Can we stop WannaCry from being spread across network?

Ondrej_Lepa
Extreme Employee
WannaCry ransomware worm gets through SMB and other protocols.
There is a possible way to block these commands using ACL rule as follows:

ip access-list BROADCAST-MULTICAST-CONTROL
  permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
  permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
  deny tcp any eq 445 any eq 445 rule-precedence 17 rule-description "deny SMB Traffic"
  deny tcp any eq 139 any eq netbios-ssn rule-precedence 18 rule-description "deny SMB Traffic"
  deny tcp any eq 137 any eq netbios-ns rule-precedence 19 rule-description "deny SMB Traffic"
  deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
  deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
  deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
  permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
Some lines are already there but some shall be added.
IP ACL shall be then used on every WLAN in outbound direction and optionally on physical interfaces also.

Some more details on web

Regards,
Ondrej


Update:

Find some explanation, example:
Client A (XP) connects to Server B (2K8) over port 445. Since it's a TCP connection, Server B needs to be able to contact Client A over a port... the port used will be an ephemeral port (1025-5000 for WinXP & 2K3, 49blah-65535 for Vista & 2K8+). RPC also happens to use these ports. Client A connects to Server B over port 135 (the RPC endpoint mapper). Server B then connects to Client A over its ephemeral port (let's say 1134) and tells it to use port 49278 for this RPC connection. All future communications between Server B and Client A will be over port 49278 going to the server, and 1134 going to the client.

So ports 137-139 and 445 are blocked only in the "outbound direction" because in this direction AD uses higher ephemeral ports?

Am I right or not?

Thank you!
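As an added check (example code written for this thread, not from the original post or from Extreme), the following Python walks the ACL from the first post, and the ephemeral-port question raised in the reply above, over a few constructed flows and reports which rule each flow hits first. It assumes rules are tried in ascending rule-precedence with the first match winning, which must be confirmed against the platform documentation before relying on the result.

```python
import ipaddress
# Constructed transcription of the ACL from the post. Service names resolved
# to numbers (dhcpc=68, netbios-ssn=139, netbios-ns=137); a tuple is a range.
# Fields: action, protocol, src, src_port, dst, dst_port, rule-precedence.
ACL = [
    ("permit", "tcp", "any", None, "any", None, 10),
    ("permit", "udp", "any", 67, "any", 68, 11),
    ("deny", "tcp", "any", 445, "any", 445, 17),
    ("deny", "tcp", "any", 139, "any", 139, 18),
    ("deny", "tcp", "any", 137, "any", 137, 19),
    ("deny", "udp", "any", (137, 138), "any", (137, 138), 20),
    ("deny", "ip", "any", None, "224.0.0.0/4", None, 21),
    ("deny", "ip", "any", None, "255.255.255.255/32", None, 22),
    ("permit", "ip", "any", None, "any", None, 100),
]

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def _port_match(spec, port):
    if spec is None:          # rule does not constrain this port
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return port == spec

def evaluate(acl, proto, src, sport, dst, dport):
    """Return (action, precedence) of the first matching rule.
    Assumption (verify against the platform docs): rules are tried in ascending
    rule-precedence, first match wins, "ip" matches any protocol, no match = deny."""
    for action, rproto, rsrc, rsport, rdst, rdport, prec in sorted(acl, key=lambda r: r[6]):
        if rproto != "ip" and rproto != proto:
            continue
        if (_addr_match(rsrc, src) and _addr_match(rdst, dst)
                and _port_match(rsport, sport) and _port_match(rdport, dport)):
            return action, prec
    return "deny", None

# Constructed sample flows: (proto, src, sport, dst, dport).
SAMPLE_FLOWS = {
    "client-to-smb":    ("tcp", "10.0.0.5", 50123, "10.0.0.10", 445),
    "netbios-ns-bcast": ("udp", "10.0.0.5", 137, "10.0.0.255", 137),
    "dhcp-offer":       ("udp", "10.0.0.1", 67, "10.0.0.5", 68),
    "mdns-multicast":   ("udp", "10.0.0.5", 5353, "224.0.0.251", 5353),
}
def check_all(acl=ACL):
    """Map each sample flow name to the (action, precedence) it hits first."""
    return {name: evaluate(acl, *flow) for name, flow in SAMPLE_FLOWS.items()}
```

Under that assumption, a client SMB connection from an ephemeral source port hits rule 10 before any deny rule, and evaluating with rule 10 removed shows the "eq 445" source-port condition still does not match it, which is the point the reply above is asking about.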

Mareen
New Contributor
Nice, thank you

Timo1
New Contributor II
Hi,
thank you for the information. Any idea if Windows CE / Windows Mobile devices are also affected? I think based on the different hardware architecture maybe not, but I can't find any information about it.
BR Timo

Timo1
New Contributor II
Hi, Thank you. I also get some feedback from ZEBRA, that Windows CE / Mobile not affected. BR Timo

Hey Timo,

I cannot give an official answer, but doing some research you might find this document on the CERT.EUROPA.EU website.
See page 3, Products Affected

Regards,
Ondrej