ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster, W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Thu Aug 14 15:03:38 GMT 2003




Craig, et al.


Noticed today that filtering is applied by the ISP as of today (Aug. 14
morning GMT+3, onwards) ALSO for traffic originating "outside" [ISP's
address range].

Do not know whether the two-step approach was intentional or not.

The conclusion is that from now on I do not see this stuff on my
firewall at all (at least until ISP stops this comprehensive filtering).

Thanks again for commenting on the exercise by ISP.

-Pete


"Inanimate objects are classified scientifically into three major
categories - those that don't work, those that break down and those
that get lost."
                 Russell Baker (b. 1925); US journalist.



list-bounces at dshield.org wrote on Wednesday, August 13, 2003 3:00 PM:
on behalf of: Peter Stendahl-Juvonen
[peter.stendahl-juvonen at welho.com]

| RE: ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster,
| W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after
| 
| list-bounces at dshield.org wrote on Wednesday, August 13, 2003 4:17 AM:
| on behalf of: Craig Shaw
| [CraigS at caamb.mb.ca]
| 
| Craig,
| 
| Right you are.
| 
|| -snip-
|| Still, if they were blocking internal traffic but leaving the outside
|| stuff still wide open, I would expect you to still see a lot of
|| traffic on your firewall. 
|| -snip-
| 
| 
| 1) Traffic on firewall (during an eleven-hour period after ISP's
| "internal traffic" filtering was applied) shows:
| 
| 120 hits targeted to port 135 (Service: RPC Remote Procedure Call,
| Transport: TCP (flags:S)).
| 
| 11 hits targeted to port 445 (Service: MSFT DS, SMB Server Message
| Block, Transport: TCP (flags:S)).
| 
| 6 hits targeted to port 139 (NETBIOS Session Service, Transport: TCP
| (flags:S)).
| 
| 
| 2) Not a single hit attempt originates from other subscribers of
| this same ISP.
| (Number of subscribers: several tens of thousands.)
| 
| 
| When ISP applies this kind of filtering, fellow [ISP] subscribers are
| no longer reported to DShield in my logs.  ;=)
| 
| Thanks again
| Pete
| 
| 
|         "Ask a question and you are a fool for one minute.
|         Don't ask a question and you are a fool forever."
|                         Chinese Proverb.
| 
| 