Security Basics mailing list archives
RE: Blocking port 4444 for W32.Blaster.Worm
From: Dave Killion <Dkillion () netscreen com>
Date: Wed, 20 Aug 2003 10:21:29 -0700
Brett,

Well, the real idea is to block connections outbound *to* port 4444, which is what Blaster does. If you have any clients doing this, I'd be worried.

If you're concerned about blocking 'ephemeral' ports (random source ports) then don't be - most programs are robust enough to retry the connection on a different source port. Never mind that we're not talking about blocking source ports anyway.

It's generally a more secure model to evaluate which ports *must* be open both inbound and out, monitor those ports carefully (with patched servers), and block all others. The idea of permitting all except blocking "bad" ports will always leave you two steps behind in a reactive mode.

I hope this information is helpful - good luck with your security set up.

Dave Killion
Senior Security Engineer
Security Group, NetScreen Technologies, Inc.

-----Original Message-----
From: Brett Munhall [mailto:bmunhall () ups com]
Sent: Wednesday, August 20, 2003 6:23 AM
To: security-basics () securityfocus com
Subject: Re: Blocking port 4444 for W32.Blaster.Worm

In-Reply-To: <OF4867F7BA.C7CC7A58-ON48256D81.000036BA-48256D81.00003EE1 () cityofperth wa. gov.au>

I have a quick question. If I block 4444 on the firewall or router and a workstation uses 4444 for web traffic and it is blocked, will the workstation lock up or does it just retransmit the traffic on another port?

Thanks,
Brett

From: Steven_Paice () cityofperth wa gov au
Date: Wed, 13 Aug 2003 08:03:55 +0800
To: <mike () genxweb net>, <security-basics () securityfocus com>
Subject: RE: Blocking port 4444 for W32.Blaster.Worm

Thanks for the reply Michael, my post was initially just a query, upon further investigation I found that in fact our firewall already blocks these ports as you suggested, I just have to implement the deny all without logging.

"Michael LaSalvia" <mike@genxweb.net>
13/08/2003 02:57 AM
Please respond to mike

To: <Steven_Paice () cityofperth wa gov au>, <security-basics () securityfocus com>
cc:
Subject: RE: Blocking port 4444 for W32.Blaster.Worm

Why would you have that port open anyway on your firewall? A firewall should be explicit deny all unless there is a need to have that port open. I don't know many people that have port 4444 open for any reason. I can say that because I deal with many large companies' firewalls. Not only should you have 4444 blocked, you should have a NetBIOS block rule that is a deny all without logging (cause it will fill the log files fast if you did do logging).

-----Original Message-----
From: Steven_Paice () cityofperth wa gov au [mailto:Steven_Paice () cityofperth wa gov au]
Sent: Monday, August 11, 2003 10:57 PM
To: security-basics () securityfocus com
Subject: Blocking port 4444 for W32.Blaster.Worm

Hi all,

I have just been reading up on the Blaster Worm, and Symantec suggest blocking TCP port 4444 at the firewall level; I was wondering if anyone has implemented this yet and if so, if they have any feedback on the results regarding performance, risks etc.

Thanks in advance
Steven Paice
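
The two filtering models contrasted in this thread, as an added example that is not part of any poster's message or any vendor's rule syntax: a first-match rule evaluator that compares "permit all except bad ports" with "deny all except required ports", including a silent NetBIOS drop. The permitted services (tcp/80, tcp/443, udp/53), the NetBIOS range 137-139 and the sample flows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str
    src_port: int  # never consulted by any rule below
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    proto: str = "any"                  # "tcp", "udp" or "any"
    dst_ports: range = range(0, 65536)  # destination ports the rule covers
    log: bool = True                    # whether a match is written to the log

    def matches(self, flow):
        return self.proto in ("any", flow.proto) and flow.dst_port in self.dst_ports

def evaluate(rules, flow):
    """First matching rule wins. Returns (action, logged)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.log
    return "deny", True  # implicit final deny

# Reactive model: permit everything except known-bad destination ports.
BLOCKLIST = [Rule("deny", "tcp", range(4444, 4445)), Rule("permit")]

# Default-deny model; the permitted services are assumptions for illustration.
ALLOWLIST = [
    Rule("deny", "any", range(137, 140), log=False),  # NetBIOS: drop, no log
    Rule("permit", "tcp", range(80, 81)),
    Rule("permit", "tcp", range(443, 444)),
    Rule("permit", "udp", range(53, 54)),
    Rule("deny"),                                     # everything else, logged
]

FLOWS = {  # constructed sample flows
    "web, source port 4444": Flow("tcp", 4444, 80),
    "connect to tcp/4444": Flow("tcp", 1055, 4444),
    "connect to unlisted tcp/5555": Flow("tcp", 1056, 5555),
    "NetBIOS udp/137": Flow("udp", 137, 137),
}

def compare():
    return {n: (evaluate(BLOCKLIST, f), evaluate(ALLOWLIST, f)) for n, f in FLOWS.items()}

if __name__ == "__main__":
    for name, (bl, al) in compare().items():
        print(f"{name:30} blocklist={bl} default-deny={al}")
```

The web flow with source port 4444 passes under both policies because rules match on destination port only, while the unlisted tcp/5555 flow is caught only by the default-deny set.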
Current thread:
- Blocking port 4444 for W32.Blaster.Worm Steven_Paice (Aug 12)
- RE: Blocking port 4444 for W32.Blaster.Worm Michael LaSalvia (Aug 12)
- RE: Blocking port 4444 for W32.Blaster.Worm Steven_Paice (Aug 13)
- <Possible follow-ups>
- RE: Blocking port 4444 for W32.Blaster.Worm CHRIS GRABENSTEIN (Aug 12)
- Re: Blocking port 4444 for W32.Blaster.Worm Brett Munhall (Aug 20)
- Re: Blocking port 4444 for W32.Blaster.Worm chort (Aug 20)
- RE: Blocking port 4444 for W32.Blaster.Worm David Gillett (Aug 20)
- RE: Blocking port 4444 for W32.Blaster.Worm Dave Killion (Aug 20)
- RE: Blocking port 4444 for W32.Blaster.Worm Michael LaSalvia (Aug 12)