[unisog] Are cisco router VLAN ACL's stateful like a PIX?
j.riden at massey.ac.nz
Tue Feb 1 23:03:13 GMT 2005
Michael Holstein <michael.holstein at csuohio.edu> writes:
>> Blocking ICMP between VLANs has stopped RPC viruses, that's a pretty
>> neat trick. You must have your voodoo filters turned up to 'more magic'.
> Nope .. earlier versions of (was it Blaster or Nachi .. I forget?)
> would ping-sweep a network so as not to "waste" tcp packets on dead
> hosts (because NT has a limit on the number of 'half-open' tcp
> sockets). This in turn generated massive amounts of ICMP which many of
> us reflexively blocked -- and never found good cause to reactivate.
Nachi used fast ping sweeps; I think that Blaster only sent TCP SYNs.
Anyway the original Nachi deactivated as of 1/1/2004 and the current
problem viruses such as Sasser and Korgo, and manually initiated
PhatBot/RxBot scans do not use ping sweeps of any kind.
James Riden / j.riden at massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
More information about the unisog