Hamid-
As great as the desire is to just block access to a port, or oversee all
traffic, sometimes it's just not reasonable to do so. I'm assuming that
you are with an ISP from your reference to customers. Since you really
can't just block 80, as has been suggested, might I suggest a different
approach.

Use of a competent Intrusion Detection System will easily show you the
IP addresses of infected systems. If you take any addresses that are
sending out attacks that belong to your customers and then inform the
customer that they are infected, you could at least let them know that
they need to fix the problem. If they don't, you have the option of
turning off their connection, but that is entirely up to you and what
you can do as a business.

As far as Intrusion Detection Systems, you don't need to spend a lot of
money to set one up. There are some great Linux/Windows-based systems
out there that are freeware.

Andras 


-----Original Message-----
From: Hamid [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 15, 2001 2:37 AM
To: [EMAIL PROTECTED]
Subject: Re: CODE RED protection ! ! ! [7:15989]


Hi

The problem is that I do have web servers on my network, blocking port 80
would stop these web servers.

Hamid
 wrote in message
news:[EMAIL PROTECTED]...
> my company just got hit by code red last week. the only logical thing to
> deploy on your routers is to block all access to port 80 in and out of all
> the interfaces by ACL.
>
> Unless you have the luxury of running IOS 12.1 and above on all your
> routers, you will not be able to use NBAR. Deployed the ACLs onto all
> interfaces to control all port 80 traffic.
>
> Use "ip route-cache flow" and "show ip cache flow" on your interfaces to
> detect the IP addresses that are propagating http traffic to port 80. You
> will have to look out for port 0050 under destination port when you perform
> a "show ip cache flow".
>
> Cheers.
>
> ----- Original Message -----
> From:  "Dennis Bailey"
> To:  [EMAIL PROTECTED]
> Sent: Tue, 14 Aug 2001 15:34:19 -0400
> Subject:  Re: CODE RED protection ! ! ! [7:15989]
>
> Depending upon the router platform you can use NBAR.
>
> I am just really depressed right now because there are costumers getting
> involved in our business.  I knew I wasn't the only one who liked to get
> dressed up but now think of the pressure that there will be with
> professionals out there......
>
>
> "Hamid" wrote in message
> news:[EMAIL PROTECTED]...
> > Hi group
> >
> > I have some costumers whom I believe are infected with CODE RED. Any ideas
> > how I can deny any traffic related to CODE RED on my router?
> >
> > Thanks
> >
> > Hamid
> --
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16159&t=15989
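
The flow-cache check described in the quoted message, as an added example that is not part of the original thread: it parses saved "show ip cache flow" output, keeps TCP flows whose destination port is hex 0050 (port 80), and reports customer addresses that contacted many different hosts. The sample lines, the customer networks and the `min_targets` threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of "show ip cache flow" records (not taken from the thread).
# Pr, SrcP and DstP are printed in hex: Pr 06 is TCP, DstP 0050 is port 80.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         10.1.1.5        Se0/0         192.0.2.17      06 0C1A 0050     3
Et0/0         10.1.1.5        Se0/0         198.51.100.9    06 0C1B 0050     3
Et0/0         10.1.1.5        Se0/0         203.0.113.44    06 0C1C 0050     3
Et0/0         10.1.1.5        Se0/0         192.0.2.201     06 0C1D 0050     3
Et0/1         10.1.2.20       Se0/0         192.0.2.80      06 0D00 0050    41
Et0/1         10.1.2.20       Se0/0         192.0.2.80      06 0D01 0050    57
Et0/1         10.1.2.30       Se0/0         192.0.2.53      11 0401 0035     1
Se0/0         198.51.100.7    Et0/2         10.1.3.10       06 1F40 0050    12
"""

FLOW = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dstif>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)

def http_fanout(text, customer_nets, min_targets=4):
    """Return {customer source IP: sorted distinct destinations} for sources with
    TCP/80 flows to at least min_targets different addresses (assumed threshold)."""
    nets = [ipaddress.ip_network(n) for n in customer_nets]
    targets = defaultdict(set)
    for line in text.splitlines():
        m = FLOW.match(line)
        if not m:
            continue  # header, summary or blank line
        if int(m["pr"], 16) != 6 or int(m["dport"], 16) != 80:
            continue  # keep only TCP flows to destination port 0050
        src = ipaddress.ip_address(m["src"])
        if any(src in n for n in nets):  # skip inbound hits on hosted web servers
            targets[m["src"]].add(m["dst"])
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, dsts in http_fanout(SAMPLE, ["10.1.1.0/24", "10.1.2.0/24"]).items():
        print(f"{src}: {len(dsts)} distinct port-80 destinations")
```

A customer host browsing one site shows repeated flows to a single address, so counting distinct destinations rather than flows keeps it off the list.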