RE: Blocking port 4444 for W32.Blaster.Worm

["David Gillett" <gillettdavid () fhda edu>]

  Blocking 4444 as a destination outbound is not going to
affect routine web traffic, which is typically on 80/443
and occasionally on 8000 or 8080.

  Blocking 4444 as a destination inbound shouldn't be a
problem either.  If you have a stateful firewall, it will
apply this rule only to outside attempts to connect to that
port.  Having seen the client initiate the outbound connection
from 4444, it will allow that server to respond to that port.
  If you don't have a stateful firewall, and instead are relying
on router packet filters, this rule comes after the "allow
established" rule which allows responses in.

  So the workstation that "uses 4444 for web traffic" will
not be blocked by this rule in either case.

David Gillett


> -----Original Message-----
> From: Brett Munhall [mailto:bmunhall () ups com]
> Sent: August 20, 2003 06:23
> To: security-basics () securityfocus com
> Subject: Re: Blocking port 4444 for W32.Blaster.Worm
>
>
> In-Reply-To:
> <OF4867F7BA.C7CC7A58-ON48256D81.000036BA-48256D81.00003EE1@cit
> yofperth.wa.gov.au>
>
> I have a quick question. If I block 4444 on the firewall or
> router and a  workstation uses 4444 for web traffic and it is
> blocked. Will the  workstation lock up or does it just
> retransmit the traffic on another port?  Thanks, Brett
> > Received: (qmail 5945 invoked from network); 13 Aug 2003
> 15:43:21 -0000 >Received: from outgoing2.securityfocus.com
> (205.206.231.26) >  by mail.securityfocus.com with SMTP; 13
> Aug 2003 15:43:21 -0000 >Received: from
> lists.securityfocus.com (lists.securityfocus.com
> [205.206.231.19]) >   by outgoing2.securityfocus.com
> (Postfix) with QMQP > id 4D1978F94C; Wed, 13 Aug 2003
> 09:14:56 -0600 (MDT) >Mailing-List: contact
> security-basics-help () securityfocus com; run by ezmlm
> > Precedence: bulk >List-Id:
> <security-basics.list-id.securityfocus.com> >List-Post:
> <mailto:security-basics () securityfocus com> >List-Help:
> <mailto:security-basics-help () securityfocus com>
> > List-Unsubscribe:
> <mailto:security-basics-unsubscribe () securityfocus com>
> > List-Subscribe:
> <mailto:security-basics-subscribe () securityfocus com>
> > Delivered-To: mailing list security-basics () securityfocus com
> > Delivered-To: moderator for
> security-basics () securityfocus com >Received: (qmail 12400
> invoked from network); 12 Aug 2003 17:56:48 -0000
> > In-Reply-To: <000001c36103$a17f5a60$6401a8c0@penguin>
> > Subject: RE: Blocking port 4444 for W32.Blaster.Worm >To:
> <mike () genxweb net>, <security-basics () securityfocus com>
> > X-Mailer: Lotus Notes Release 6.0.1 February 07, 2003
> > Message-ID: <OF4867F7BA.C7CC7A58-ON48256D81.000036BA-
> 48256D81.00003EE1 () cityofperth wa gov au> >From:
> Steven_Paice () cityofperth wa gov au >Date: Wed, 13 Aug 2003
> 08:03:55 +0800 >X-MIMETrack: Serialize by Router on
> permail01/CityofPerth(Release 5.0.8  |June 18, 2001) at >
> 13/08/2003 08:03:55 AM >MIME-Version: 1.0 >Content-type:
> text/plain; charset=us-ascii > > >Thanks for the reply
> Michael, my post was initially just a query, upon >further
> investigation I found that in fact our firewall already
> blocks >these ports as you suggested, I just have to
> implement the deny all  without >logging. > > >
>
>
>      >                    "Michael
>
>                           >                    LaSalvia"
>       To:      <Steven_Paice () cityofperth wa gov au>,
> <security- basics () securityfocus com>                     >
>                 <mike@genxweb.        cc:
>
>                  >                    net>
> Subject:     RE: Blocking port  4444 for W32.Blaster.Worm
>                                          >
>
>
> >                     13/08/2003
>
>                       >                    02:57  AM
>
>                                             >
>    Please  respond
>
>     >                    to  mike
>
>                           >
>
>                                                > > > >
> > -----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Why would
> you have that port open any way on your firewall. A >firewall
> should be explicit deny all unless there is a need to have
> > that port open. I don't know many people that have port 4444
> open for >any reason. I can say that because I deal with many
> large companies >firewalls. > >Not only should you have 4444
> blocked you should have a NetBIOS block >rule that is a deny
> all without logging (cause it will fill the log >files fast
> if you did do logging.) > >- -----Original Message-----
> > From: Steven_Paice () cityofperth wa gov au
> [mailto:Steven_Paice () cityofperth wa gov au] >Sent: Monday, August 11, 2003
10:57 PM >To: security-basics () securityfocus com >Subject: Blocking port 4444
for W32.Blaster.Worm > >Hi all, > >I have just been reading up on the
Blaster Worm, and Symantec suggest >blocking TCP port 4444 at the firewall
level; I was wondering if >anyone has >implemented this yet and if so, if
they have any feedback on the >results >regarding performance, risks etc. >
> Thanks in advance > >Steven Paice > >
> - ----------------------------------------------------------------------
> - -----
> - ----------------------------------------------------------------------
> - ------ > > > >-----BEGIN PGP SIGNATURE----- >Version: PGPfreeware 6.5.8
for non-commercial use <http://www.pgp.com> >
> iQA/AwUBPzk4p3AnVb+gRdsVEQJemwCgtK+9kR5BcMiKN7Kn7ThmabZ/WAgAoJ8j
> NkYW182RebTFiQ6OwkZxX1B0 >=dG7W >-----END PGP SIGNATURE----- > > > > > >
> -------------------------------------------------------------------------- 
-
> -------------------------------------------------------------------------- 
-- > >
---------------------------------------------------------------------------
----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------