem is that each one of those pings generates an ARP request, and with such a high number of pings MAX TNT boxes can't handle the high number of ARP requests and lock up or reboot.

The ping has a specific signature, 92 bytes all AA as the content, that you can create a policy map for.

Cisco has an article on how to block Nachi ICMP traffic on your inbound router interface:
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

Hope that helps

Thanks,
Tony B, CCNA, Network+
Systems Administration
GO Concepts, Inc. / www.go-concepts.com
Are you on the GO yet?
What about those you know, are they on the GO?
513.934.2800
1.888.ON.GO.YET

-----Original Message-----
From: Sean Watkins (northrock) [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 11:41 AM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) MAx TNT & MSBlast

Hi,

I know this isn't the place, but any MAX TNT users out there seeing weird card failures beginning with the onslaught of MSBlast? I saw a news.com article about it... however I can't find any more info. Anyone know of any active ascend / lucent tnt mailing lists?

Sean

Article Text:

In addition, network administrators reported on a newsgroup that telecommunications equipment maker Lucent Technologies' TNT MAX network gateway crashed due to some interaction with traffic created by the MSBlast worms. A representative for the company confirmed that Lucent was investigating the issue, but couldn't supply details.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
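
Added example (not part of the original messages or of the Lucent solution): a simplified Python model of the msbclient filter that checks constructed IPv4 packets against entries 1-10 in order, which helps confirm what the filter will and will not pass before it is applied to sessions. It assumes first-match evaluation and that an entry without "forward = yes" drops what it matches; parse_ipv4, evaluate and build are hypothetical helper names.

```python
import struct

# msbclient entries 1-9 as (entry, IP protocol, dest port or None for any port).
# Assumption: an entry without "forward = yes" drops the packets it matches.
DROP_RULES = [
    (1, 17, 69), (2, 6, 4444), (3, 17, 135), (4, 6, 135), (5, 6, 139),
    (6, 17, 139), (7, 6, 445), (8, 17, 445), (9, 1, None),
]

def parse_ipv4(packet: bytes):
    """Return (protocol, dest_port or None) from a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    dport = None
    # Only the first fragment of a TCP/UDP packet carries the port fields.
    if proto in (6, 17) and frag_offset == 0 and len(packet) >= ihl + 4:
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, dport

def evaluate(packet: bytes, disabled=frozenset()):
    """First-match evaluation; returns (action, number of the matching entry)."""
    proto, dport = parse_ipv4(packet)
    for entry, r_proto, r_port in DROP_RULES:
        if entry in disabled:              # models "valid-entry = no"
            continue
        if proto == r_proto and (r_port is None or dport == r_port):
            return "drop", entry
    return "forward", 10                   # entry 10: forward = yes, matches all

def build(proto: int, dport: int = 0, payload: bytes = b"") -> bytes:
    """Constructed sample IPv4 packet (checksums left at zero, test data only)."""
    if proto == 1:
        l4 = bytes([8, 0, 0, 0, 0, 0, 0, 0]) + payload      # ICMP echo request
    else:
        l4 = struct.pack("!HH", 1025, dport) + bytes(4) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + l4

if __name__ == "__main__":
    ping = build(1, payload=b"\xaa" * 64)  # constructed echo filled with 0xAA
    for name, pkt in [("tcp/135", build(6, 135)), ("udp/69", build(17, 69)),
                      ("tcp/80", build(6, 80)), ("icmp echo", ping)]:
        print(name, evaluate(pkt), evaluate(pkt, disabled={9}))
```

With entry 9 disabled the ICMP sample falls through to entry 10 and is forwarded, which is the trade-off the solution text describes for sites that must pass ICMP.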
