ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster, W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after
peter.stendahl-juvonen at welho.com
Wed Aug 13 11:59:55 GMT 2003
RE: ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster,
W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after
list-bounces at dshield.org <mailto:list-bounces at dshield.org> wrote on
Wednesday, August 13, 2003 4:17 AM: on behalf of: Craig Shaw
[CraigS at caamb.mb.ca]
Right you are.
| Still, if they were blocking internal traffic but leaving the outside
| stuff still wide open, I would expect you to still see a lot of
| traffic on your firewall.
1) Traffic on firewall (during an eleven hrs period after ISP's
"internal traffic" filtering applied) show:
120 hits targeted to port 135 (Service: RPC Remote Procedure Call,
Transport: TCP (flags:S)).
11 hits targeted to port 445 (Service: MSFT DS, SMB Server Message
Block, Transport: TCP (flags:S)).
6 hits targeted to port 139 (NETBIOS Session Service, Transport: TCP
2) Not a single one hit attempt originates from other subscribers of
this same ISP.
(Number of subscribers several tens of thousands.)
When ISP applies this kind of filtering, fellow [ISP] subscribers no
longer reported to DShield in my logs. ;=)
"Ask a question and you are a fool for one minute.
Don't ask a question and you are a fool forever."
More information about the list