[unisog] Are cisco router VLAN ACL's stateful like a PIX?

James Riden j.riden at massey.ac.nz
Tue Feb 1 23:03:13 GMT 2005


Michael Holstein <michael.holstein at csuohio.edu> writes:

>> Blocking ICMP between VLANs has stopped RPC viruses, that's a pretty
>> neat trick.  You must have your voodoo filters turned up to 'more magic'.
>
> Nope .. earlier versions of (was it Blaster or Nachi .. I forget?)
> would ping-sweep a network so as not to "waste" tcp packets on dead
> hosts (because NT has a limit on the number of 'half-open' tcp
> sockets). This in turn generated massive amounts of ICMP which many of
> us reflexively blocked -- and never found good cause to reactivate.

Nachi used fast ping sweeps; I think that Blaster only sent TCP SYNs.

Anyway, the original Nachi deactivated as of 1/1/2004, and the current
problem viruses such as Sasser and Korgo, and manually initiated
PhatBot/RxBot scans, do not use ping sweeps of any kind.

-- 
James Riden / j.riden at massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
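As an added example (not from the original post, and not any vendor's code), a small detector for the sweep behaviour discussed in this thread: it reads IOS-style access-list log lines (the line format is approximated and the leading numeric timestamp is a constructed convention) and flags a source that touches many distinct hosts within a short window, whether by ICMP echo requests (Nachi-style) or by TCP SYNs to one port (Blaster/Sasser-style), which an inter-VLAN ICMP block alone never sees.

```python
import re
from collections import defaultdict

# IOS-style access-list log lines, prefixed here with an integer timestamp
# in seconds. Format approximated for this example; assumption, not a capture.
ICMP_RE = re.compile(r"^(\d+) .*? (?:permitted|denied) icmp (\S+) -> (\S+) \((\d+)/\d+\)")
TCP_RE = re.compile(r"^(\d+) .*? (?:permitted|denied) tcp (\S+)\(\d+\) -> (\S+)\((\d+)\)")

def classify(line):
    """Return (timestamp, src, kind, dst) for a sweep-relevant line, else None."""
    m = ICMP_RE.match(line)
    if m and m.group(4) == "8":                  # ICMP type 8 = echo request
        return int(m.group(1)), m.group(2), "icmp-echo", m.group(3)
    m = TCP_RE.match(line)
    if m:                                        # TCP hit = SYN towards a new host/port
        return int(m.group(1)), m.group(2), "tcp/" + m.group(4), m.group(3)
    return None

def detect_sweeps(lines, window=10, min_hosts=8):
    """Map (src, kind) -> max distinct hosts reached inside one window bucket."""
    buckets = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ts, src, kind, dst = hit
        buckets[(src, kind, ts // window)].add(dst)
    hits = {}
    for (src, kind, _), dsts in buckets.items():
        if len(dsts) >= min_hosts:
            hits[(src, kind)] = max(hits.get((src, kind), 0), len(dsts))
    return hits

# Constructed sample traffic (not a real capture):
#  - 10.1.1.5 echo-requests 12 hosts in 3 s (Nachi-style fast ping sweep)
#  - 10.1.1.9 sends SYNs to tcp/445 on 10 hosts (Sasser-style, no ICMP at all)
#  - 10.1.1.7 pings two hosts (ordinary use, must not be flagged)
SAMPLE = (
    [f"{t // 4} %SEC-6-IPACCESSLOGDP: list 110 denied icmp 10.1.1.5 -> 10.1.2.{t + 1} (8/0), 1 packet"
     for t in range(12)]
    + [f"{t} %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.1.9(1{t:03d}) -> 10.1.3.{t + 1}(445), 1 packet"
       for t in range(10)]
    + ["2 %SEC-6-IPACCESSLOGDP: list 110 permitted icmp 10.1.1.7 -> 10.1.2.50 (8/0), 1 packet",
       "3 %SEC-6-IPACCESSLOGDP: list 110 permitted icmp 10.1.1.7 -> 10.1.2.51 (8/0), 1 packet"]
)

if __name__ == "__main__":
    for (src, kind), n in sorted(detect_sweeps(SAMPLE).items()):
        print(f"{src} swept {n} hosts via {kind}")
```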
