One network manager on the Cisco User Forum said, "We have got a really nasty situation that cropped up after Nimda did its damage to a Web server. The attack drove the router to 100% utilisation, and now the unit won't block TCP 80."
Similar reports are coming from other newsgroups and Cisco has set up an advisory on its Web site.
In security advisories issued after the Code Red attack in July, Cisco recommended turning off port 80, normally used as a last resort for controlling large flows of Internet data. Scott Blake of security consultancy Bindview said, "We have heard a few reports of Cisco products being affected and it sounds like a classic buffer overrun attack due to the huge volumes of traffic generated by the Nimda virus."
Bindview said IOS, the built-in operating system of the affected Cisco products, could be being corrupted, causing anomalous behaviour. "It is unlikely that the virus writers intended this. It is more likely to be a by-product of the virus. Cisco generally makes good kit but, when it is attacked in this way, there is not a lot they can do," said Blake. "All the affected customer can do is to reload IOS and send Cisco a letter complaining about the problem and telling them to do better in the future."