The router ACL solution really depends upon the size and design of your network. For example, I am currently employed at a VERY large network (read as one of the single largest in the US). When Code Red II hit us inside our perimeter we used router ACLs to block port 80 in its entirety in our Intranet (we have proxies for valid traffic). However, we could not implement any more additional ACLs, especially ACLs that did any type of packet inspection at a more detailed level. That would have been VERY detrimental to our network's health. We did try to do additional router ACLs and sure enough the entire router ground to a halt. With time and patience we managed to contain and eradicate. ACLs on 80 helped but were only a small subset of the solution. When you are in an environment as big as ours normal solutions usually won't cut the mustard :{

It is a very good solution but one that will not work in every environment (trust me, I wish it did).

--TCroc

----- Original Message -----
From: "Jose Nazario" <joseat_private>
To: "Gert-Jan Hagenaars" <blenderat_private>
Cc: <vuln-devat_private>
Sent: Friday, September 07, 2001 2:47 PM
Subject: Re: a real way to stop an http based worm

> On Fri, 7 Sep 2001, Gert-Jan Hagenaars wrote:
>
> > Can this be done on the web-proxy boxes that the ISPs have on their
> > networks? I.e. dunk anything that looks for "/default.ida?blah"?
>
> yep. reverse proxies can be configured to do this. and cisco ACLs can
> already reset/block such connections i believe.
>
> in short a good idea, and one that can already be implemented.
>
> ____________________________
> jose nazario joseat_private
> PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> PGP key ID 0xFD37F4E5 (pgp.mit.edu)
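The thread's proposal is to have proxies (or ACLs) key on requests for "/default.ida?". As an added example, not part of the original messages, the script below applies that same match to web-server or proxy access logs so the hosts generating the probes can be identified for alerting or blocking. The log lines and IP addresses are constructed for illustration.

```python
"""Find Code Red style probes (requests for /default.ida?) in access logs.

Sample log lines at the bottom are constructed, not real traffic.
"""
import re
from collections import Counter

# Common/combined log format: client IP, then the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3}')

# The worm sends GET /default.ida? followed by a long run of filler
# ("NNNN" for the first Code Red, "XXXX" for Code Red II) and %u-encoded
# payload. Keying on the path plus the "?" catches both variants while
# leaving a bare /default.ida request (no query string) unmatched.
PROBE_RE = re.compile(r'^(?:GET|HEAD) /default\.ida\?', re.IGNORECASE)


def is_probe(request_line):
    """True if the HTTP request line looks like a /default.ida? probe."""
    return PROBE_RE.search(request_line) is not None


def scan_log(lines):
    """Return (list of (ip, request) hits, Counter of hits per source IP)."""
    hits, per_source = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash
        if is_probe(m.group("req")):
            hits.append((m.group("ip"), m.group("req")))
            per_source[m.group("ip")] += 1
    return hits, per_source


# Constructed sample: 10.0.0.5 plays the role of an infected host.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Sep/2001:14:47:01 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 287',
    '10.0.0.9 - - [07/Sep/2001:14:47:02 -0700] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.5 - - [07/Sep/2001:14:47:03 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 287',
    '10.0.0.7 - - [07/Sep/2001:14:47:04 -0700] "GET /default.ida HTTP/1.0" 404 287',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG)
    for ip, req in found:
        print(f"probe from {ip}: {req}")
    print("probes per source:", dict(counts))
```

The per-source counts are what a proxy operator would feed into a block list; the match itself is the same string the thread proposes to drop.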
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 17:32:32 PDT