[unisog] anyone else seeing lots of popup spam/malware?
flynngn at jmu.edu
Wed Oct 26 18:03:44 GMT 2005
Peter Van Epp wrote:
> One point of interest, they seem to only be targeting our class B (we
> also have around 16 Cs spread around various ranges). I just added a permit
> but log access list in my border router which should tell me if there is any
> legit traffic to udp port 0 (I doubt it, but we will see) and if not an
> inbound block is in order on general principles.
We've been blocking both TCP and UDP traffic sourced
from port zero or destined to port 0 for quite a while
without any *known* ill effects.
We've been using Cisco reflexive ACLs to prohibit
unsolicited UDP traffic to ports 1024-1050 for about
18 months without any *known* ill effects. These
were put in to cut out the pop up Messenger spam
and also to help protect Windows RPC services.
On outbound side:
permit udp 18.104.22.168 0.0.255.255 range 1024 1050 any reflect reflexive-list timeout 300
On inbound side:
remark evaluate line added to complete the fragment: reflected return-traffic entries are checked here
evaluate reflexive-list
deny udp any 22.214.171.124 0.0.255.255 range 1024 1050
On an unrelated note, I've seen incoming scans that are sent
with a source port of zero.
James Madison University
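The filtering policy described in the post (drop TCP/UDP with port 0 on either end; admit inbound UDP to 1024-1050 only when it answers an outbound UDP packet seen within the 300-second reflexive timeout), as an added Python simulation. This is not the poster's code and not a Cisco feature; the campus prefix 10.0.0.0/16, the Packet record, and the traffic sample are constructed for the example, and the refresh of a reflexive entry on a matching reply is an assumption about how the router behaves.

```python
"""Simulate a border router applying the post's two rules:
  1. deny tcp/udp with source or destination port 0, both directions
  2. permit udp CAMPUS range 1024 1050 any reflect LIST timeout 300 (outbound)
     evaluate LIST; deny udp any CAMPUS range 1024 1050 (inbound)
Added example, not code from the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

CAMPUS = ipaddress.ip_network("10.0.0.0/16")   # assumed stand-in for the site's class B
WATCHED_PORTS = range(1024, 1051)              # 1024-1050 inclusive, as in the ACL
REFLEX_TIMEOUT = 300                           # seconds, matching "timeout 300"


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float       # arrival time in seconds


class ReflexiveFilter:
    """Holds the reflexive entries: key = expected inbound 5-tuple, value = expiry time."""

    def __init__(self) -> None:
        self.reflex: Dict[Tuple[str, str, int, str, int], float] = {}

    def _expire(self, now: float) -> None:
        self.reflex = {k: exp for k, exp in self.reflex.items() if exp > now}

    def decide(self, pkt: Packet) -> str:
        self._expire(pkt.ts)
        # Rule 1: port 0 as source or destination is dropped regardless of direction.
        if pkt.sport == 0 or pkt.dport == 0:
            return "deny:port0"
        outbound = ipaddress.ip_address(pkt.src) in CAMPUS
        inbound = ipaddress.ip_address(pkt.dst) in CAMPUS
        if outbound and not inbound:
            # Outbound UDP from 1024-1050 creates a mirrored entry for the reply.
            if pkt.proto == "udp" and pkt.sport in WATCHED_PORTS:
                key = ("udp", pkt.dst, pkt.dport, pkt.src, pkt.sport)
                self.reflex[key] = pkt.ts + REFLEX_TIMEOUT
            return "permit:outbound"
        if inbound and not outbound:
            if pkt.proto == "udp" and pkt.dport in WATCHED_PORTS:
                key = ("udp", pkt.src, pkt.sport, pkt.dst, pkt.dport)
                if key in self.reflex:
                    # Assumed: a matching reply refreshes the entry's timeout.
                    self.reflex[key] = pkt.ts + REFLEX_TIMEOUT
                    return "permit:reflexive"
                return "deny:unsolicited-udp"
            return "permit:inbound"   # nothing in the post's rules touches other traffic
        return "permit:other"


# Constructed sample: a DNS-style exchange, Messenger-style spam, a port-0 scan,
# a late reply after the timeout, and unrelated inbound TCP.
SAMPLE: List[Packet] = [
    Packet("udp", "10.0.5.7", 1030, "198.51.100.9", 53, 0.0),
    Packet("udp", "198.51.100.9", 53, "10.0.5.7", 1030, 1.0),
    Packet("udp", "203.0.113.4", 1026, "10.0.5.8", 1026, 2.0),
    Packet("tcp", "203.0.113.4", 0, "10.0.5.9", 80, 3.0),
    Packet("udp", "198.51.100.9", 53, "10.0.5.7", 1030, 400.0),
    Packet("tcp", "203.0.113.4", 4000, "10.0.5.9", 135, 401.0),
]


def run(packets: List[Packet]) -> List[str]:
    """Return the router's decision for each packet, in order."""
    f = ReflexiveFilter()
    return [f.decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} @{pkt.ts:>5}  {verdict}")
```

The late reply at t=400 is denied because the entry created at t=0 (refreshed at t=1) expired at t=301; that is the behaviour the 300-second timeout buys, and also why a long-lived UDP session with a quiet gap longer than the timeout would be cut off at the border.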