nanog mailing list archives

Re: Port 445 issues (was: Port 80 Issues)


From: "Jack Bates" <jbates () brightok net>
Date: Sun, 9 Mar 2003 17:10:07 -0600


From: "Sean Donelan"


So far the Deloder worm appears to be responding to normal congestion
feedback controls, limiting its network impact.  Like CodeRed, Nimda, etc.,
some edge providers may need to implement network controls due to
scanning activities causing cache busting, but I suspect most network
backbones will not need to do anything.

I agree. It will mostly be useful at edge networks to spot outbound traffic
of possibly infected users. 445 should normally be very light, and I suspect
that 99% of the systems issuing the traffic will be found to be infected
with at least one worm or virus, and probably have more security issues. My
last 445 spewing customer had 3 back door programs, 5 viruses, and 2 worms.
It was, of course, a school computer.

The problem with blocking is if you decide to remove the blocks. Upon
removal of 1434 from my EBGP routers, I immediately saw 3 systems infected
and starting to spew. One of them, scarily, was a dialup while another was on
a transit customer's network and, of course, shut him down. If we protect the
customer, the customer won't fix the problem. Blocks always have to be used
with caution because of this.

-Jack
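One way to implement the "spot outbound 445 traffic at the edge" heuristic the post describes, as an added example that is not part of the post or of any NANOG tooling: it assumes a constructed flow-record text format ("timestamp src_ip dst_ip proto dst_port"), a constructed local prefix 10.1.2.0/24, and an assumed fan-out threshold of 8 distinct destinations as the tuning value.

```python
# Added example (not from the NANOG post): flag local hosts whose outbound
# TCP/445 fan-out looks like worm scanning, from edge flow records in a
# constructed "timestamp src_ip dst_ip proto dst_port" text format.
from collections import defaultdict
import ipaddress

# Constructed sample: 10.1.2.3 probes many distinct hosts on 445 (scanner),
# 10.1.2.9 shows ordinary light SMB use plus web traffic.
SAMPLE_FLOWS = """\
1047252000 10.1.2.3 192.0.2.10 tcp 445
1047252001 10.1.2.3 192.0.2.11 tcp 445
1047252001 10.1.2.3 192.0.2.12 tcp 445
1047252002 10.1.2.3 192.0.2.13 tcp 445
1047252002 10.1.2.3 198.51.100.7 tcp 445
1047252003 10.1.2.3 198.51.100.8 tcp 445
1047252003 10.1.2.3 198.51.100.9 tcp 445
1047252004 10.1.2.3 198.51.100.10 tcp 445
1047252004 10.1.2.3 198.51.100.11 tcp 445
1047252005 10.1.2.9 10.1.2.20 tcp 445
1047252005 10.1.2.9 10.1.2.20 tcp 445
1047252006 10.1.2.9 192.0.2.80 tcp 80
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of failing the whole batch
        ts, src, dst, proto, dport = parts
        flows.append((int(ts), src, dst, proto.lower(), int(dport)))
    return flows

def outbound_445_fanout(flows, local_net="10.1.2.0/24"):
    """Count distinct destinations each local source contacted on TCP/445."""
    net = ipaddress.ip_network(local_net)
    targets = defaultdict(set)
    for _ts, src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 445 and ipaddress.ip_address(src) in net:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}

def flag_scanners(flows, threshold=8, local_net="10.1.2.0/24"):
    """Sources at or above the fan-out threshold (threshold is an assumed tuning knob)."""
    fanout = outbound_445_fanout(flows, local_net)
    return sorted(src for src, n in fanout.items() if n >= threshold)

if __name__ == "__main__":
    for src in flag_scanners(parse_flows(SAMPLE_FLOWS)):
        print(src, "possible 445 scanner: check the host for worm infection")
```

Counting distinct destinations rather than raw packets keeps a host that talks repeatedly to one file server below the threshold while a scanner walking address space rises above it.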

