I agree with what Lewis said.  Ports 135-139 and 445 are well known ports 
assigned to Windows networking and have no business being on the open Internet.

There should be a strong presumption that outbound traffic on these ports is 
malicious traffic from a worm like Blaster trying to propagate over the 
Internet.  Best case, a customer has misconfigured something to send LAN 
traffic over a WAN connection.

There are many pros and zero cons to blocking this traffic.  Do not get hung up 
on the word “blocked”.  This is not a Net Neutrality issue.  NetBIOS/SMB is LAN 
traffic not WAN traffic, if someone needs it to go site-to-site, then it should 
be inside something like a VPN.


From: Stefan Englhardt 
Sent: Tuesday, September 20, 2016 9:26 AM
To: af@afmug.com 
Subject: Re: [AFMUG] everyone should be blocking SMB ports

We say our customers: You get free unblocked access. So we dont block.

If we see a problem we block and notify the customer.

 

 

Von: Af [mailto:af-boun...@afmug.com] Im Auftrag von Dave
Gesendet: Dienstag, 20. September 2016 16:21
An: af@afmug.com
Betreff: Re: [AFMUG] everyone should be blocking SMB ports

 

+1

 

On 09/20/2016 09:12 AM, Jon Bruce wrote:

  +1

  On 9/20/2016 10:01 AM, Lewis Bergman wrote:

    I am a firm believer in the stance that as your ISP, I am not your mommy. 
We did no filtering or firewalling for our customers. The only exception being 
the blocking of certain traffic that had no business being on the open 
Internet. This is one of those things.

     

    On Tue, Sep 20, 2016, 7:21 AM Richard Strittmatter <rich...@mesh.net> wrote:

      We block, have for years and years..

       

      Richard Strittmatter

       

      From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mike Hammett
      Sent: Monday, September 19, 2016 11:59 AM


      To: af@afmug.com
      Subject: Re: [AFMUG] everyone should be blocking SMB ports

       

      Yes, block.



      -----
      Mike Hammett
      Intelligent Computing Solutions

      Midwest Internet Exchange

      The Brothers WISP






--------------------------------------------------------------------------

      From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
      To: af@afmug.com
      Sent: Monday, September 19, 2016 11:57:44 AM


      Subject: Re: [AFMUG] everyone should be blocking SMB ports

      Whats the WISP consensus on blocking those ports at the edge? also, whats 
the best religion? if Ford or Chevy better? Whats the greatest sports team?

       

      On Mon, Sep 19, 2016 at 11:50 AM, Zach Underwood <zunder1...@gmail.com> 
wrote:

        My work has its own IP address and get upstream from atnt and charter. 
The smb ports are not blocked.

        Zach Underwood (RHCE,RHCSA,RHCT,UACA)

        http://ZachUnderwood.me

        advance-networking.com

            

         

        On Sep 19, 2016 12:47 PM, "Josh Luthman" <j...@imaginenetworksllc.com> 
wrote:

          Cable/Telco probably.


          WISP?  I dunno...




           

          Josh Luthman
          Office: 937-552-2340
          Direct: 937-552-2343
          1100 Wayne St
          Suite 1337
          Troy, OH 45373

           

          On Mon, Sep 19, 2016 at 12:47 PM, Sean Heskett <af...@zirkel.us> 
wrote:

            i think everyone has been blocking those ports since 1998-ish (or 
at least you should be)

             

            -sean

             

             

            On Mon, Sep 19, 2016 at 10:22 AM, Zach Underwood 
<zunder1...@gmail.com> wrote:

              This was written from the view point of windows AD setup can 
affect home users  too since MS makes people use MS live accounts to log in to 
windows.

               

              Problem:

              Outside servers can get username/domain/password hash. Once a 
remote server has the login info they could connect to VPN, Office365 or an 
other service that using AD domain user info.

              See attachment for example. I got the example from a VM with a 
test account on it.




              Details:

              Microsoft based browsers like IE and Edge can be induced to make 
a outbound smb connection to a remote server. In this connection Microsoft will 
send over username, domain, and password hash. The remote server then can do a 
decryption of the password hash using brute force, password, dictionary and 
rainbow tables.  

               

              Fix:

              The fastest way to stop this is to block all of the smb networks 
ports on the edge firewall for incoming and outgoing. The ports are 137-138udp, 
137tcp,139tcp, 445tcp

               

              Sources:

              
http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/

              Testing site:

              https://msleak.perfect-privacy.com/

               

              -- 

              Zach Underwood (RHCE,RHCSA,RHCT,UACA)

              My website

              advance-networking.com

             

           





       

      -- 

      If you only see yourself as part of the team but you don't see your team 
as part of yourself you have already failed as part of the team.

   

 

-- 

Reply via email to