Security Basics mailing list archives
RE: Blocking port 4444 for W32.Blaster.Worm
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 20 Aug 2003 09:53:04 -0700
Blocking 4444 as a destination outbound is not going to affect routine web traffic, which is typically on 80/443 and occasionally on 8000 or 8080.

Blocking 4444 as a destination inbound shouldn't be a problem either. If you have a stateful firewall, it will apply this rule only to outside attempts to connect to that port. Having seen the client initiate the outbound connection from 4444, it will allow that server to respond to that port.

If you don't have a stateful firewall, and instead are relying on router packet filters, this rule comes after the "allow established" rule which allows responses in.

So the workstation that "uses 4444 for web traffic" will not be blocked by this rule in either case.

David Gillett

-----Original Message-----
From: Brett Munhall [mailto:bmunhall () ups com]
Sent: August 20, 2003 06:23
To: security-basics () securityfocus com
Subject: Re: Blocking port 4444 for W32.Blaster.Worm

I have a quick question. If I block 4444 on the firewall or router and a workstation uses 4444 for web traffic and it is blocked, will the workstation lock up or does it just retransmit the traffic on another port?

Thanks,
Brett

> From: Steven_Paice () cityofperth wa gov au
> Date: Wed, 13 Aug 2003 08:03:55 +0800
> To: <mike () genxweb net>, <security-basics () securityfocus com>
> Subject: RE: Blocking port 4444 for W32.Blaster.Worm
>
> Thanks for the reply Michael, my post was initially just a query, upon
> further investigation I found that in fact our firewall already blocks
> these ports as you suggested, I just have to implement the deny all without
> logging.
>
> "Michael LaSalvia" <mike@genxweb.net>
> 13/08/2003 02:57 AM
> Please respond to mike
> To: <Steven_Paice () cityofperth wa gov au>, <security-basics () securityfocus com>
> cc:
> Subject: RE: Blocking port 4444 for W32.Blaster.Worm
>
> Why would you have that port open anyway on your firewall? A
> firewall should be explicit deny all unless there is a need to have
> that port open. I don't know many people that have port 4444 open for
> any reason. I can say that because I deal with many large companies'
> firewalls.
>
> Not only should you have 4444 blocked you should have a NetBIOS block
> rule that is a deny all without logging (cause it will fill the log
> files fast if you did do logging.)
>
> -----Original Message-----
> From: Steven_Paice () cityofperth wa gov au [mailto:Steven_Paice () cityofperth wa gov au]
> Sent: Monday, August 11, 2003 10:57 PM
> To: security-basics () securityfocus com
> Subject: Blocking port 4444 for W32.Blaster.Worm
>
> Hi all,
>
> I have just been reading up on the Blaster Worm, and Symantec suggest
> blocking TCP port 4444 at the firewall level; I was wondering if
> anyone has implemented this yet and if so, if they have any feedback on the
> results regarding performance, risks etc.
>
> Thanks in advance
>
> Steven Paice
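
The rule ordering described in the reply above, modelled as an added example that is not part of the original thread: a simplified first-match packet filter and a simplified stateful firewall, each blocking destination port 4444, evaluated against constructed sample packets. The rule names, addresses and the `other-policy` placeholder are assumptions made for illustration.

```python
from collections import namedtuple

# direction "out" = leaving the inside network, "in" = arriving from outside
Packet = namedtuple("Packet", "direction src sport dst dport flags")

def packet_filter(pkt):
    """Stateless router filter, first match wins; returns the rule that decided."""
    if pkt.direction == "in" and {"ACK", "RST"} & set(pkt.flags):
        return "permit: established"   # matches TCP flags only, no connection table
    if pkt.dport == 4444:
        return "deny: block-4444"
    return "permit: other-policy"      # placeholder for the rest of the rule set

class StatefulFirewall:
    def __init__(self):
        self.table = set()             # (inside ip, inside port, outside ip, outside port)

    def check(self, pkt):
        # Replies to a connection the inside host opened pass before the 4444 rule.
        if pkt.direction == "in" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "permit: tracked-connection"
        if pkt.dport == 4444:
            return "deny: block-4444"
        if pkt.direction == "out":
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit: other-policy"

# Constructed sample traffic (documentation address ranges).
CLIENT, WEB, OUTSIDE = "192.0.2.10", "198.51.100.20", "203.0.113.5"
TRAFFIC = {
    "client SYN from source port 4444 to web:80": Packet("out", CLIENT, 4444, WEB, 80, ("SYN",)),
    "web SYN-ACK reply to client port 4444": Packet("in", WEB, 80, CLIENT, 4444, ("SYN", "ACK")),
    "outside SYN to inside port 4444": Packet("in", OUTSIDE, 1051, CLIENT, 4444, ("SYN",)),
    "inside SYN to outside port 4444": Packet("out", CLIENT, 1050, OUTSIDE, 4444, ("SYN",)),
}

def evaluate():
    """Run every sample packet through both models, in order."""
    fw = StatefulFirewall()
    return {name: (packet_filter(p), fw.check(p)) for name, p in TRAFFIC.items()}

if __name__ == "__main__":
    for name, (stateless, stateful) in evaluate().items():
        print(f"{name:45} filter={stateless:22} stateful={stateful}")
```

In both models only the two connection attempts with destination port 4444 are denied; the workstation whose source port happens to be 4444 keeps its web session.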