[unisog] anyone else seeing lots of popup spam/malware?

Peter Van Epp vanepp at sfu.ca
Wed Oct 26 19:35:37 GMT 2005


On Wed, Oct 26, 2005 at 02:03:44PM -0400, Gary Flynn wrote:
> Peter Van Epp wrote:
> 
> > 	One point of interest, they seem to only be targeting our class B (we
> > also have around 16 Cs spread around various ranges). I just added a permit
> > but log access list in my border router which should tell me if there is any
> > legit traffic to udp port 0 (I doubt it, but we will see) and if not an 
> > inbound block is in order on general principles.
> 
> 
> We've been blocking both TCP and UDP traffic sourced
> from port zero or destined to port 0 quite a while
> without any *known* ill effects.
> 
> We've been using Cisco reflexive ACLs to prohibit
> unsolicited UDP traffic to ports 1024-1050 for about
> 18 months without any *known* ill effects. These
> were put in to cut out the pop up Messenger spam
> and also to help protect Windows RPC services.
> 
> On outbound side:
> permit udp 134.126.0.0 0.0.255.255 range 1024 1050 any reflect 
> reflexive-list timeout 300
> 
> On inbound side:
> evaluate reflexive-list
> deny   udp any       134.126.0.0   0.0.255.255 range 1024 1050
> 
> On an unrelated note, I've seen incoming scans that are sent
> with a source port of zero.

	That's not unrelated, but is exactly these scans :-). Myself I'd love
to block all those ports, but the only way I will get permission is to 
demonstrate from the argus logs (17 break-ins in 20 days on the netbios ports
before agreement to block them off campus except for the politically powerful
but at least with a written agreement of keeping secure ...). This particular 
set of scans doesn't appear to be getting any response which makes it hard to 
argue they should be blocked (except on grounds of common sense but that has 
no bearing around here :-)). Around here there are all sorts of odd devices 
that may use any old port (although I admit I haven't seen 0 so far) and we all 
know that Microsoft believes standard track RFCs are at best advisory if it's
not inconvenient (and violating them doesn't produce a lock in to Microsoft
and/or their lawyers can argue they are meeting the RFC for some value of 
meet, perhaps not the one you or I would use ...) 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
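A small model of how the reflexive ACL pair quoted above behaves, added here as an example and not part of this thread. The campus range (134.126.0.0 with wildcard 0.0.255.255), the UDP port range 1024-1050 and the 300 second timeout are taken from the quoted ACL lines; the addresses, ports and timestamps in the demo are constructed, and the model assumes the timeout is an idle timeout refreshed by matching return traffic.

```python
import ipaddress

# Values from the quoted ACL: "permit udp 134.126.0.0 0.0.255.255 range 1024 1050 any
# reflect reflexive-list timeout 300" / "evaluate reflexive-list" /
# "deny udp any 134.126.0.0 0.0.255.255 range 1024 1050"
CAMPUS = ipaddress.ip_network("134.126.0.0/16")
PORT_RANGE = range(1024, 1051)
TIMEOUT = 300  # assumed to behave as an idle timeout, refreshed by matching traffic


class ReflexiveFilter:
    """Toy model of the outbound 'reflect' entry and the inbound 'evaluate' + 'deny' pair."""

    def __init__(self):
        # (campus_ip, campus_port, remote_ip, remote_port) -> expiry time
        self.sessions = {}

    def outbound(self, src, sport, dst, dport, now):
        # Outbound UDP from a campus host in the port range creates a mirror entry.
        if ipaddress.ip_address(src) in CAMPUS and sport in PORT_RANGE:
            self.sessions[(src, sport, dst, dport)] = now + TIMEOUT
        return "permit"

    def inbound(self, src, sport, dst, dport, now):
        # "evaluate reflexive-list": allow only if a live mirror entry exists.
        key = (dst, dport, src, sport)
        expiry = self.sessions.get(key)
        if expiry is not None and now <= expiry:
            self.sessions[key] = now + TIMEOUT  # refresh idle timer
            return "permit (reflexive)"
        # "deny udp any <campus> range 1024 1050": unsolicited traffic to the range is dropped.
        if ipaddress.ip_address(dst) in CAMPUS and dport in PORT_RANGE:
            return "deny"
        # Anything else falls through to later ACL lines (assumed permit in this model).
        return "permit"


def demo():
    """Constructed traffic: a DNS reply, an unsolicited Messenger-style probe, a stale reply, and an out-of-range packet."""
    f = ReflexiveFilter()
    f.outbound("134.126.10.20", 1030, "198.51.100.5", 53, now=0)
    reply = f.inbound("198.51.100.5", 53, "134.126.10.20", 1030, now=10)
    probe = f.inbound("203.0.113.9", 0, "134.126.10.21", 1026, now=10)
    stale = f.inbound("198.51.100.5", 53, "134.126.10.20", 1030, now=400)
    other = f.inbound("203.0.113.9", 1026, "134.126.10.21", 8080, now=10)
    return reply, probe, stale, other


if __name__ == "__main__":
    print(demo())
```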
