From: corecode (corecodecorecode.ath.cx)
Date: Wed Aug 01 2001 - 16:17:55 CDT

    At 07:26 PM 8/1/2001, Delaney, Gavin J (EASD, IT) wrote:
    >Dave,
    >Restricting tcp/port80 initiated outbound connections from the DMZ is a
    >reasonable approach.

    actually restricting tcp:80 outgoing won't stop the worm from spreading.
    the worm itself never uses port 80 for outgoing traffic. it will just
    connect to port 80 but the port on the attacking machine is some regular
    outgoing port ( > 1024).

    so one had to
    deny tcp from server to any 80

    cheerz
       corecode

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
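
The source-port versus destination-port distinction in the message above, as an added example that is not part of the original post: a toy first-match packet filter that evaluates both readings of "restrict port 80 outbound" against two constructed packets. The addresses, ports, rule model and default-allow policy are assumptions made for illustration.

```python
# Added example: toy first-match filter. All addresses and ports are constructed.
from dataclasses import dataclass
from typing import Optional

SERVER = "192.0.2.10"  # constructed DMZ web server address

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "deny" or "allow"
    src: Optional[str] = None     # None matches anything
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.sport, p.sport),
                 (self.dst, p.dst), (self.dport, p.dport))
        return all(want is None or want == got for want, got in pairs)

def decide(rules, packet, default="allow"):
    """Return the action of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default

# Reading 1: match on the SOURCE port ("deny tcp from server 80 to any").
BY_SOURCE_PORT = [Rule("deny", src=SERVER, sport=80)]
# Reading 2: match on the DESTINATION port ("deny tcp from server to any 80").
BY_DEST_PORT = [Rule("deny", src=SERVER, dport=80)]

# Server-initiated connection to another host's port 80 from a port > 1024.
outbound_to_web = Packet(SERVER, 1034, "198.51.100.7", 80)
# The server's own web reply to a client, sent from its port 80.
reply_to_client = Packet(SERVER, 80, "203.0.113.5", 40312)

def evaluate():
    """Verdict of each rule set for each constructed packet."""
    return {name: (decide(rules, outbound_to_web), decide(rules, reply_to_client))
            for name, rules in (("by_source_port", BY_SOURCE_PORT),
                                ("by_dest_port", BY_DEST_PORT))}

if __name__ == "__main__":
    for name, (outbound, reply) in evaluate().items():
        print(f"{name}: outbound-to-80={outbound} reply-from-80={reply}")
```

In this model the source-port rule lets the server-initiated connection through and drops the server's replies to its own clients, while the destination-port rule does the reverse.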