[unisog] anyone else seeing lots of popup spam/malware?

PaulFM paulfm at me.umn.edu
Wed Oct 26 21:12:45 GMT 2005


You might get the powerful to listen with Microsoft's own recommendations:

Checklist: Securing Your Network
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod88.asp>

A quote from the above:
"Packet filtering policy blocks all but required traffic in both directions.
Application-specific filters are in place to restrict unnecessary traffic."





Peter Van Epp wrote:

> On Wed, Oct 26, 2005 at 02:03:44PM -0400, Gary Flynn wrote:
> 
>>Peter Van Epp wrote:
>>
>>
>>>	One point of interest, they seem to only be targeting our class B (we
>>>also have around 16 Cs spread around various ranges). I just added a permit
>>>but log access list in my border router which should tell me if there is any
>>>legit traffic to udp port 0 (I doubt it, but we will see) and if not an 
>>>inbound block is in order on general principles.
>>
>>
>>We've been blocking both TCP and UDP traffic sourced
>>from port zero or destined to port 0 quite a while
>>without any *known* ill effects.
>>
>>We've been using Cisco reflexive ACLs to prohibit
>>unsolicited UDP traffic to ports 1024-1050 for about
>>18 months without any *known* ill effects. These
>>were put in to cut out the pop up Messenger spam
>>and also to help protect Windows RPC services.
>>
>>On outbound side:
>>permit udp 134.126.0.0 0.0.255.255 range 1024 1050 any reflect reflexive-list timeout 300
>>
>>On inbound side:
>>evaluate reflexive-list
>>deny   udp any       134.126.0.0   0.0.255.255 range 1024 1050
>>
>>On an unrelated note, I've seen incoming scans that are sent
>>with a source port of zero.
> 
> 
> 	That's not unrelated, but is exactly these scans :-). Myself I'd love
> to block all those ports, but the only way I will get permission is to 
> demonstrate from the argus logs (17 breakins in 20 days on the netbios ports
> before agreement to block them off campus except for the politically powerful
> but at least with a written agreement of keeping secure ...). This particular 
> set of scans doesn't appear to be getting any response which makes it hard to 
> argue they should be blocked (except on grounds of common sense but that has 
> no bearing around here :-)). Around here there are all sorts of odd devices 
> that may use any old port (although I admit I haven't seen 0 so far) and we all 
> know that Microsoft believes standard track RFCs are at best advisory if it's
> not inconvenient (and violating them doesn't produce a lock in to Microsoft
> and/or their lawyers can argue they are meeting the RFC for some value of 
> meet perhaps not the one you or I would use  ...) 
> 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
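The reflexive-ACL policy quoted from Gary Flynn above, modelled in Python as an added example (not IOS code and not written by anyone on the thread): outbound UDP from 134.126.0.0/16 with source ports 1024-1050 opens a mirror entry with a 300 second timeout, inbound UDP is permitted only through a live entry, and unsolicited UDP to 1024-1050 (the Messenger pop-up vector) or anything using port 0 is dropped. The idle-timeout refresh and the "continue" verdict for packets the quoted lines do not decide are modelling assumptions, as are the sample addresses.

```python
import ipaddress

# Values taken from the quoted ACL lines; IOS wildcard 0.0.255.255 == /16
INSIDE = ipaddress.ip_network("134.126.0.0/16")
EPHEMERAL = range(1024, 1051)   # "range 1024 1050" is inclusive in IOS
TIMEOUT = 300                   # "timeout 300" seconds


class ReflexiveFilter:
    """Stateful model of 'reflect reflexive-list' / 'evaluate reflexive-list'."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> expiry timestamp
        self.entries = {}

    def outbound(self, src, sport, dst, dport, now):
        """Inside -> outside packet. Returns the ACL verdict as a string."""
        if sport == 0 or dport == 0:            # port-0 block discussed in the thread
            return "deny"
        if ipaddress.ip_address(src) in INSIDE and sport in EPHEMERAL:
            # 'reflect reflexive-list': open a temporary entry for the reply direction
            self.entries[(src, sport, dst, dport)] = now + TIMEOUT
        return "permit"

    def inbound(self, src, sport, dst, dport, now):
        """Outside -> inside packet, evaluated in the order the quoted ACL uses."""
        if sport == 0 or dport == 0:
            return "deny"
        key = (dst, dport, src, sport)          # mirror of the outbound 5-tuple
        expiry = self.entries.get(key)
        if expiry is not None and now < expiry:
            # 'evaluate reflexive-list': reply to traffic we sent; refresh the timer
            self.entries[key] = now + TIMEOUT   # (assumption: idle-timeout semantics)
            return "permit"
        if expiry is not None:
            del self.entries[key]               # stale entry aged out
        if ipaddress.ip_address(dst) in INSIDE and dport in EPHEMERAL:
            # 'deny udp any 134.126.0.0 0.0.255.255 range 1024 1050': unsolicited UDP,
            # which is how the Messenger pop-up spam arrives
            return "deny"
        return "continue"                       # left to later lines of the inbound ACL


if __name__ == "__main__":
    acl = ReflexiveFilter()
    # Constructed packets: a pop-up spam attempt, then a DNS query and its reply
    print(acl.inbound("203.0.113.9", 40000, "134.126.1.10", 1026, now=0))   # deny
    print(acl.outbound("134.126.1.10", 1030, "198.51.100.5", 53, now=0))    # permit
    print(acl.inbound("198.51.100.5", 53, "134.126.1.10", 1030, now=100))   # permit
    print(acl.inbound("198.51.100.5", 53, "134.126.1.10", 1030, now=401))   # deny (aged out)
```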

