Sober's previous variants access NTP on port 37, so blocking port 123 (NTP) won't do anything. As long as the new variant follows the same pattern, block port 37 and SMTP from anything other than mail servers and you shold minimize the impact.
If your internal clients aren't using an internal time source, they should be. Set up a few BSD boxes or routers with NTP services and allow those and those only to sync time with an external source. Then even IF the variant uses port 123, it still won't be able to get out and check the time with its predefined server list because you would have locked down port 123 outbound to only 2 or so hosts. -J On 12/15/05, Curt Shaffer <[EMAIL PROTECTED]> wrote: > All, > > I am working on a plan to try and help minimize the effect of the possible > sober resurfacing on Jan. 5/6th. After reading the security focus article > that this worm relies on NTP to know when to release, I am wondering on the > feasibility of blocking NTP out to the internet that week except for the > certain devices that need it. Does anyone have input on this? > > Thanks > > Curt > > > > > > > > --------------------------------------------------------------------------- > --------------------------------------------------------------------------- > > --------------------------------------------------------------------------- ---------------------------------------------------------------------------
