nanog mailing list archives

Re: BCP for ISP to block worms at PEs and NAS


From: John Kristoff <jtk () northwestern edu>
Date: Sun, 17 Apr 2005 14:04:06 -0500


On Sun, 17 Apr 2005 13:28:21 +0200
Kim Onnel <karim.adel () gmail com> wrote:

> I have the ACL below applied on many network devices to block the
> common worms ports,

Beware, you are guaranteed to be blocking other, legitimate things
too with some of these rules.  More below.

> ip access-list extended worms
>  deny   tcp any any eq 5554

Whatever worm you're trying to mitigate above (sasser?), you will
also occasionally be taking out TCP sessions that happen to be
using that port.  Most commonly where one side uses 5554 as its
ephemeral port.

>  deny   tcp any any range 135 139
>  deny   udp any any range 135 netbios-ss
>  deny   tcp any any eq 445
>  deny   udp any any eq 1026

Similar as before, you are going to be removing some legitimate
traffic.  With UDP ephemeral ports this may most likely be DNS and
NTP traffic.

Note, many people do what you do all the time to the detriment of
both real security and robustness in my opinion, but it's your net
and you can throw away random packets if you want to.

Perhaps set the rules to permit and log first, let it run for a while
and then see what you'll be missing.

John
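To act on the permit-and-log suggestion, here is an added example (not John's or the list's code) that sums the logged ACL hits into likely collateral replies versus unexplained traffic. It assumes a simplified IOS-style "%SEC-6-IPACCESSLOGP" line shape, a constructed sample log, and an assumed list of service ports whose replies commonly land on client ephemeral ports.

```python
import re
from collections import Counter

# Destination ports the thread's "worms" ACL matches (netbios-ss = 139).
WORM_PORTS = {"tcp": {445, 5554} | set(range(135, 140)),
              "udp": {1026} | set(range(135, 140))}
# A packet *from* a well-known service *to* a matched port is most likely a
# reply to a client whose ephemeral port happened to fall in the ACL.
SERVICE_PORTS = {53: "dns", 123: "ntp", 80: "http", 443: "https"}

# Assumed log shape, modelled on IOS "%SEC-6-IPACCESSLOGP" messages.
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?")

def classify(line):
    """Return (category, packets) for one ACL log line, None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, sport, dport = m["proto"], int(m["sport"]), int(m["dport"])
    pkts = int(m["pkts"])
    if dport not in WORM_PORTS[proto]:
        return ("other", pkts)
    if sport in SERVICE_PORTS:           # e.g. 80 -> 5554, 53 -> 1026, 123 -> 1026
        return ("likely-collateral", pkts)
    return ("unexplained", pkts)         # scan/worm traffic, or something to investigate

def triage(lines):
    """Sum packets per category to size the collateral damage before the
    entries are flipped from permit+log back to deny."""
    totals = Counter()
    for line in lines:
        result = classify(line)
        if result is not None:
            totals[result[0]] += result[1]
    return totals

# Constructed sample log; not from the thread or any real router.
SAMPLE_LOG = [
    "%SEC-6-IPACCESSLOGP: list worms permitted tcp 203.0.113.7(80) -> 192.0.2.10(5554), 4 packets",
    "%SEC-6-IPACCESSLOGP: list worms permitted udp 198.51.100.5(53) -> 192.0.2.11(1026), 1 packet",
    "%SEC-6-IPACCESSLOGP: list worms permitted udp 198.51.100.9(123) -> 192.0.2.11(1026), 1 packet",
    "%SEC-6-IPACCESSLOGP: list worms permitted tcp 192.0.2.99(3124) -> 192.0.2.12(445), 1 packet",
    "%SEC-6-IPACCESSLOGP: list worms permitted tcp 192.0.2.99(3125) -> 192.0.2.13(445), 1 packet",
    "%SEC-6-IPACCESSLOGP: list worms permitted udp 192.0.2.99(1025) -> 192.0.2.14(1026), 2 packets",
    "%SYS-5-CONFIG_I: Configured from console by admin",
]
```

Running `triage(SAMPLE_LOG)` on the constructed log gives 6 packets of likely collateral replies against 4 unexplained, which is the ratio to weigh before turning the entries back into denies.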

