I did block those ports, but how can I test if they are really blocked? Just want to make sure I did the right config in MikroTik ...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Virtual North
Sent: Wednesday, November 26, 2003 11:12 PM
To: [EMAIL PROTECTED]
Subject: Re: [smartBridges] Virus attacks

135 and 445 on TCP and UDP are the ones to block. Ports 137, 138, 139 are related to the services provided on 135.

From this page - http://seclists.org/lists/vulnwatch/2003/Jul-Sep/0039.html - "TCP ports 135, 139, 445 and 593 can be used as remote attack vectors".

Check out http://www.cert.org/advisories/CA-2003-23.html where they talk about these ports too.

Dan

See http://www.seifried.org/security/ports/

----- Original Message -----
From: "Pascal Losier" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 26, 2003 8:46 PM
Subject: RE: [smartBridges] Virus attacks

> When you say ''We have now blocked 135, 136, 137, 138, 139, 445, and
> 593 in and out bound ports at our main router.''
>
> Did you block all protocols or only a few... TCP, UDP, ICMP?
>
> Which protocol should I block?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Virtual North
> Sent: Wednesday, November 26, 2003 1:07 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [smartBridges] Virus attacks
>
> I had to deal with this just recently.
>
> Shut down their link to your AP works ;-)
>
> Blaster, Nachi and their variants are the problem. They first rear
> their ugly heads but put out a flood of ICMP echoes on the systems. I
> can watch it on our router .... the ports it spoofs are 256 and 512 but
> we can't block ICMP traffic on the router so ...
>
> The ICMP flood will bring your network to a crawl and cause other
> customers' connections to drop right off. These ping echoes are looking
> for a new machine to infect - each ping probes an IP and the next
> probes the next IP up from that. Once the virus finds a vulnerable
> machine it THEN connects through ports 135 or 445 to pass the
> infection along.
>
> If the virus is already on your network then as soon as someone
> connects a new computer (sans service packs) it often gets infected
> before the service packs can be applied.
>
> We have now blocked 135, 136, 137, 138, 139, 445, and 593 in and out
> bound ports at our main router.
>
> Outgoing ports 135 and 445 can be blocked at the customer's end too.
> It's especially easy with Windows 2003 Server. I don't know about the
> cheaper routers though.
>
> Software firewalls can help too, e.g. the free version of ZoneAlarm can
> be installed on the infected machine since ZoneAlarm, unlike many of the
> cheaper hardware firewalls in broadband routers, will block
> unauthorized outgoing traffic. ZoneAlarm for example once loaded will
> report that dllhost.exe (the infected file) is trying to access the
> network - it should not be allowed through.
>
> One of my customers running an older system reports that ZoneAlarm seems
> to be bogging it down.
>
> The bottom line is that the viruses have to be cleaned off
> immediately, an outbound firewall installed, or your customer should be
> disconnected until they remove the virus.
>
> Others may have some clarifications or other insights into this.
>
> I hope this helps
>
> Dan Good
> Virtual North Inc.
>
> ----- Original Message -----
> From: "John K. McReynolds" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, November 26, 2003 10:00 AM
> Subject: Re: [smartBridges] Virus attacks
>
> > Andrew,
> > When you say it brings your network down, does it reduce it to a crawl or does
> > it affect the signal coming from the AP (effectively making the AP "beacon" for
> > a while, on/off/on/off, then lose signal from the AP totally)? We are having
> > similar issues and I am having one heck of a time figuring out what is
> > happening...
> >
> > Thanks,
> >
> > JOHN
> >
> > Quoting Andrew Goble <[EMAIL PROTECTED]>:
> >
> ><x>
>
> The PART-15.ORG smartBridges Discussion List
> To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges <yournickname>
> To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges)
> Archives: http://archives.part-15.org
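
The behaviour described in the thread (pings to one address after another, then a connection to port 135 or 445 on a host that was pinged) can be looked for in flow records to find which customer machine is infected. This is an added example, not part of the original messages; the record layout, the threshold of four consecutive addresses and all sample addresses are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

WORM_PORTS = {135, 445}   # TCP ports the thread names for the follow-up connection
MIN_RUN = 4               # assumed threshold: addresses pinged one after another

# Constructed flow records: (seconds, source, destination, protocol, dst port)
SAMPLE_FLOWS = [
    (0.0, "10.0.0.23", "10.0.1.1", "icmp", None),
    (0.1, "10.0.0.23", "10.0.1.2", "icmp", None),
    (0.2, "10.0.0.23", "10.0.1.3", "icmp", None),
    (0.3, "10.0.0.23", "10.0.1.4", "icmp", None),
    (0.4, "10.0.0.23", "10.0.1.5", "icmp", None),
    (0.5, "10.0.0.23", "10.0.1.3", "tcp", 135),    # connects to a host it pinged
    (1.0, "10.0.0.40", "10.0.1.9", "icmp", None),  # one ping only: ordinary use
    (1.2, "10.0.0.40", "10.0.1.9", "tcp", 445),
    (2.0, "10.0.0.51", "10.0.2.1", "icmp", None),
    (2.1, "10.0.0.51", "10.0.2.2", "icmp", None),
    (2.2, "10.0.0.51", "10.0.2.3", "icmp", None),
    (2.3, "10.0.0.51", "10.0.2.4", "icmp", None),  # sweep with no follow-up yet
]

def longest_sequential_run(addresses):
    """Length of the longest run where each target is the previous address + 1."""
    best, run, prev = 0, 0, None
    for addr in addresses:
        value = int(ip_address(addr))
        run = run + 1 if prev is not None and value == prev + 1 else 1
        best = max(best, run)
        prev = value
    return best

def find_suspect_hosts(flows, min_run=MIN_RUN):
    """Return {source: verdict} for sources that ping sequential addresses."""
    pinged = defaultdict(list)     # source -> ping targets in time order
    followups = defaultdict(set)   # source -> pinged targets later hit on 135/445
    for _, src, dst, proto, port in sorted(flows, key=lambda f: f[0]):
        if proto == "icmp":
            pinged[src].append(dst)
        elif proto == "tcp" and port in WORM_PORTS and dst in pinged[src]:
            followups[src].add(dst)
    verdicts = {}
    for src, targets in pinged.items():
        if longest_sequential_run(targets) >= min_run:
            verdicts[src] = "sweep+connect" if followups[src] else "sweep"
    return verdicts

if __name__ == "__main__":
    print(find_suspect_hosts(SAMPLE_FLOWS))
```
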
