[Dshield] Re: Possible variant of Blaster/Nachi/Welchia? (more)
pierre.baudet at newbalance.com
Sat Sep 27 11:47:53 GMT 2003
>While I'm at it, let me assume someone compromised a port that's been in
>use by something legit. I can't very well close that port without
>shutting off access to the legit service, so how can I protect the
>network in those instances?
Right, that's the limit of port-blocking right there. Next you need to
look into protocol scanning (Intrusion detection aka IDS) and its evil
twin: Intrusion prevention (aka IPS). That's when signatures/patterns come
in and you start spending gobs of time checking out network activity on
There are many IDS resources (not so many IPS...) out there depending on
the kind of shop you are (GPL vs. commercial).
P.S. Of course this could also prompt the age-old debate over
application-proxy firewalls, but I digress...
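As an added illustration of the point above (not code from this list or any poster): once a port carries legitimate traffic, the only thing left to look at is the pattern of that traffic. The script below applies that idea to the once-per-hour NTP check quoted further down in the thread, flagging hosts whose 123/udp requests recur on an hourly cadence. Flow records, addresses and thresholds are all constructed for the example.

```python
"""Flag hosts whose NTP (123/udp) requests recur at a fixed hourly cadence."""
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not real captures): "timestamp src dst proto dport"
SAMPLE_FLOWS = """\
2003-09-26T10:00:02 10.0.0.5 192.168.1.1 udp 123
2003-09-26T10:00:05 10.0.0.5 198.51.100.7 udp 53
2003-09-26T11:00:01 10.0.0.5 192.168.1.1 udp 123
2003-09-26T12:00:03 10.0.0.5 192.168.1.1 udp 123
2003-09-26T13:00:00 10.0.0.5 192.168.1.1 udp 123
2003-09-26T10:00:10 10.0.0.9 192.168.1.1 udp 123
2003-09-26T10:17:44 10.0.0.9 192.168.1.1 udp 123
2003-09-26T14:22:01 10.0.0.9 192.168.1.1 udp 123
"""


def parse_flows(text):
    """Turn one-record-per-line flow text into (datetime, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto, int(dport)))
    return flows


def ntp_intervals(flows):
    """Per source host, the gaps in seconds between consecutive 123/udp requests."""
    times = defaultdict(list)
    for ts, src, _dst, proto, dport in flows:
        if proto == "udp" and dport == 123:
            times[src].append(ts)
    gaps = {}
    for src, stamps in times.items():
        stamps.sort()
        gaps[src] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps


def periodic_ntp_hosts(flows, period=3600, tolerance=60, min_gaps=3):
    """Hosts whose NTP requests all repeat every `period` seconds (+/- tolerance).

    `period`, `tolerance` and `min_gaps` are assumed triage thresholds, not
    values taken from any advisory.
    """
    hits = []
    for src, gaps in ntp_intervals(flows).items():
        regular = [g for g in gaps if abs(g - period) <= tolerance]
        if len(regular) >= min_gaps and len(regular) == len(gaps):
            hits.append(src)
    return sorted(hits)
```

A hit is a triage lead, not a verdict: well-behaved time clients also poll on a schedule, so the flagged host still has to be checked against what it is supposed to be running.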
Alan Frayer <afrayer at frayernet.com>
Sent by: list-bounces at dshield.org
09/27/2003 06:07 AM
Please respond to General DShield Discussion List
To: General DShield Discussion List <list at dshield.org>
Subject: Re: [Dshield] Re: Possible variant of
On Fri, 2003-09-26 at 14:08, Steven D. Smith wrote:
> Unlike W32.Sobig.E at mm, Sobig.F will not open the following ports to
> listen for incoming UDP
> datagrams, as was previously reported.
> Network administrators should do the following:
> Block outbound traffic on port 8998/udp.
> Monitor NTP requests (port 123/udp), as these could be coming
> from infected computers.
> (The frequency of such checks for an infected computer should
> be once per hour.)
I suppose I'm late getting in the game, but for those of us keeping
score, is there a list somewhere of ports net admins should be blocking?
I thought I had them covered, but people keep mentioning some higher UDP
ports that I'm not so sure about, and I know that I don't know which
ones have been compromised.
While I'm at it, let me assume someone compromised a port that's been in
use by something legit. I can't very well close that port without
shutting off access to the legit service, so how can I protect the
network in those instances?
Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region
If you would like to discuss an opportunity with me, please e-mail.