[unisog] anyone else seeing lots of popup spam/malware?

PaulFM paulfm at me.umn.edu
Wed Oct 26 21:12:45 GMT 2005

You might get the powerful to listen with Microsoft's own recommendations:

Checklist: Securing Your Network

A quote from the above:
"Packet filtering policy blocks all but required traffic in both directions.
Application-specific filters are in place to restrict unnecessary traffic."

Peter Van Epp wrote:

> On Wed, Oct 26, 2005 at 02:03:44PM -0400, Gary Flynn wrote:
>>Peter Van Epp wrote:
>>>	One point of interest, they seem to only be targeting our class B (we
>>>also have around 16 Cs spread around various ranges). I just added a permit
>>>but log access list in my border router which should tell me if there is any
>>>legit traffic to udp port 0 (I doubt it, but we will see) and if not an 
>>>inbound block is in order on general principles.
>>We've been blocking both TCP and UDP traffic sourced
>>from port zero or destined to port 0 quite a while
>>without any *known* ill effects.
>>We've been using Cisco reflexive ACLs to prohibit
>>unsolicited UDP traffic to ports 1024-1050 for about
>>18 months without any *known* ill effects. These
>>were put in to cut out the pop up Messenger spam
>>and also to help protect Windows RPC services.
>>On outbound side:
>>permit udp range 1024 1050 any reflect 
>>reflexive-list timeout 300
>>On inbound side:
>>evaluate reflexive-list
>>deny   udp any range 1024 1050
>>On an unrelated note, I've seen incoming scans that are sent
>>with a source port of zero.
> 	That's not unrelated, but is exactly these scans :-). Myself I'd love
> to block all those ports, but the only way I will get permission is to 
> demonstrate from the argus logs (17 breakins in 20 days on the netbios ports
> before agreement to block them off campus except for the politically powerful
> but at least with a written agreement of keeping secure ...). This particular 
> set of scans doesn't appear to be getting any response which makes it hard to 
> argue they should be blocked (except on grounds of common sense but that has 
> no bearing around here :-)). Around here there are all sorts of odd devices 
> that may use any old port (although I admit I haven't seen 0 so far) and we all 
> know that Microsoft believes standard track RFCs are at best advisory if it's
> not inconvenient (and violating them doesn't produce a lock in to Microsoft
> and/or their lawyers can argue they are meeting the RFC for some value of 
> meet perhaps not the one you or I would use  ...) 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
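The reflexive-ACL behaviour quoted above (permit outbound UDP from 1024-1050, let only matching replies back in for 300 s, deny the rest, plus the port-0 block) can be checked offline against flow records before committing it to a router. The following is an added example, not part of the thread and not Cisco's or argus's code; the flow format and the sample records are constructed for the illustration.

```python
from dataclasses import dataclass

REFLEXIVE_TIMEOUT = 300              # seconds, as in the quoted ACL
EPHEMERAL_RANGE = range(1024, 1051)  # udp ports 1024-1050 from the quoted ACL

@dataclass(frozen=True)
class Flow:
    ts: float        # epoch seconds (constructed format, not argus's)
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = leaving campus, "in" = entering campus

def classify_inbound(flows):
    """Label each inbound flow the way the quoted ACL order would:
    port-0 deny, then 'evaluate reflexive-list', then
    'deny udp any range 1024 1050', else permit."""
    reflexive = {}   # (inside host, inside port, outside host, outside port) -> expiry
    results = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.direction == "out":
            if f.proto == "udp" and f.sport in EPHEMERAL_RANGE:
                reflexive[(f.src, f.sport, f.dst, f.dport)] = f.ts + REFLEXIVE_TIMEOUT
            continue
        if f.sport == 0 or f.dport == 0:                 # source/destination port 0
            results.append(("deny-port0", f))
            continue
        key = (f.dst, f.dport, f.src, f.sport)           # reverse of the outbound tuple
        if f.proto == "udp" and f.dport in EPHEMERAL_RANGE:
            if reflexive.get(key, 0) >= f.ts:
                reflexive[key] = f.ts + REFLEXIVE_TIMEOUT  # assumed: entry refreshed on use
                results.append(("permit-reflexive", f))
            else:
                results.append(("deny-unsolicited", f))  # e.g. Messenger popup spam
        else:
            results.append(("permit", f))
    return results

SAMPLE_FLOWS = [  # constructed sample traffic using documentation address ranges
    Flow(0,   "udp", "10.1.2.3", 1030, "198.51.100.7", 53, "out"),   # campus DNS query
    Flow(1,   "udp", "198.51.100.7", 53, "10.1.2.3", 1030, "in"),    # matching reply
    Flow(2,   "udp", "203.0.113.9", 1026, "10.1.2.3", 1026, "in"),   # unsolicited udp/1026
    Flow(400, "udp", "198.51.100.7", 53, "10.1.2.3", 1030, "in"),    # reply after timeout
    Flow(401, "udp", "203.0.113.9", 0, "10.1.2.3", 1027, "in"),      # source port 0 scan
    Flow(402, "tcp", "203.0.113.9", 4444, "10.1.2.3", 80, "in"),     # tcp, untouched by rule
]

def decisions(flows=SAMPLE_FLOWS):
    return [label for label, _ in classify_inbound(flows)]
```

Feeding real flow records through `classify_inbound` and counting `deny-unsolicited` hits per destination host is the kind of evidence Peter describes needing before an inbound block is agreed.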
