[unisog] anyone else seeing lots of popup spam/malware?

Gary Flynn flynngn at jmu.edu
Wed Oct 26 18:03:44 GMT 2005

Peter Van Epp wrote:

> 	One point of interest, they seem to only be targeting our class B (we
> also have around 16 Cs spread around various ranges). I just added a permit
> but log access list in my border router which should tell me if there is any
> legit traffic to udp port 0 (I doubt it, but we will see) and if not an 
> inbound block is in order on general principles.

We've been blocking both TCP and UDP traffic sourced
from port zero or destined to port 0 for quite a while
without any *known* ill effects.

We've been using Cisco reflexive ACLs to prohibit
unsolicited UDP traffic to ports 1024-1050 for about
18 months without any *known* ill effects. These
were put in to cut out the pop up Messenger spam
and also to help protect Windows RPC services.

On outbound side:
permit udp range 1024 1050 any reflect reflexive-list timeout 300

On inbound side:
evaluate reflexive-list
deny   udp any range 1024 1050

On an unrelated note, I've seen incoming scans that are sent
with a source port of zero.

Gary Flynn
Security Engineer
James Madison University
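As an added illustration (not part of Gary Flynn's post or any Cisco code), the following Python snippet simulates the two filtering rules he describes: dropping anything with source or destination port 0, and a reflexive ACL that only admits inbound UDP to ports 1024-1050 when it mirrors an outbound UDP flow seen within the 300-second timeout. The packet records, addresses (RFC 5737 documentation ranges) and the `ReflexiveFilter` / `demo` names are constructed for the example.

```python
"""Added example: a toy model of port-0 blocking plus a Cisco-style
reflexive ACL for UDP ports 1024-1050, run over constructed packets.
It is not the router configuration itself, only a way to see what
the 'reflect ... timeout 300' / 'evaluate' pair admits and denies."""
from dataclasses import dataclass

REFLEX_TIMEOUT = 300            # seconds; mirrors "timeout 300" in the post
PROTECTED = range(1024, 1051)   # "range 1024 1050" is inclusive on IOS


@dataclass(frozen=True)
class Packet:
    ts: int          # seconds since an arbitrary epoch (constructed)
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = leaving campus, "in" = arriving from outside


class ReflexiveFilter:
    """State table keyed by the mirrored 5-tuple an inbound reply must match."""

    def __init__(self):
        # (proto, inside_addr, inside_port, outside_addr, outside_port) -> expiry ts
        self.table = {}

    def decide(self, pkt):
        # Port 0 is denied in both directions and for both protocols,
        # matching the "sourced from port zero or destined to port 0" block.
        if pkt.sport == 0 or pkt.dport == 0:
            return "deny-port0"

        if pkt.direction == "out":
            # Outbound UDP from 1024-1050 creates a reflexive entry that
            # permits the mirrored reply until the timeout expires.
            if pkt.proto == "udp" and pkt.sport in PROTECTED:
                key = ("udp", pkt.src, pkt.sport, pkt.dst, pkt.dport)
                self.table[key] = pkt.ts + REFLEX_TIMEOUT
            return "permit"

        # Inbound: "evaluate reflexive-list" first, then the static deny.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.table.get(key)
        if expiry is not None:
            if pkt.ts <= expiry:
                # Matching traffic refreshes the entry, as IOS does.
                self.table[key] = pkt.ts + REFLEX_TIMEOUT
                return "permit-reflexive"
            del self.table[key]          # stale entry, fall through to deny
        if pkt.proto == "udp" and pkt.dport in PROTECTED:
            return "deny-unsolicited"    # "deny udp any range 1024 1050"
        return "permit"                  # everything else is out of scope here


def run(packets):
    """Apply the filter in order and return one verdict per packet."""
    f = ReflexiveFilter()
    return [f.decide(p) for p in packets]


# Constructed traffic: a campus host (192.0.2.10) and two outside hosts.
SAMPLE = [
    Packet(0,   "udp", "192.0.2.10",  1030, "203.0.113.53", 53,   "out"),  # query
    Packet(5,   "udp", "203.0.113.53", 53,  "192.0.2.10",  1030, "in"),    # reply in time
    Packet(400, "udp", "203.0.113.53", 53,  "192.0.2.10",  1030, "in"),    # reply after timeout
    Packet(401, "udp", "203.0.113.7", 1026, "192.0.2.10",  1026, "in"),    # Messenger-style popup
    Packet(402, "udp", "203.0.113.9",    0, "192.0.2.10",  1027, "in"),    # scan from source port 0
    Packet(403, "tcp", "203.0.113.9", 40000, "192.0.2.10",  80,  "in"),    # ordinary web request
]


def demo():
    return run(SAMPLE)


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, demo()):
        print(f"t={pkt.ts:>3} {pkt.direction:<3} {pkt.proto} "
              f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

The fourth packet is the interesting one: it is UDP to 1026 with no prior outbound flow from that port, so the reflexive evaluation finds nothing and the static deny catches it, which is exactly how the rule set removes Messenger popup spam without breaking replies to campus-initiated traffic. Note the model keys entries on the full mirrored 5-tuple, so a reply from a different outside host than the one contacted is also treated as unsolicited.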

