People might want to try the following configuration for their Cisco routers.
AFAIK it requires IOS 12.1(5)T or later, but it should block most of it
routerside - tho this is unlikely to stop your bandwidth getting hammered -
unless you can get your upstream to do it...

--->
!
ip cef
!
! NBAR class: match HTTP requests whose URL contains .ida or .exe
class-map match-any code_red
 match protocol http url "*.ida*"
 match protocol http url "*.exe*"
!
!
! Mark every packet in that class with DSCP 1
policy-map tag_code_red
 class code_red
  set ip dscp 1
!
!
interface <int facing isp>
 service-policy input tag_code_red
!
interface <int facing your network>
 ip access-group 105 out
!
! Drop anything marked DSCP 1, permit everything else
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
<----

thanks

Andrew

> -----Original Message-----
> From: Brett Glass [mailto:brettat_private]
> Sent: 19 September 2001 18:14
> To: jforsterat_private
> Cc: incidentsat_private
> Subject: Re: nimda tries to send mail after reboot
>
>
> Messages bearing the worm are starting to trickle in, slowly. It
> may be that the worm is designed to start e-mailing only after the
> infection is a certain number of hours old.
>
> Sadly, the copies of the worm we're receiving are coming from
> companies whose employees we'd expect to know better than to
> leave machines unprotected -- such as V-One and SCO.
>
> I agree that it will be a very long week. None of our machines
> is susceptible to the worm, but our backbone feed is getting
> hammered. I wish we had a firewall under our control at our
> upstream provider.
>
> --Brett Glass
>
> At 11:08 AM 9/19/2001, jforsterat_private wrote:
>
> >I got a few copies of this worm (via e-mail) this afternoon.
> >Sadly, someone else in the office did as well (or hit an infected site).
> >It's going to be a long week....
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
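An added example, not part of the original message or of any Cisco tooling: the two URL globs from the class-map, run over a web server access log to list which requests the policy would mark DSCP 1 and drop, including legitimate .exe downloads that were actually served. It assumes the router's URL match behaves like a shell-style glob; whether it ignores case is not stated in the message, so that is a parameter. The log lines and addresses are constructed.

```python
import re
from fnmatch import fnmatchcase

# URL globs copied from the class-map in the message above.
CLASS_MAP_URLS = ["*.ida*", "*.exe*"]

# Request field of a Common Log Format line: "METHOD URL HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Sep/2001:10:01:02 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 205
192.0.2.11 - - [19/Sep/2001:10:01:05 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.12 - - [19/Sep/2001:10:01:09 -0700] "GET /index.html HTTP/1.0" 200 1043
192.0.2.13 - - [19/Sep/2001:10:02:14 -0700] "GET /downloads/setup.exe HTTP/1.0" 200 48211
192.0.2.14 - - [19/Sep/2001:10:02:30 -0700] "GET /scripts/ROOT.EXE?/c+dir HTTP/1.0" 404 210
"""

def matched_pattern(url, patterns=CLASS_MAP_URLS, ignore_case=False):
    """Return the first glob matching url, or None (match-any semantics)."""
    if ignore_case:
        url = url.lower()
    for pat in patterns:
        if fnmatchcase(url, pat.lower() if ignore_case else pat):
            return pat
    return None

def classify(log_text, ignore_case=False):
    """Return (client, url, status, pattern) for each parsable request line."""
    results = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        client = line.split()[0]
        status = int(line[m.end():].split()[0])
        hit = matched_pattern(m["url"], ignore_case=ignore_case)
        results.append((client, m["url"], status, hit))
    return results

def summarize(results):
    """Split out requests the policy would tag, and tagged ones served with 200."""
    tagged = [r for r in results if r[3]]
    served = [r for r in tagged if r[2] == 200]  # likely legitimate traffic
    return tagged, served

if __name__ == "__main__":
    tagged, served = summarize(classify(SAMPLE_LOG))
    for client, url, status, pat in tagged:
        note = "  <- served today, would be dropped" if status == 200 else ""
        print(f"{client} {url} matches {pat}{note}")
```

Tagged requests that the server answered with 200 are the ones to review before the ACL goes in, since the policy drops them along with the worm probes.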
This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 10:36:58 PDT