
Can we stop WannaCry from being spread across network?

Ondrej_Lepa
Extreme Employee
The WannaCry ransomware worm gets through SMB and other protocols.
There is a possible way to block these commands using an ACL rule as follows:

ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
 permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
 deny tcp any eq 445 any eq 445 rule-precedence 17 rule-description "deny SMB Traffic"
 deny tcp any eq 139 any eq netbios-ssn rule-precedence 18 rule-description "deny SMB Traffic"
 deny tcp any eq 137 any eq netbios-ns rule-precedence 19 rule-description "deny SMB Traffic"
 deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
 deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
 deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
 permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
Some lines are already there, but some shall be added.
The IP ACL shall then be used on every WLAN in the outbound direction, and optionally on physical interfaces as well.

Some more details on web

Regards,
Ondrej
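
An added example, not part of the original post and not vendor code: a small first-match evaluator for checking what an ACL like the one above does to a given packet before it is deployed. It assumes rules are evaluated in ascending rule-precedence order with the first match deciding, and that the port given after the source address matches the source port; the packet values used with it and the `FIX` rule are constructed for illustration.

```python
import ipaddress, shlex
# ACL rules exactly as posted in the thread (list bullets removed).
ACL = '''
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
deny tcp any eq 445 any eq 445 rule-precedence 17 rule-description "deny SMB Traffic"
deny tcp any eq 139 any eq netbios-ssn rule-precedence 18 rule-description "deny SMB Traffic"
deny tcp any eq 137 any eq netbios-ns rule-precedence 19 rule-description "deny SMB Traffic"
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
'''
# Constructed variant (not from the post): destination-port-only match, ahead of rule 10.
FIX = 'deny tcp any any eq 445 rule-precedence 5 rule-description "constructed"'
NAMED = {"dhcpc": 68, "netbios-ssn": 139, "netbios-ns": 137}

def _endpoint(tok):  # consume '<addr> [eq P | range A B]' from the front of tok
    addr = tok.pop(0)
    if addr == "host":
        addr = tok.pop(0) + "/32"
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "any" else addr)
    lo, hi = 0, 65535
    if tok[0] == "eq":
        lo = hi = NAMED[tok[1]] if tok[1] in NAMED else int(tok[1])
        del tok[:2]
    elif tok[0] == "range":
        lo, hi = int(tok[1]), int(tok[2])
        del tok[:3]
    return net, range(lo, hi + 1)

def parse(text):
    """Parse rule lines and order them by ascending rule-precedence (assumed evaluation order)."""
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _endpoint(tok), _endpoint(tok)
        rules.append((int(tok[tok.index("rule-precedence") + 1]), action, proto, src, dst))
    return sorted(rules, key=lambda r: r[0])

def decide(rules, proto, sip, sport, dip, dport):
    """Return (action, precedence) of the first rule that matches the packet."""
    s, d = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
    for prec, action, rproto, (snet, sports), (dnet, dports) in rules:
        ports_ok = rproto == "ip" or (sport in sports and dport in dports)
        if rproto in ("ip", proto) and s in snet and d in dnet and ports_ok:
            return action, prec
    return "deny", None  # assumption: nothing matched, treat as dropped
```

Under those assumptions, `decide(parse(ACL), "tcp", "10.0.0.5", 49152, "10.0.0.9", 445)` returns `("permit", 10)`, and with rule 10 removed the same packet still reaches precedence 100 because rule 17 also requires source port 445. `parse(FIX + ACL)` shows the constructed destination-port rule at a lower precedence returning `("deny", 5)` for that packet.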

10 REPLIES 10

BrandonC
Extreme Employee
Great article, Ondrej!