[Dshield] Re: Possible variant of Blaster/Nachi/Welchia? (more)

Pierre Baudet pierre.baudet at newbalance.com
Sat Sep 27 11:47:53 GMT 2003


>While I'm at it, let me assume someone compromised a port that's been in
>use by something legit. I can't very well close that port without
>shutting off access to the legit service, so how can I protect the
>network in those instances?

Right, that's the limit of port-blocking right there. Next you need to 
look into protocol scanning (intrusion detection, aka IDS) and its evil 
twin: intrusion prevention (aka IPS). That's when signatures/patterns come 
in and you start spending gobs of time checking out network activity on 
each segment.

There are many IDS resources (not so many IPS...) out there depending on 
the kind of shop you are (GPL vs. commercial).

P.S. Of course this could also prompt the age-old debate over 
application-proxy firewalls, but I digress...





Alan Frayer <afrayer at frayernet.com>
Sent by: list-bounces at dshield.org
09/27/2003 06:07 AM
Please respond to General DShield Discussion List
 
        To:     General DShield Discussion List <list at dshield.org>
        cc: 
        Subject:        Re: [Dshield] Re: Possible variant of Blaster/Nachi/Welchia? (more)


On Fri, 2003-09-26 at 14:08, Steven D. Smith wrote:
>  
>    Unlike W32.Sobig.E@mm, Sobig.F will not open the following ports to 
>    listen for incoming UDP datagrams, as was previously reported.  
>          995/udp  
>          996/udp  
>          997/udp  
>          998/udp  
>          999/udp  
>  
>  
>    Network administrators should do the following:   
>          Block outbound traffic on port 8998/udp.   
>          Monitor NTP requests (port 123/udp), as these could be coming 
>          from infected computers. 
>          (The frequency of such checks for an infected computer should 
>          be once per hour.) 

I suppose I'm late getting in the game, but for those of us keeping
score, is there a list somewhere of ports net admins should be blocking?
I thought I had them covered, but people keep mentioning some higher UDP
ports that I'm not so sure about, and I know that I don't know which
ones have been compromised.

While I'm at it, let me assume someone compromised a port that's been in
use by something legit. I can't very well close that port without
shutting off access to the legit service, so how can I protect the
network in those instances?

________________________________________________________________________
Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region
If you would like to discuss an opportunity with me, please e-mail.
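The quoted advisory gives two concrete things to watch for: outbound 8998/udp, and hosts sending NTP (123/udp) requests on a regular hourly cadence. As an added example (not code from anyone in this thread), here is a small Python script that applies both checks to firewall log lines. The log format, the sample lines and the host addresses are all constructed for illustration; adjust parse_line() to whatever your firewall or IDS actually emits.

```python
"""Detection sketch for the two Sobig.F network indicators quoted above.

Assumptions (constructed for this example, not a real log format):
  one event per line: "<ISO timestamp> <src> <dst> <proto> <dport> <action>"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic).
# 10.0.0.5 polls NTP roughly once an hour, 10.0.0.7 polls at an irregular
# interval, and 10.0.0.9 sends outbound 8998/udp.
SAMPLE_LOG = """\
2003-09-26T10:00:02 10.0.0.5 192.0.2.10 udp 123 ALLOW
2003-09-26T11:00:04 10.0.0.5 192.0.2.10 udp 123 ALLOW
2003-09-26T12:00:01 10.0.0.5 192.0.2.11 udp 123 ALLOW
2003-09-26T10:00:00 10.0.0.7 192.0.2.10 udp 123 ALLOW
2003-09-26T10:17:00 10.0.0.7 192.0.2.10 udp 123 ALLOW
2003-09-26T10:00:30 10.0.0.9 198.51.100.4 udp 8998 ALLOW
2003-09-26T10:01:00 10.0.0.9 198.51.100.4 tcp 80 ALLOW
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, src, dst, proto, dport, action = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "proto": proto,
        "dport": int(dport),
        "action": action,
    }


def parse_log(text):
    """Parse every non-blank line of a log blob."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def hosts_using_port(events, proto, dport):
    """Sources that sent any traffic to the given protocol/port (e.g. udp/8998)."""
    return sorted({e["src"] for e in events if e["proto"] == proto and e["dport"] == dport})


def hourly_ntp_hosts(events, period=timedelta(hours=1),
                     tolerance=timedelta(minutes=5), min_intervals=2):
    """Sources whose 123/udp requests recur at roughly the given period.

    A host is flagged once at least `min_intervals` consecutive gaps between
    its NTP requests fall within `tolerance` of `period`.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "udp" and e["dport"] == 123:
            by_src[e["src"]].append(e["ts"])

    flagged = []
    for src, times in by_src.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - period) <= tolerance]
        if len(periodic) >= min_intervals:
            flagged.append(src)
    return sorted(flagged)


def report(log_text):
    """Run both checks and return the findings as a dict."""
    events = parse_log(log_text)
    return {
        "outbound_8998_udp": hosts_using_port(events, "udp", 8998),
        "hourly_ntp": hourly_ntp_hosts(events),
    }


if __name__ == "__main__":
    for name, hosts in report(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(hosts) or 'none'}")
```

The 8998/udp check is the strong indicator; the hourly-NTP check is only a lead, because plenty of legitimate NTP clients also poll on a fixed schedule. Treat a host that trips both as worth pulling off the segment, and a host that trips only the NTP check as one to compare against your known time-sync clients before acting.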

