135 and 445 on TCP and UDP are the ones to block. Ports 137, 138, 139 are related to the services provided on 135.
From this page - http://seclists.org/lists/vulnwatch/2003/Jul-Sep/0039.html - "TCP ports 135, 139, 445 and 593 can be used as remote attack vectors". Check out http://www.cert.org/advisories/CA-2003-23.html where they talk about these ports too.

Dan

See http://www.seifried.org/security/ports/

----- Original Message -----
From: "Pascal Losier" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 26, 2003 8:46 PM
Subject: RE: [smartBridges] Virus attacks

> When you say "We have now blocked 135, 136, 137, 138, 139, 445, and 593
> in and out bound ports at our main router."
>
> Did you block all protocols or only a few ... TCP, UDP, ICMP?
>
> Which protocol should I block?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Virtual North
> Sent: Wednesday, November 26, 2003 1:07 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [smartBridges] Virus attacks
>
> I had to deal with this just recently.
>
> Shutting down their link to your AP works ;-)
>
> Blaster, Nachi and their variants are the problem. They first rear
> their ugly heads but put out a flood of ICMP echoes on the systems. I
> can watch in on our router .... the ports it spoofs are 256 and 512 but
> we can't block ICMP traffic on the router so ...
>
> The ICMP flood will bring your network to a crawl and cause other
> customers' connections to drop right off. These ping echoes are looking
> for a new machine to infect - each ping probes an IP and the next probes
> the next IP up from that. Once the virus finds a vulnerable machine it
> THEN connects through ports 135 or 445 to pass the infection along.
>
> If the virus is already on your network then as soon as someone connects
> a new computer (sans service packs) it often gets infected before the
> service packs can be applied.
>
> We have now blocked 135, 136, 137, 138, 139, 445, and 593 in and out
> bound ports at our main router.
>
> Outgoing ports 135 and 445 can be blocked at the customer's end too. It's
> especially easy with Windows 2003 Server. I don't know about the cheaper
> routers though.
>
> Software firewalls can help too, e.g. the free version of ZoneAlarm can
> be installed on the infected machine since ZoneAlarm, unlike many of
> the cheaper hardware firewalls in broadband routers, will block unauthorized
> outgoing traffic. ZoneAlarm, for example, once loaded will report that
> dllhost.exe (the infected file) is trying to access the network - it
> should not be allowed through.
>
> One of my customers running an older system reports that ZoneAlarm seems
> to be bogging it down.
>
> The bottom line is that the viruses have to be cleaned off immediately,
> an outbound firewall installed, or your customer should be disconnected
> until they remove the virus.
>
> Others may have some clarifications or other insights into this.
>
> I hope this helps
>
> Dan Good
> Virtual North Inc.
>
> ----- Original Message -----
> From: "John K. McReynolds" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, November 26, 2003 10:00 AM
> Subject: Re: [smartBridges] Virus attacks
>
> > Andrew,
> > When you say it brings your network down, does it reduce it to a crawl or does
> > it affect the signal coming from the AP (effectively making the AP "beacon" for
> > a while, on/off/on/off, then lose signal from the AP totally)? We are having
> > similar issues and I am having one heck of a time figuring out what is
> > happening...
> >
> > Thanks,
> >
> > JOHN
> >
> > Quoting Andrew Goble <[EMAIL PROTECTED]>:
> >
> > ><x>
>
> The PART-15.ORG smartBridges Discussion List
> To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges <yournickname>
> To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges)
> Archives: http://archives.part-15.org
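
Added example, not part of the original thread: a Python check that flags the behaviour described above (ICMP echoes walking up consecutive addresses, followed by a connection to TCP 135 or 445 on a host that was pinged) from router flow records. The record layout, the sample flows, the MIN_RUN threshold and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

WORM_PORTS = {135, 445}  # TCP ports the thread names as the infection path
MIN_RUN = 5              # assumed threshold: consecutive addresses pinged in order

# Constructed sample flow records: (seconds, src, dst, proto, dst_port or None)
SAMPLE_FLOWS = (
    [(i, "10.0.5.23", f"10.0.9.{10 + i}", "icmp", None) for i in range(8)]
    + [(9, "10.0.5.23", "10.0.9.14", "tcp", 135),     # follow-up to a pinged host
       (10, "10.0.5.40", "10.0.9.1", "icmp", None),   # ordinary, unrelated pings
       (11, "10.0.5.40", "10.0.7.200", "icmp", None),
       (12, "10.0.5.41", "10.0.9.50", "tcp", 445)]    # port 445 use with no sweep
)

def longest_sequential_run(addresses):
    """Length of the longest run where each target is the previous address + 1."""
    best = run = 0
    prev = None
    for addr in addresses:
        cur = int(ipaddress.ip_address(addr))
        run = run + 1 if prev is not None and cur == prev + 1 else 1
        best = max(best, run)
        prev = cur
    return best

def find_suspect_hosts(flows, min_run=MIN_RUN):
    """Return {src: {"run": n, "followups": [(dst, port), ...]}} for sweeping hosts."""
    pings, connects = defaultdict(list), defaultdict(list)
    for ts, src, dst, proto, port in sorted(flows, key=lambda f: f[0]):
        if proto == "icmp":
            pings[src].append((ts, dst))
        elif proto == "tcp" and port in WORM_PORTS:
            connects[src].append((ts, dst, port))
    suspects = {}
    for src, sent in pings.items():
        run = longest_sequential_run(dst for _, dst in sent)
        if run < min_run:
            continue  # a few scattered pings are normal troubleshooting traffic
        first_ping = {dst: ts for ts, dst in reversed(sent)}  # earliest ping wins
        # Count only connections to a host this source had already pinged.
        followups = [(dst, port) for ts, dst, port in connects[src]
                     if dst in first_ping and first_ping[dst] <= ts]
        suspects[src] = {"run": run, "followups": followups}
    return suspects

if __name__ == "__main__":
    print(find_suspect_hosts(SAMPLE_FLOWS))
```

A host reported here with a long run and at least one follow-up is a candidate for the cleanup or disconnection steps discussed in the thread; a long run with no follow-ups may simply mean ports 135 and 445 are already blocked upstream.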
