ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster, W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Tue Aug 12 21:02:58 GMT 2003


RE: ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster,
W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after

list-bounces at dshield.org wrote on Tuesday, August 12, 2003 11:27 PM:
on behalf of: Craig Shaw [CraigS at caamb.mb.ca]

| 
| The source packets are from outside your ISP's address range?
| 


Craig,

Yes, that is correct.

In several cases, the intrusion attempts come from e.g. neighbouring
countries (Sweden, Russia), and there is a similarity in the beginning of
the IP address.

The similarity is in the CAPITAL LETTER part (of the following
conceptual IP address) as follows: 

AAA.BBB.ccc.ddd.

All these address ranges are definitely outside my ISP's, but begin the
same ("AAA.BBB.").

In many cases, there is no similarity (the entire IP address is
different "aaa.bbb.ccc.ddd"), i.e. no match at all.


Thanks in advance for enlightenment.

Pete


| Craig Shaw
| Systems Administrator
| CAA Manitoba
| (204) 262-6035
| craigs at caamanitoba.com
| 
| 
| -----Original Message-----
| From: Peter Stendahl-Juvonen [mailto:peter.stendahl-juvonen at welho.com]
| Sent: 12-Aug-03 15:02
| To: 'General DShield Discussion List'
| Subject: ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster,
| W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after
| 
| ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster, W32/Msblast,
| Lovesun) WAS: RE: [Dshield] DCOM morning after
| 
| Johannes, et al.
| 
| list-bounces at dshield.org wrote on Tuesday, August 12, 2003 5:02 PM:
| on behalf of: Johannes Ullrich [jullrich at euclidian.com]
| 
|| 
|| Many ISPs block port 135 now. Some extended this block
|| to 4444 (worm remote shell) and 69 (tftp).The amount
|| of traffic you are seeing will depend very much on how
|| these blocks are implemented. Many ISPs can not block
|| traffic between their subscribers, but only traffic to/from the
|| outside. 
|| 
| 
| In order to protect its customers from the Lovsan (AKA: MSBlast, Poza,
| Blaster, W32/Msblast, Lovesun) threat, my ISP informs that it has started
| filtering:
| 
| TCP/UDP Port 135
| TCP/UDP Port 139
| TCP/UDP Port 445
| 
| in its network as [reportedly] recommended by the Finnish
| Communications Regulatory Authority.
| 
| Filtering started and customers were informed, presumably on the
| morning of August 12, GMT+3.
| 
| 
| I still see quite a few hit attempts targeted especially at port 135
| (Service: RPC Remote Procedure Call, Transport: TCP (flags:S)).
| 
| I also still see a few hit attempts targeted at port 445
| (Service: MSFT DS, SMB Server Message Block, Transport: TCP
| (flags:S)). 
| 
| I still also see very few hit attempts targeted at port 139
| (NETBIOS Session Service, Transport: TCP (flags:S)).
| 
| 
| In this ISP's case it would appear [as a rule] that these types of
| traffic (ports 135, 139 and 445 above) originating from other
| customers of this same ISP are indeed filtered well (or have stopped
| for other reason(s)), but traffic from "outside" is still seen.
| 
| 
| In the info to customers (presumably by the communication department
| people of the ISP) the wording used is that
| 
| the ISP "has closed access to UDP/TCP ports 135, 139 and 445".
| 
| The info also explains that "the closing of these ports affects the
| traffic of those customers who use 'file and printer sharing in
| Microsoft networks'. The closing of these ports also affects use of
| Linux's Samba program."
| 
| 
| What should one conclude regarding the alleged filtering (or "closing
| ports")?
| 
| Why am I still seeing these hit attempts from "outside" (only)?
| 
| Thanks in advance for enlightenment.
| 
| Regards,
| Peter
| 
| 
|      "To handle silence is more difficult than to handle words."
|           Georges Clemenceau (1841-1929); French politician.
| 
| 
| 
| SOURCE (for worm/virus name and its aliases):
| http://www.f-secure.com/v-descs/msblast.shtml
| 
| 
| _______________________________________________
| list mailing list
| list at dshield.org
| To change your subscription options (or unsubscribe), see:
| http://www.dshield.org/mailman/listinfo/list
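The thread turns on two questions: whether the probes still seen after the ISP's filter come from inside or outside the ISP's own address space, and whether a shared "AAA.BBB." prefix says anything about that. The script below is an added example, not code from the list thread or from DShield. It parses constructed firewall log lines for SYNs to the ports discussed (135, 139, 445, plus 4444 and 69 from Johannes' note), classifies each source against hypothetical ISP CIDR blocks (RFC 5737 documentation ranges standing in for the real ISP), and counts probes per origin and port. It also shows why the "first two octets match" heuristic from the thread is not a reliable inside/outside test: a /25 covers only half of a /24, so two addresses sharing "198.51.100." can be on opposite sides of the filter. The log format, the ISP prefixes and all addresses are assumptions for illustration; a real firewall's log format needs its own regular expression.

```python
"""Classify worm-probe SYN attempts by source origin (inside/outside the ISP)
using proper CIDR matching rather than a first-two-octets heuristic.
Added example for the DShield thread; not the ISP's or DShield's code."""
import ipaddress
import re
from collections import Counter

# Ports named in the thread: RPC/DCOM, NetBIOS session, SMB over TCP,
# the worm's remote shell (4444) and the TFTP download channel (69).
PORT_NAMES = {135: "RPC/DCOM", 139: "NetBIOS-SSN", 445: "SMB",
              4444: "worm shell", 69: "tftp"}

# Hypothetical ISP address blocks (RFC 5737 documentation space, not a real ISP).
# Note the /25: it covers 198.51.100.0-127 only, so 198.51.100.201 is outside.
ISP_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]

# Constructed firewall log lines in a simple syslog-like shape; not real captures.
SAMPLE_LOG = """\
Aug 12 09:01:12 fw DROP TCP 192.0.2.17:1052 -> 192.0.2.200:135 S
Aug 12 09:02:40 fw DROP TCP 198.51.100.201:1077 -> 192.0.2.200:135 S
Aug 12 09:03:05 fw DROP TCP 203.0.113.9:3210 -> 192.0.2.200:445 S
Aug 12 09:04:51 fw DROP TCP 198.51.100.33:4100 -> 192.0.2.200:139 S
Aug 12 09:05:02 fw DROP TCP 203.0.113.77:1999 -> 192.0.2.200:4444 S
Aug 12 09:05:30 fw DROP UDP 203.0.113.77:2001 -> 192.0.2.200:69 -
Aug 12 09:06:11 fw DROP TCP 203.0.113.9:3211 -> 192.0.2.200:135 S
Aug 12 09:07:00 fw DROP TCP 203.0.113.9:3212 -> 192.0.2.200:80 S
"""

LINE_RE = re.compile(
    r"(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)"
)


def origin(src, prefixes):
    """'inside' if src falls in any of the ISP's CIDR blocks, else 'outside'."""
    addr = ipaddress.ip_address(src)
    return "inside" if any(addr in net for net in prefixes) else "outside"


def shares_first_two_octets(a, b):
    """The thread's 'AAA.BBB.' heuristic: true when the first 16 bits match.
    Kept only to show that it is not the same question as origin()."""
    return a.split(".")[:2] == b.split(".")[:2]


def parse(log_text):
    """Yield (proto, src, dport, flags) for lines matching LINE_RE; skip others."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["proto"], m["src"], int(m["dport"]), m["flags"]


def summarize(log_text, prefixes, ports=PORT_NAMES):
    """Count probes per (origin, dport), restricted to the worm-related ports.
    TCP lines count only when they are SYNs (flags 'S'); UDP lines always count."""
    counts = Counter()
    for proto, src, dport, flags in parse(log_text):
        if dport not in ports:
            continue
        if proto == "TCP" and flags != "S":
            continue
        counts[(origin(src, prefixes), dport)] += 1
    return counts


def report(counts, ports=PORT_NAMES):
    """Render the counts as 'origin port/name: n' lines, inside first."""
    lines = []
    for (where, dport), n in sorted(counts.items()):
        lines.append(f"{where:7} {dport:>5}/{ports[dport]:<12} {n}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG, ISP_PREFIXES))))
    # Same first two octets, different sides of the filter:
    a, b = "198.51.100.201", "198.51.100.33"
    print(f"{a} vs {b}: shares AAA.BBB. = {shares_first_two_octets(a, b)}, "
          f"origins = {origin(a, ISP_PREFIXES)}/{origin(b, ISP_PREFIXES)}")
```

If an ISP really does drop these ports at its border but not between subscribers, a table like the one above should show the "outside" rows drying up and the "inside" rows persisting; the thread reports the opposite, which is the anomaly worth raising with the ISP.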