ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster, W32 /Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after
CraigS at caamb.mb.ca
Tue Aug 12 20:27:27 GMT 2003
The source packets are from outside your ISP's address range?
craigs at caamanitoba.com
From: Peter Stendahl-Juvonen [mailto:peter.stendahl-juvonen at welho.com]
Sent: 12-Aug-03 15:02
To: 'General DShield Discussion List'
Subject: ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster,
W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after
Johannes, et al.
list-bounces at dshield.org <mailto:list-bounces at dshield.org> wrote on
Tuesday, August 12, 2003 5:02 PM: on behalf of: Johannes Ullrich
[jullrich at euclidian.com]
| Many ISPs block port 135 now. Some extended this block
| to 4444 (worm remote shell) and 69 (tftp). The amount
| of traffic you are seeing will depend very much on how
| these blocks are implemented. Many ISPs can not block
| traffic between their subscribers, but only traffic
| to/from the outside.
In order to protect its customers from the Lovsan (AKA: MSBlast, Poza,
Blaster, W32/Msblast, Lovesun) threat, my ISP informs that it has started
TCP/UDP Port 135
TCP/UDP Port 139
TCP/UDP Port 445
in its network as [reportedly] recommended by the Finnish Communications
Filtering started and customers were informed presumably August 12,
Still see quite a few hit attempts targeted especially to port 135
(Service: RPC Remote Procedure Call, Transport: TCP (flags:S)).
Also still, see a few hit attempts targeted to port 445
(Service: MSFT DS, SMB Server Message Block, Transport: TCP (flags:S)).
Still also, see very few hit attempts targeted to port 139
(NETBIOS Session Service, Transport: TCP (flags:S)).
In this ISP's case it would appear [as a rule] that these types of
traffic (ports 135, 139 and 445 above) originating from other customers
of this same ISP are indeed filtered well (or have stopped for other
reason(s)), but traffic from "outside" is still seen.
In the info to customers (presumably by the communication department
people of the ISP) the wording used, is that
the ISP "has closed access to UDP/TCP ports 135, 139 and 445".
The info also explains that "the closing of these ports affect the
traffic of those customers, who use 'file and printer sharing in
Microsoft networks'. The closing of these ports affects also use of
Linux' Samba program."
What should one conclude regarding the alleged filtering (or "closing
Why still seeing these hit attempts from "outside" (only)?
Thanks in advance for enlightenment.
"To handle silence is more difficult than to handle words."
Georges Clemenceau (1841-1929); French politician.
SOURCE (for worm/virus name and its aliases):
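The question CraigS raises (are the remaining hits coming from outside the ISP's own address range?) is easy to answer mechanically from a firewall log. The script below is an added example, not code from the thread or from DShield: it parses constructed log lines in a simplified, made-up format, keeps only TCP SYN attempts to the three ports the ISP says it filters, and counts them by port and by whether the source falls inside a hypothetical set of ISP customer prefixes. The address ranges, the log format and the sample lines are all assumptions; a real firewall log needs its own parser and the ranges would come from the ISP's published allocations.

```python
"""Classify inbound SYN hits on ports 135/139/445 by source origin.

Added example (not from the DShield thread). The log format, the ISP
address ranges and the sample lines are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical customer ranges of "my ISP" (constructed, documentation
# prefixes; a real deployment would load the ISP's actual allocations).
ISP_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Ports the ISP says it has "closed"; 4444 is deliberately not in this
# set so the example shows that unrelated ports are ignored.
FILTERED_PORTS = {
    135: "RPC endpoint mapper",
    139: "NetBIOS session service",
    445: "SMB over TCP (Microsoft-DS)",
}

# Constructed log lines in a simplified key=value form (not a real
# firewall format). 203.0.113.0/24 plays the role of "outside".
SAMPLE_LOG = """\
2003-08-12 15:01:02 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP FLAGS=S DPT=135
2003-08-12 15:01:05 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP FLAGS=S DPT=135
2003-08-12 15:02:11 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP FLAGS=S DPT=445
2003-08-12 15:02:40 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP FLAGS=S DPT=139
2003-08-12 15:03:01 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP FLAGS=S DPT=4444
2003-08-12 15:03:30 SRC=203.0.113.12 DST=192.0.2.10 PROTO=TCP FLAGS=A DPT=135
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) FLAGS=(\S+) DPT=(\d+)")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, flags, dport = m.groups()
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "flags": flags,
        "dport": int(dport),
    }


def is_inside_isp(addr):
    """True if the address belongs to one of the ISP's customer ranges."""
    return any(addr in net for net in ISP_RANGES)


def classify(log_text):
    """Count TCP SYN attempts to filtered ports, keyed by (port, origin)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only connection attempts (SYN) to the ports of interest count.
        if rec["proto"] != "TCP" or rec["flags"] != "S":
            continue
        if rec["dport"] not in FILTERED_PORTS:
            continue
        origin = "inside" if is_inside_isp(rec["src"]) else "outside"
        counts[(rec["dport"], origin)] += 1
    return counts


def filter_verdict(counts):
    """Per port: hit counts by origin and whether the intra-ISP path is clean."""
    verdict = {}
    for port in FILTERED_PORTS:
        inside = counts.get((port, "inside"), 0)
        outside = counts.get((port, "outside"), 0)
        verdict[port] = {
            "inside": inside,
            "outside": outside,
            # No SYNs from fellow customers means the subscriber-to-subscriber
            # filter is holding; outside hits say nothing about that path.
            "inside_filter_holding": inside == 0,
        }
    return verdict


if __name__ == "__main__":
    for port, v in sorted(filter_verdict(classify(SAMPLE_LOG)).items()):
        print(f"port {port:3d} ({FILTERED_PORTS[port]}): "
              f"inside={v['inside']} outside={v['outside']} "
              f"intra-ISP filter holding={v['inside_filter_holding']}")
```

On the constructed sample, port 135 shows one SYN from a fellow customer (so the intra-ISP filter is not complete for that port) and one from outside, while 139 and 445 show outside hits only. That split is the point of CraigS's question: outside hits are consistent with a filter applied only between subscribers, as Johannes describes, whereas inside hits would show the filter is not doing what the customer notice claims.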