(RADIATOR) MAx TNT & MSBlast

Kevin McKee kevin at nw-tel.com
Tue Aug 26 18:16:24 CDT 2003


Well, the ascend-users list is kinda dead and hasn't been archived anywhere in a while.  But, if you are running TNTs, here is the filter information to block MSBlast and ICMP packets before they hit the Ethernet port.

-Kevin- 
------------------------------------
Filter MS Blaster worm traffic 

Solution ID: csas29040
Domain: csas
Solution Class: 3.X Compatibility
Incident Count: 9
Owner: gsantos [Greg Santos]
Type: How To
Status: Internal
Partition: Access
Author: gsantos [Greg Santos]
Date Created: 08/19/2003
Modified By: gsantos [Greg Santos]
Date Modified: 08/21/2003
Shared: Yes
Review Team (CSAS): None [No Value]
Title: Filter MS Blaster worm traffic

Goal: Filter MS Blaster worm traffic
Fact: CERT Advisory CA-2003-20 W32/Blaster worm
Fix: Make sure that this filter does not block any critical or necessary ports. This is based on the CERT advisory, which should be read before applying this filter. See http://www.cert.org/advisories/CA-2003-20.html.

Users currently connected will not have the filter applied to their sessions. Only new connections will have the filter applied. If possible, it is best to reset the unit or the ingress card so users will be dropped and forced to reconnect.

This filter only filters traffic from clients that may already be infected; it does not protect clients from external (internet) based probes. If the egress is an Ethernet port, it may be necessary to apply the filter to the ether port. See the note at the end of this solution for details.

Input-filter 9 is not part of the CERT advisory, but has been seen to improve performance on networks suffering from the blaster worm. This filter blocks ICMP, which may not be a desired result. If ICMP traffic must be passed, simply change entry 9 to "set input-filters 9 valid-entry = no".

Cut and paste the following to set up the filter.


new FILTER
set filter-name = msbclient
set input-filters 1 valid-entry = yes
set input-filters 1 Type = ip-filter
set input-filters 1 ip-filter protocol = 17
set input-filters 1 ip-filter Dst-Port-Cmp = eql
set input-filters 1 ip-filter dest-port = 69
;
set input-filters 2 valid-entry = yes
set input-filters 2 Type = ip-filter
set input-filters 2 ip-filter protocol = 6
set input-filters 2 ip-filter Dst-Port-Cmp = eql
set input-filters 2 ip-filter dest-port = 4444
;
set input-filters 3 valid-entry = yes
set input-filters 3 Type = ip-filter
set input-filters 3 ip-filter protocol = 17
set input-filters 3 ip-filter Dst-Port-Cmp = eql
set input-filters 3 ip-filter dest-port = 135
;
set input-filters 4 valid-entry = yes
set input-filters 4 Type = ip-filter
set input-filters 4 ip-filter protocol = 6
set input-filters 4 ip-filter Dst-Port-Cmp = eql
set input-filters 4 ip-filter dest-port = 135
;
set input-filters 5 valid-entry = yes
set input-filters 5 Type = ip-filter
set input-filters 5 ip-filter protocol = 6
set input-filters 5 ip-filter Dst-Port-Cmp = eql
set input-filters 5 ip-filter dest-port = 139
;
set input-filters 6 valid-entry = yes
set input-filters 6 Type = ip-filter
set input-filters 6 ip-filter protocol = 17
set input-filters 6 ip-filter Dst-Port-Cmp = eql
set input-filters 6 ip-filter dest-port = 139
;
set input-filters 7 valid-entry = yes
set input-filters 7 Type = ip-filter
set input-filters 7 ip-filter protocol = 6
set input-filters 7 ip-filter Dst-Port-Cmp = eql
set input-filters 7 ip-filter dest-port = 445
;
set input-filters 8 valid-entry = yes
set input-filters 8 Type = ip-filter
set input-filters 8 ip-filter protocol = 17
set input-filters 8 ip-filter Dst-Port-Cmp = eql
set input-filters 8 ip-filter dest-port = 445
;
set input-filters 9 valid-entry = yes
set input-filters 9 Type = ip-filter
set input-filters 9 ip-filter protocol = 1
;
set input-filters 10 valid-entry = yes
set input-filters 10 forward = yes
write -f
;
read answer-defaults
set use-answer-for-all-defaults = yes
set session-info data-filter = msbclient
wr -f
 

Note: This filter may also be applied to ethernet interfaces. Use the following script.

read ethernet {x x x}
set filter-name = msbclient
write -f
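To sanity-check what the pasted filter will pass or drop before applying it, here is an added Python model of the entry list (example code written for this post, not Lucent/Ascend's or the list's). It assumes TNT data filters evaluate entries in order with the first match deciding, that "forward" defaults to no, that an entry with no protocol field matches every packet, and that a packet matching no entry is dropped; it parses a constructed excerpt of the script above.

```python
import re
# Constructed excerpt of the pasted 'msbclient' script (entries 1, 2, 9 and 10).
SCRIPT = """\
set input-filters 1 valid-entry = yes
set input-filters 1 ip-filter protocol = 17
set input-filters 1 ip-filter Dst-Port-Cmp = eql
set input-filters 1 ip-filter dest-port = 69
set input-filters 2 valid-entry = yes
set input-filters 2 ip-filter protocol = 6
set input-filters 2 ip-filter Dst-Port-Cmp = eql
set input-filters 2 ip-filter dest-port = 4444
set input-filters 9 valid-entry = yes
set input-filters 9 ip-filter protocol = 1
set input-filters 10 valid-entry = yes
set input-filters 10 forward = yes
"""
LINE = re.compile(r"^set input-filters (\d+) (.+?) = (\S+)$")
def parse_filter(script):
    """Group 'set input-filters N key = value' lines into numbered entries."""
    entries = {}
    for raw in script.splitlines():
        m = LINE.match(raw.strip())
        if m:
            num, key, val = int(m.group(1)), m.group(2).lower(), m.group(3).lower()
            entries.setdefault(num, {})[key] = val
    return [entries[n] for n in sorted(entries)]

def matches(entry, proto, dport):
    """No protocol field means any packet; the port test applies only with Dst-Port-Cmp = eql."""
    want_proto = int(entry.get("ip-filter protocol", 0))
    if want_proto and want_proto != proto:
        return False
    if entry.get("ip-filter dst-port-cmp") == "eql":
        return int(entry["ip-filter dest-port"]) == dport
    return True

def forwarded(entries, proto, dport):
    """First valid matching entry decides; 'forward' defaults to no; no match drops (assumed)."""
    for e in entries:
        if e.get("valid-entry") == "yes" and matches(e, proto, dport):
            return e.get("forward", "no") == "yes"
    return False

if __name__ == "__main__":
    f = parse_filter(SCRIPT)
    print(forwarded(f, 6, 4444))  # Blaster's TCP 4444 shell: dropped by entry 2
    print(forwarded(f, 1, 0))     # ICMP: dropped by entry 9
    print(forwarded(f, 6, 80))    # HTTP: passes via the catch-all entry 10
    f9 = parse_filter(SCRIPT.replace("9 valid-entry = yes", "9 valid-entry = no"))
    print(forwarded(f9, 1, 0))    # entry 9 disabled as the note suggests: ICMP passes
```

The parser ignores the "new FILTER", ";" and "write -f" lines, so the full ten-entry script from the post can be pasted into SCRIPT unchanged to check the other ports.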


