ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster, W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after
peter.stendahl-juvonen at welho.com
Thu Aug 14 15:03:38 GMT 2003
RE: ISP reacts against Lovsan (alias: MSBlast, Poza,
Blaster,W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after
Craig, et al.
Noticed today, that filtering applied by ISP as of today (Aug. 14
morning GMT+3, onwards) ALSO for "outside" [ISP's address range]
Do not know whether the two-step approach was intentional or not.
The conclusion is that from now on I do not see this stuff on my
firewall at all (at least until ISP stops this comprehensive filtering).
Thanks again for commenting the exercise by ISP.
"Inanimate objects are classified scientifically into three major
-those that don't work, those that break down and those that get
Russell Baker (b. 1925); US journalist.
list-bounces at dshield.org <mailto:list-bounces at dshield.org> wrote on
Wednesday, August 13, 2003 3:00 PM: on behalf of: Peter Stendahl-Juvonen
[peter.stendahl-juvonen at welho.com]
| RE: ISP reacts against Lovsan (alias: MSBlast, Poza, Blaster,
| W32/Msblast, Lovesun) WAS: RE: [Dshield] DCOM morning after
| list-bounces at dshield.org <mailto:list-bounces at dshield.org> wrote on
| Wednesday, August 13, 2003 4:17 AM: on behalf of: Craig Shaw
| [CraigS at caamb.mb.ca]
| Right you are.
|| Still, if they were blocking internal traffic but leaving the outside
|| stuff still wide open, I would expect you to still see a lot of
|| traffic on your firewall.
| 1) Traffic on firewall (during an eleven hrs period after ISP's
| "internal traffic" filtering applied) show:
| 120 hits targeted to port 135 (Service: RPC Remote Procedure Call,
| Transport: TCP (flags:S)).
| 11 hits targeted to port 445 (Service: MSFT DS, SMB Server Message
| Block, Transport: TCP (flags:S)).
| 6 hits targeted to port 139 (NETBIOS Session Service, Transport: TCP
| 2) Not a single one hit attempt originates from other subscribers of
| this same ISP.
| (Number of subscribers several tens of thousands.)
| When ISP applies this kind of filtering, fellow [ISP] subscribers no
| longer reported to DShield in my logs. ;=)
| Thanks again
| "Ask a question and you are a fool for one minute.
| Don't ask a question and you are a fool forever."
| Chinese Proverb.
More information about the list