ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster, W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Tue Aug 12 20:01:51 GMT 2003



Johannes, et al.

list-bounces at dshield.org wrote on Tuesday, August 12, 2003 5:02 PM, on
behalf of Johannes Ullrich [jullrich at euclidian.com]:

| 
| Many ISPs block port 135 now. Some extended this block
| to 4444 (worm remote shell) and 69 (tftp). The amount
| of traffic you are seeing will depend very much on how
| these blocks are implemented. Many ISPs can not block
| traffic between their subscribers, but only traffic
| to/from the outside.
| 

In order to protect its customers from the Lovsan (AKA: MSBlast, Poza,
Blaster, W32/Msblast, Lovesun) threat, my ISP informs that it has started
filtering:

TCP/UDP Port 135
TCP/UDP Port 139
TCP/UDP Port 445

in its network as [reportedly] recommended by the Finnish Communications
Regulatory Authority.

Filtering started, and customers were informed, presumably on the morning
of August 12, GMT+3.


I still see quite a few hit attempts targeted especially at port 135
(Service: RPC Remote Procedure Call, Transport: TCP (flags:S)).

I also still see a few hit attempts targeted at port 445
(Service: MSFT DS, SMB Server Message Block, Transport: TCP (flags:S)).

I still also see very few hit attempts targeted at port 139
(NETBIOS Session Service, Transport: TCP (flags:S)).


In this ISP's case it would appear [as a rule] that these types of
traffic (to ports 135, 139 and 445 above) originating from other customers
of this same ISP are indeed filtered well (or have stopped for other
reason(s)), but traffic from "outside" is still seen.


In the info to customers (presumably written by the communication
department people of the ISP) the wording used is that

the ISP "has closed access to UDP/TCP ports 135, 139 and 445".

The info also explains that "the closing of these ports affects the
traffic of those customers who use 'file and printer sharing in
Microsoft networks'. The closing of these ports also affects use of
Linux' Samba program."


What should one conclude regarding the alleged filtering (or "closing
ports")?

Why am I still seeing these hit attempts from "outside" (only)?

Thanks in advance for enlightenment.

Regards,
Peter


     "To handle silence is more difficult than to handle words."
          Georges Clemenceau (1841-1929); French politician.



SOURCE (for worm/virus name and its aliases):
http://www.f-secure.com/v-descs/msblast.shtml
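As an added example that is not part of the original post (and is not code from the ISP, F-Secure or DShield): the inference Peter makes by eye above, that hits on 135/139/445 from fellow subscribers have disappeared while hits from "outside" continue, can be made explicit by tallying each observed hit by whether its source address falls inside the ISP's own customer prefixes or outside them. The ISP prefix list, the log line format and the sample log lines are all constructed for illustration and are assumptions, not data from the post.

```python
"""
Added example, not code from the original DShield post or from the ISP:
tally connection attempts to the worm-related ports by whether the source
address lies inside the ISP's own customer prefixes or outside them.

Assumptions (hypothetical, constructed for illustration, not from the post):
the ISP prefix list, the log line format, and the sample log lines below.
"""
import ipaddress
from collections import Counter

# Constructed: pretend these are the ISP's customer address blocks.
ISP_PREFIXES = [ipaddress.ip_network("10.20.0.0/16"),
                ipaddress.ip_network("10.21.0.0/16")]

# Ports the ISP says it closed (135, 139, 445) plus the two Blaster side
# channels Johannes mentions (4444 remote shell, 69 tftp), which it did not.
ISP_FILTERED_PORTS = {135, 139, 445}
WATCH_PORTS = ISP_FILTERED_PORTS | {4444, 69}

# Constructed sample log, one hit per line:
#   <time> <src_ip> <dst_ip> <proto> <dst_port> <tcp_flags>
SAMPLE_LOG = """\
2003-08-12T07:01:03 192.0.2.17   10.20.5.9 tcp 135  S
2003-08-12T07:01:04 198.51.100.8 10.20.5.9 tcp 135  S
2003-08-12T07:02:10 198.51.100.8 10.20.5.9 tcp 445  S
2003-08-12T07:03:55 203.0.113.77 10.20.5.9 tcp 135  S
2003-08-12T07:04:12 203.0.113.77 10.20.5.9 tcp 4444 S
2003-08-12T07:05:30 10.21.3.3    10.20.5.9 udp 69   -
2003-08-12T07:06:01 192.0.2.17   10.20.5.9 tcp 139  S
2003-08-12T07:06:02 192.0.2.17   10.20.5.9 tcp 80   S
"""


def parse_line(line):
    """Split one log line into a record; split() tolerates the column padding."""
    ts, src, dst, proto, port, flags = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto,
            "port": int(port), "flags": flags}


def is_inside(addr, prefixes=ISP_PREFIXES):
    """True if addr (string or ip_address) belongs to one of the ISP's prefixes."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in prefixes)


def tally(log_text, prefixes=ISP_PREFIXES, ports=WATCH_PORTS):
    """Count hits on the watched ports, keyed by (origin, port), where origin
    is 'inside' (another subscriber of the same ISP) or 'outside'."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["port"] not in ports:
            continue
        origin = "inside" if is_inside(rec["src"], prefixes) else "outside"
        counts[(origin, rec["port"])] += 1
    return counts


def verdicts(counts, ports=WATCH_PORTS):
    """Describe what the tally shows per port. Caveat, as in the post: no hits
    from a direction means either the filter works on that path or the
    sources simply went quiet; the log alone cannot tell the two apart."""
    out = {}
    for port in sorted(ports):
        inside, outside = counts[("inside", port)], counts[("outside", port)]
        if inside == 0 and outside == 0:
            out[port] = "no hits"
        elif inside == 0:
            out[port] = "outside only (intra-ISP path filtered or quiet; border not filtered)"
        elif outside == 0:
            out[port] = "inside only (border filtered or quiet; intra-ISP path not filtered)"
        else:
            out[port] = "both (no effective filter on this port)"
    return out


if __name__ == "__main__":
    c = tally(SAMPLE_LOG)
    for port, v in verdicts(c).items():
        print(f"port {port:>4}: inside={c[('inside', port)]} "
              f"outside={c[('outside', port)]} -> {v}")
```

Run against the constructed log, the script reports ports 135, 139, 445 and 4444 as "outside only" and port 69 as "inside only": the pattern Peter describes for the three ports the ISP closed, with the uncovered Blaster side channels left visible. In practice one would feed it the real prefix list of the ISP (from its route announcements or WHOIS) and the firewall's own log format.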




