Hello All,

I am basically asking for your comments on a little tutorial I have written
on how to block (or at least slow down) the MyDoom virus using a Cisco
router.

On my website front page http://www.jlsnet.co.uk/ (or see below) I have
written what I think are a few possibilities on how to block three aspects
of the virus, namely blocking ports 3127 - 3198, blocking Kazaa on ports
udp/tcp 1214, and blocking unauthorised SMTP servers.

I would greatly appreciate your comments on this tutorial, whether you think
that I am on the right track with this, or if you have any other comments
or tips to help block MyDoom.

I am still really a Cisco beginner and have started this site to help the
average beginner Cisco home network user like me, as at times the Cisco site
can get a bit overwhelming.

Thank you for your help,

Jim

Copy from my website...
=================================

For all those looking for a way in which to block the W32/MyDoom (and
cousins) virus which is spreading fast across the internet, as far as I know
there is not really any way in which you can use a Cisco router to block the
actual virus transported within emails, in the same way that there was no
easy way to block the W32/Swen virus a few months ago. But you can block
some of its actions. Looking at the F-Secure virus description:

"Mydoom is a worm that spreads over email and Kazaa p2p network."

and

"This file will sequentially open TCP ports from 3127 to 3198, listening on
them for incoming connections. One of the possibilities this backdoor offers
is to receive an additional executable and run it on the already infected
machine."

So, blocking Kazaa, which uses port 1214, and blocking ports 3127 - 3198 may
be one idea. Remember that a Cisco IOS access list is checked from the top
down and the first matching line decides, so every deny line below has to
sit above the final "permit ip any any":

# Block Kazaa File Sharing
access-list 101 deny tcp any any eq 1214
access-list 101 deny udp any any eq 1214
# Block MyDoom Backdoor Ports
access-list 101 deny tcp any any range 3127 3198

# Allow all other traffic
access-list 101 permit ip any any

The config above will block all traffic, to and from any IP address
(0.0.0.0 255.255.255.255), using the specific ports used by MyDoom. Since one
other way that MyDoom propagates itself is via mass emailing, one other thing
you could do is block all unauthorised traffic to unknown SMTP (Simple Mail
Transfer Protocol) servers, allowing mail to be sent only through a handful
of known servers. The permit line for the authorised server must come
before the deny line (otherwise the deny matches first and the authorised
server is blocked too), and both must be placed above the "permit ip any
any" line in the list:

# Allow Authorised SMTP Server Only (first match wins, so this goes first)
access-list 101 permit tcp x.x.x.x x.x.x.x x.x.x.x x.x.x.x eq 25
# Block Unauthorised SMTP
access-list 101 deny tcp any any eq 25

Where the first x.x.x.x pair is the network address and wildcard mask of
your own network (the source), and the second pair is the address and
wildcard mask of the authorised SMTP server (the destination). A wildcard
mask is the inverse of a subnet mask: 0.0.0.255 covers a /24 network and
0.0.0.0 matches a single host.

Now apply this to your external interface:

interface Ethernet0/1
ip access-group 101 out
ip access-group 101 in

You may also want to add "log" to the end of the access-list statements
above, so you can see whether or not the virus is active and attempting to
use these ports. Be aware that the ports 3127 - 3198 may be used for
legitimate traffic, in which case this solution would cause problems.

Please note: I do not claim to be an expert and this is by no means THE
solution to blocking the virus, it is only a quick workaround to part of the
problem. The best way to block such email viruses would be to block them at
their source, i.e. the email servers.
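The ordering point above (first match wins, implicit deny at the end) is easy to get wrong and hard to see by reading a list. The following Python script is an added example, not part of the tutorial or of Cisco's software: it parses the subset of the IOS numbered extended ACL syntax used in the tutorial ("any", "host A.B.C.D", "address wildcard", "eq", "range", "log"), evaluates a packet against the list the way IOS does, and shows that putting the SMTP deny before the permit blocks mail to the authorised server, while the corrected order lets it through. The network 192.0.2.0/24 and the mail server 198.51.100.25 are constructed documentation addresses, not values from the post.

```python
"""First-match evaluator for a subset of Cisco IOS extended ACL syntax.

Added example (not from the original post). Addresses are constructed
RFC 5737 documentation ranges chosen for illustration only.
"""
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")


def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    # IOS uses a wildcard mask (inverse of a subnet mask): 0 bits must match.
    wildcard = int(IPv4Address(tokens.pop(0)))
    netmask = str(IPv4Address((~wildcard) & 0xFFFFFFFF))
    return IPv4Network((tok, netmask), strict=False)


def parse_acl(text):
    """Parse 'access-list N permit|deny proto src dst [eq P | range A B] [log]'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # tutorial-style annotations / IOS comments
        tokens = line.split()
        if tokens[0] != "access-list":
            raise ValueError("unsupported line: " + line)
        action, proto = tokens[2], tokens[3]
        rest = tokens[4:]
        src = _addr(rest)
        dst = _addr(rest)
        ports = None  # None means any destination port
        if rest and rest[0] == "eq":
            ports = (int(rest[1]), int(rest[1]))
            rest = rest[2:]
        elif rest and rest[0] == "range":
            ports = (int(rest[1]), int(rest[2]))
            rest = rest[3:]
        entries.append((action, proto, src, dst, ports, "log" in rest))
    return entries


def evaluate(entries, proto, src, dst, dport):
    """Return 'permit' or 'deny' for one packet; first matching line wins."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for action, eproto, esrc, edst, ports, _log in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if src not in esrc or dst not in edst:
            continue
        if ports is not None and not (ports[0] <= dport <= ports[1]):
            continue
        return action
    return "deny"  # every IOS ACL ends with an implicit deny


# SMTP deny placed before the permit: the permit can never match.
ORIGINAL_ORDER = """
access-list 101 deny tcp any any eq 1214
access-list 101 deny udp any any eq 1214
access-list 101 deny tcp any any range 3127 3198
access-list 101 deny tcp any any eq 25
access-list 101 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.25 eq 25
access-list 101 permit ip any any
"""

# Permit for the authorised server moved above the deny.
CORRECTED_ORDER = """
access-list 101 deny tcp any any eq 1214
access-list 101 deny udp any any eq 1214
access-list 101 deny tcp any any range 3127 3198
access-list 101 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.25 eq 25
access-list 101 deny tcp any any eq 25
access-list 101 permit ip any any
"""


def mail_decision(acl_text, server="198.51.100.25"):
    """Decision for an inside host (192.0.2.10) sending SMTP to `server`."""
    return evaluate(parse_acl(acl_text), "tcp", "192.0.2.10", server, 25)


if __name__ == "__main__":
    print("mail to authorised server, original order :", mail_decision(ORIGINAL_ORDER))
    print("mail to authorised server, corrected order:", mail_decision(CORRECTED_ORDER))
    print("mail to some other server, corrected order:", mail_decision(CORRECTED_ORDER, "203.0.113.7"))
    acl = parse_acl(CORRECTED_ORDER)
    for proto, port in (("tcp", 3150), ("tcp", 3126), ("udp", 1214), ("udp", 1215)):
        print(f"{proto}/{port}:", evaluate(acl, proto, "192.0.2.10", "203.0.113.7", port))
```

Run it as a script to see the two decisions side by side; the same evaluator can be pointed at any list in this syntax to check an ordering before it goes on the router.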