ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster, W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Tue Aug 12 22:31:35 GMT 2003


RE: ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster,
W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after

list-bounces at dshield.org <mailto:list-bounces at dshield.org> wrote on
Wednesday, August 13, 2003 12:19 AM: on behalf of: Craig Shaw
[CraigS at caamb.mb.ca]

| [snip] It sounds like your ISP is
| filtering internal traffic, but not blocking things externally. 

Affirmative (I assume the same).

| Or, perhaps your ISP is part of a larger backbone network that several
| other ISP's share, and that larger network is the one doing the
| blocking. 
| 
| So, Backbone ISP blocks anything outside their network. Smaller ISP's
| within that backbone ISP may just be relying on the larger ISP to do
| the blocking. 
| 
| Does that sound reasonable? A whois of the ip addresses might tell
| you if that is the case - the whois databases generally report if a
| given set of addresses have been sub-let to a smaller network.

Negative (I do not assume this being the case here).

Still, is it not a bit strange just blocking internal traffic?

Thanks,
Pete

| 
| 
| -----Original Message-----
| From: Peter Stendahl-Juvonen [mailto:peter.stendahl-juvonen at welho.com]
| Sent: 12-Aug-03 16:03
| To: 'General DShield Discussion List'
| Subject: RE: ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster,
| W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after
| 
| RE: ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster,
| W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after
| 
| list-bounces at dshield.org <mailto:list-bounces at dshield.org> wrote on
| Tuesday, August 12, 2003 11:27 PM: on behalf of: Craig Shaw
| [CraigS at caamb.mb.ca]
| 
|| 
|| The source packets are from outside your ISP's address range?
|| 
| 
| 
| Craig,
| 
| Yes, that is correct.
| 
| In several cases, the intrusion attempts come from e.g. neighbour
| countries (Sweden, Russia) and there is a similarity in the beginning
| of the IP address.
| 
| The similarity is in the CAPITAL LETTER part (of the following
| conceptual IP address) as follows:
| 
| AAA.BBB.ccc.ddd.
| 
| All these address ranges are definitely outside that of my ISP's, but
| begin the same ("AAA.BBB.").
| 
| In many cases, there is no similarity; the entire IP address is
| different ("aaa.bbb.ccc.ddd"), i.e. no match at all.
|
| Thanks in advance for enlightenment.
|
| Pete 
| 
| 
| Craig Shaw
| Systems Administrator
| CAA Manitoba
| (204) 262-6035
| craigs at caamanitoba.com
| 
|| -----Original Message-----
|| From: Peter Stendahl-Juvonen [mailto:peter.stendahl-juvonen at welho.com]
|| Sent: 12-Aug-03 15:02
|| To: 'General DShield Discussion List'
|| Subject: ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster,
|| W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after
|| 
|| ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster,
|| W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after
|| 
|| Johannes, et al.
|| 
|| list-bounces at dshield.org <mailto:list-bounces at dshield.org> wrote on
|| Tuesday, August 12, 2003 5:02 PM: on behalf of: Johannes Ullrich
|| [jullrich at euclidian.com] 
|| 
||| 
||| Many ISPs block port 135 now. Some extended this block
||| to 4444 (worm remote shell) and 69 (tftp). The amount
||| of traffic you are seeing will depend very much on how
||| these blocks are implemented. Many ISPs can not block
||| traffic between their subscribers, but only traffic to/from the
||| outside. 
||| 
|| 
|| In order to protect its customers from the Lovsan (AKA: MSBlast, Poza,
|| Blaster, W32/Msblast, Lovesun) threat, my ISP informs that it has
|| started filtering:
|| 
|| TCP/UDP Port 135
|| TCP/UDP Port 139
|| TCP/UDP Port 445
|| 
|| in its network as [reportedly] recommended by the Finnish
|| Communications Regulatory Authority.
|| 
|| Filtering started and customers were informed presumably August 12,
|| morning, GMT+3. 
|| 
|| 
|| I still see quite a few hit attempts targeted especially at port 135
|| (Service: RPC Remote Procedure Call, Transport: TCP (flags:S)).
|| 
|| I also still see a few hit attempts targeted at port 445
|| (Service: MSFT DS, SMB Server Message Block, Transport: TCP
|| (flags:S)). 
|| 
|| And I still see very few hit attempts targeted at port 139
|| (NETBIOS Session Service, Transport: TCP (flags:S)).
|| 
|| 
|| In this ISP's case it would appear [as a rule] that these types of
|| traffic (ports 135, 139 and 445 above) originating from other
|| customers of this same ISP are indeed filtered well (or have stopped
|| for other reason(s)), but traffic from "outside" is still seen.
|| 
|| 
|| In the info to customers (presumably by the communication department
|| people of the ISP) the wording used, is that
|| 
|| the ISP "has closed access to UDP/TCP ports 135, 139 and 445".
|| 
|| The info also explains that "the closing of these ports affects the
|| traffic of those customers who use 'file and printer sharing in
|| Microsoft networks'. The closing of these ports also affects use of
|| Linux's Samba program." 
|| 
|| 
|| What should one conclude regarding the alleged filtering (or
|| "closing ports")? 
|| 
|| Why still seeing these hit attempts from "outside" (only)?
|| 
|| Thanks in advance for enlightenment.
|| 
|| Regards,
|| Peter
|| 
|| 
||      "To handle silence is more difficult than to handle words."
||           Georges Clemenceau (1841-1929); French politician.
|| 
|| 
|| 
|| SOURCE (for worm/virus name and its aliases):
|| http://www.f-secure.com/v-descs/msblast.shtml
||
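
The question running through this thread is whether the ISP's filter on TCP/UDP 135, 139 and 445 is only applied between subscribers, and whether the hits that still arrive come from the ISP's own range or from outside it. The script below is an added example (not code from the thread or from any of the posters): it parses a constructed firewall log of inbound SYNs, checks each source against the ISP's prefix by longest-prefix match rather than by the "AAA.BBB." first-two-octets resemblance Pete describes, and reports (a) hits per port split into inside/outside, (b) inside sources that still reached a filtered port, which would mean the subscriber-to-subscriber filter is leaking, and (c) outside sources that merely look like the ISP's range. The ISP prefix 203.0.113.0/24, the monitored host 203.0.113.42, the log line format and every address in the log are assumptions made up for the example; the port list is the one named in the thread (135/139/445 filtered by the ISP, 4444 and 69 as the worm's shell and tftp ports).

```python
"""Triage of inbound SYN hits against an ISP port filter.

Added example, not code from the mailing-list post. The log lines,
the ISP prefix (RFC 5737 documentation space), and the monitored
host address are all constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

# Ports named in the thread: the ISP's filter set, plus the two ports
# mentioned as extended blocks (4444 worm remote shell, 69 tftp).
ISP_FILTERED_PORTS = {135, 139, 445}
WORM_PORTS = {4444: "worm-remote-shell", 69: "tftp"}

# Assumed ISP customer range and the host whose firewall log we read.
ISP_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
MY_HOST = ipaddress.ip_address("203.0.113.42")

# Constructed log format: "<mon> <day> <time> TCP <flags> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) TCP (?P<flags>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: mostly outside hits on 135/445/139, one hit on 4444,
# one source that shares "203.0." but lies outside the ISP prefix, and one
# genuine inside hit on 135 (a leak past the subscriber-to-subscriber filter).
SAMPLE_LOG = """\
Aug 12 09:14:02 TCP S 198.51.100.7:3201 -> 203.0.113.42:135
Aug 12 09:14:05 TCP S 198.51.100.9:3412 -> 203.0.113.42:445
Aug 12 09:15:11 TCP S 192.0.2.200:1077 -> 203.0.113.42:139
Aug 12 09:15:40 TCP S 203.0.99.8:2010 -> 203.0.113.42:135
Aug 12 09:16:02 TCP S 198.51.100.7:3202 -> 203.0.113.42:4444
Aug 12 09:16:30 TCP S 192.0.2.15:1500 -> 203.0.113.42:80
Aug 12 09:17:00 TCP S 203.0.113.200:1045 -> 203.0.113.42:135
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "flags": m["flags"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def is_inside(ip):
    """True if ip lies in one of the ISP's prefixes (longest-prefix membership)."""
    ip = ipaddress.ip_address(str(ip))
    return any(ip in net for net in ISP_PREFIXES)


def shares_leading_octets(ip, n=2):
    """True if ip shares its first n dotted octets with an ISP prefix.

    This is the 'AAA.BBB.' resemblance from the thread. It says nothing
    about who holds the block; only is_inside() answers that.
    """
    head = str(ipaddress.ip_address(str(ip))).split(".")[:n]
    return any(str(net.network_address).split(".")[:n] == head for net in ISP_PREFIXES)


def classify_port(dport):
    """Label a destination port by its role in the thread's discussion."""
    if dport in ISP_FILTERED_PORTS:
        return "isp-filtered"
    if dport in WORM_PORTS:
        return WORM_PORTS[dport]
    return "other"


def triage(log_text):
    """Count inbound SYNs per (port, origin) and flag filter leaks and look-alikes."""
    counts = Counter()
    leaks = []        # inside sources that still reached 135/139/445
    lookalikes = []   # outside sources that share the ISP's leading octets
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only bare SYNs to our host, matching the "flags:S" hits in the thread.
        if rec is None or rec["flags"] != "S" or rec["dst"] != MY_HOST:
            continue
        origin = "inside" if is_inside(rec["src"]) else "outside"
        counts[(rec["dport"], origin)] += 1
        if classify_port(rec["dport"]) == "isp-filtered" and origin == "inside":
            leaks.append(str(rec["src"]))
        if origin == "outside" and shares_leading_octets(rec["src"]):
            lookalikes.append(str(rec["src"]))
    return {"counts": counts, "filter_leaks": leaks, "lookalike_outside": lookalikes}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (port, origin), n in sorted(result["counts"].items()):
        print(f"port {port:5d} {origin:7s} {n}")
    print("filter leaks (inside -> filtered port):", result["filter_leaks"])
    print("outside sources that merely resemble the ISP range:", result["lookalike_outside"])
```

If the ISP's filter really only sits between subscribers, `filter_leaks` should stay empty on a real log while the outside counts keep climbing, which is the pattern Pete reports; a non-empty leak list is the thing worth taking back to the ISP. The look-alike list is there to make the point that two shared leading octets do not put a source inside the ISP's allocation, so a whois or route lookup, not the dotted-quad resemblance, is what decides "inside" versus "outside".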



