[unisog] anyone else seeing lots of popup spam/malware?

Peter Van Epp vanepp at sfu.ca
Thu Oct 27 15:31:25 GMT 2005


	Turns out I was as usual incorrect. There are both a DNS request and
some skype traffic using udp source port of 0 in the argus logs overnight (as
I mentioned earlier, being able or willing to read RFCs is optional for certain
tcp stack writers). While I could decide this is wrong and block it anyway 
(possibly causing some odd intermittent problems) it seemed better to just 
block the 0 -> 1025/1026 udp traffic which will kill the scans we have been 
seeing. Years of looking at argus logs have led me to expect almost anything
to be coming in on our links at some time or another so blindly blocking isn't
necessarily a good idea (unless you could get a default deny policy in to start
which we couldn't).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Wed, Oct 26, 2005 at 01:04:10PM -0500, PaulFM wrote:
> I would check and do an inbound and outbound block of UDP < 1024 (0-1023 UDP)
> If you use NTP you will have to allow 123 ( and if you allow windows SMB file 
> sharing across your border you will also have to allow 137 + 139 + 445) and 
> of course 53 for DNS (and 500 if you are using certain VPNs).
> 
> 
> 
> Peter Van Epp wrote:
> 
> > 	One point of interest, they seem to only be targeting our class B (we
> > also have around 16 Cs spread around various ranges). I just added a permit
> > but log access list in my border router which should tell me if there is any
> > legit traffic to udp port 0 (I doubt it, but we will see) and if not an 
> > inbound block is in order on general principles.
> > 
> > Peter Van Epp / Operations and Technical Support 
> > Simon Fraser University, Burnaby, B.C. Canada
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/unisog
> 
> -- 
> ---------------------------------------------------------------------
> The views and opinions expressed above are strictly
> those of the author(s).  The content of this message has
> not been reviewed nor approved by any entity whatsoever.
> ---------------------------------------------------------------------
> Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
> ---------------------------------------------------------------------


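The two filters Peter weighs at the top of the thread (a blanket drop of UDP source port 0 versus dropping only 0 -> 1025/1026), run over constructed flow summaries. This is an added example, not code from the original posts; the record format is a simplified argus-like layout invented here, and the addresses and ports are made up.

```python
import re
from collections import namedtuple

# Constructed flow summaries in a simplified "proto src.sport -> dst.dport"
# form (argus-like, but invented for this example, not real captured logs).
SAMPLE_FLOWS = """\
udp 203.0.113.5.0 -> 192.0.2.17.1026
udp 203.0.113.5.0 -> 192.0.2.18.1025
udp 203.0.113.5.0 -> 192.0.2.19.1026
udp 198.51.100.9.0 -> 192.0.2.53.53
udp 198.51.100.22.0 -> 192.0.2.40.35123
udp 198.51.100.31.52000 -> 192.0.2.53.53
tcp 198.51.100.3.44000 -> 192.0.2.10.80
"""

Flow = namedtuple("Flow", "proto src sport dst dport")
FLOW_RE = re.compile(r"^(\w+)\s+(\S+)\.(\d+)\s+->\s+(\S+)\.(\d+)$")

def parse_flows(text):
    """Parse the simplified records; raise on a malformed line."""
    flows = []
    for line in text.strip().splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable flow record: {line!r}")
        proto, src, sport, dst, dport = m.groups()
        flows.append(Flow(proto, src, int(sport), dst, int(dport)))
    return flows

def blanket_sport0(flow):
    """The rule Peter decided against: drop all UDP with source port 0."""
    return flow.proto == "udp" and flow.sport == 0

def narrow_popup_block(flow):
    """The rule Peter applied: drop UDP sport 0 only when bound for 1025/1026."""
    return flow.proto == "udp" and flow.sport == 0 and flow.dport in (1025, 1026)

def evaluate(flows, rule):
    """Split flows into (dropped, permitted) under a rule."""
    dropped = [f for f in flows if rule(f)]
    return dropped, [f for f in flows if not rule(f)]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for name, rule in (("blanket sport 0", blanket_sport0),
                       ("0 -> 1025/1026", narrow_popup_block)):
        dropped, _ = evaluate(flows, rule)
        print(f"{name}: drops {len(dropped)} of {len(flows)} flows")
        for f in dropped:
            print(f"  {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

Against these records the blanket rule also drops the source-port-0 DNS query and the high-port flow, while the narrow rule drops only the three datagrams aimed at 1025/1026.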