ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster, W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Wed Aug 13 11:59:55 GMT 2003



list-bounces at dshield.org wrote on Wednesday, August 13, 2003 4:17 AM,
on behalf of Craig Shaw [CraigS at caamb.mb.ca]:

Craig,

Right you are.

| -snip-
| Still, if they were blocking internal traffic but leaving the outside
| stuff still wide open, I would expect you to still see a lot of
| traffic on your firewall.
| -snip-


1) Traffic on the firewall (during an eleven-hour period after the ISP's
"internal traffic" filtering was applied) shows:

120 hits targeted to port 135 (Service: RPC Remote Procedure Call,
Transport: TCP (flags:S)).

11 hits targeted to port 445 (Service: MSFT DS, SMB Server Message
Block, Transport: TCP (flags:S)).

6 hits targeted to port 139 (NETBIOS Session Service, Transport: TCP
(flags:S)).


2) Not a single hit attempt originates from other subscribers of
this same ISP.
(Number of subscribers several tens of thousands.)


When the ISP applies this kind of filtering, fellow [ISP] subscribers are
no longer reported to DShield in my logs.  ;=)

Thanks again
Pete


        "Ask a question and you are a fool for one minute. 
        Don't ask a question and you are a fool forever." 
                        Chinese Proverb. 
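
The tally described in the message above, as an added example that is not part of the original post: it counts inbound TCP SYNs per watched port and separates sources inside the ISP's own subscriber netblocks from outside ones. The iptables-style log format, the netblock 198.51.100.0/24 and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Ports the post reports on: 135 (RPC), 445 (SMB), 139 (NetBIOS session).
WATCHED_PORTS = {135, 445, 139}
# Assumption: the ISP's subscriber netblocks (a documentation range here).
ISP_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]
# Assumption: iptables LOG-style lines; adapt the pattern to your firewall.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)\b(?P<rest>.*)")

def summarize(lines):
    """Count inbound SYNs per watched port; split out same-ISP sources."""
    per_port, same_isp = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not TCP, or not a packet log line
        flags = m.group("rest").split()
        # Connection attempts only: SYN set, ACK and RST clear.
        if "SYN" not in flags or "ACK" in flags or "RST" in flags:
            continue
        port = int(m.group("dpt"))
        if port not in WATCHED_PORTS:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # malformed source field
        per_port[port] += 1
        if any(src in net for net in ISP_NETBLOCKS):
            same_isp[port] += 1
    return per_port, same_isp

def make_line(src, dpt, flags="SYN", proto="TCP"):
    """Build one constructed log line for the sample below."""
    return (f"Aug 13 01:00:00 fw kernel: IN=eth0 OUT= SRC={src} DST=198.51.100.20 "
            f"PROTO={proto} SPT=3456 DPT={dpt} WINDOW=64240 RES=0x00 {flags} URGP=0")

# Constructed sample: outside sources only, as in the post's observation.
SAMPLE = [
    make_line("203.0.113.7", 135), make_line("203.0.113.9", 135),
    make_line("192.0.2.44", 445), make_line("192.0.2.44", 139),
    make_line("203.0.113.7", 80),                   # unwatched port
    make_line("203.0.113.50", 135, "ACK SYN"),      # reply, not an attempt
    make_line("203.0.113.50", 135, "", "UDP"),      # not TCP
]

if __name__ == "__main__":
    ports, inside = summarize(SAMPLE)
    for p in sorted(ports):
        print(f"port {p}: {ports[p]} hits, {inside[p]} from same-ISP sources")
```

A same-ISP count that stays at zero while the outside count keeps climbing matches the filtering behaviour the post observes.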
