Security Incidents mailing list archives
RE: Possible method to prevent spread of CodeRed and other similar worms
From: corecode <corecode () corecode ath cx>
Date: Wed, 01 Aug 2001 21:17:55 +0000
At 07:26 PM 8/1/2001, Delaney, Gavin J (EASD, IT) wrote:
> Dave, Restricting tcp/port80 initiated outbound connections from the DMZ is a reasonable approach.
actually restricting tcp:80 outgoing won't stop the worm from spreading. the worm itself never uses port 80 for outgoing traffic. it will just connect to port 80 but the port on the attacking machine is some regular outgoing port (> 1024).
so one had to deny tcp from server to any 80

cheerz
corecode

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
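
The two readings of "restrict port 80 outbound" contrasted in this message, as an added example that is not part of the original post: a simplified stateless matcher for rules written in the "deny tcp from ... to ..." form used above. The addresses, ports, packets and the `parse_rule`/`denied`/`evaluate` helpers are constructed for illustration, and the rule grammar is an assumed subset, not any real firewall's parser.

```python
from dataclasses import dataclass
from ipaddress import ip_address

SERVER = "192.0.2.10"  # constructed DMZ web server address (documentation range)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def parse_rule(text):
    """Parse 'deny tcp from ADDR [PORT] to ADDR [PORT]' (assumed, simplified syntax)."""
    tok = text.split()
    if tok[:3] != ["deny", "tcp", "from"] or "to" not in tok:
        raise ValueError(f"unsupported rule: {text!r}")
    to = tok.index("to")

    def side(parts):
        if not 1 <= len(parts) <= 2:
            raise ValueError(f"bad address/port in rule: {text!r}")
        addr = SERVER if parts[0] == "server" else parts[0]
        if addr != "any":
            ip_address(addr)  # raises ValueError on a malformed address
        return addr, (int(parts[1]) if len(parts) == 2 else None)

    return side(tok[3:to]), side(tok[to + 1:])

def denied(rule, pkt):
    """True if the packet matches the deny rule; an omitted port matches any port."""
    (saddr, sport), (daddr, dport) = rule
    return (saddr in ("any", pkt.src) and sport in (None, pkt.sport)
            and daddr in ("any", pkt.dst) and dport in (None, pkt.dport))

# Constructed sample traffic leaving the server.
WORM_CONNECT = Packet(SERVER, 1042, "198.51.100.7", 80)  # infected host dialing out
WEB_REPLY = Packet(SERVER, 80, "203.0.113.5", 3310)      # answer to a real visitor

def evaluate():
    by_source = parse_rule("deny tcp from server 80 to any")  # matches source port 80
    by_dest = parse_rule("deny tcp from server to any 80")    # rule from the message
    return {
        "source-port rule blocks worm": denied(by_source, WORM_CONNECT),
        "source-port rule blocks replies": denied(by_source, WEB_REPLY),
        "dest-port rule blocks worm": denied(by_dest, WORM_CONNECT),
        "dest-port rule blocks replies": denied(by_dest, WEB_REPLY),
    }

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {result}")
```

Matching on source port 80 lets the outbound worm connection through and drops the server's own replies, while matching on destination port 80 does the reverse.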
