RE: Blocking port 4444 for W32.Blaster.Worm

[Dave Killion <Dkillion () netscreen com>]

Brett,

Well, the real idea is to block connections outbound *to* port 4444, which
is what Blaster does.  If you have any clients doing this, I'd be worried.

If you're concerned about blocking 'ephemeral' ports (random source ports)
then don't be - most programs are robust enough to retry the connection on
a different source port.

Never mind that we're not talking about blocking source ports anyway.

It's generally a more secure model to evaluate which ports *must* be open
both inbound and out, monitor those ports carefully (with patched
servers), and block all others.  The idea of permitting all except
blocking "bad" ports will always leave you two steps behind in a reactive
mode.

I hope this information is helpful - good luck with your security set up.

Dave Killion
Senior Security Engineer
Security Group, NetScreen Technologies, Inc.



-----Original Message-----
From: Brett Munhall [mailto:bmunhall () ups com]
Sent: Wednesday, August 20, 2003 6:23 AM
To: security-basics () securityfocus com
Subject: Re: Blocking port 4444 for W32.Blaster.Worm


In-Reply-To:
<OF4867F7BA.C7CC7A58-ON48256D81.000036BA-48256D81.00003EE1 () cityofperth wa.
gov.au>

I have a quick question. If I block 4444 on the firewall or router and a
workstation uses 4444 for web traffic and it is blocked. Will the
workstation lock up or does it just retransmit the traffic on another
port?

Thanks,
Brett
> Received: (qmail 5945 invoked from network); 13 Aug 2003 15:43:21 -0000
> Received: from outgoing2.securityfocus.com (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 13 Aug 2003 15:43:21 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id 4D1978F94C; Wed, 13 Aug 2003 09:14:56 -0600 (MDT)
> Mailing-List: contact security-basics-help () securityfocus com; run by
ezmlm
> Precedence: bulk
> List-Id: <security-basics.list-id.securityfocus.com>
> List-Post: <mailto:security-basics () securityfocus com>
> List-Help: <mailto:security-basics-help () securityfocus com>
> List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> Delivered-To: mailing list security-basics () securityfocus com
> Delivered-To: moderator for security-basics () securityfocus com
> Received: (qmail 12400 invoked from network); 12 Aug 2003 17:56:48 -0000
> In-Reply-To: <000001c36103$a17f5a60$6401a8c0@penguin>
> Subject: RE: Blocking port 4444 for W32.Blaster.Worm
> To: <mike () genxweb net>, <security-basics () securityfocus com>
> X-Mailer: Lotus Notes Release 6.0.1 February 07, 2003
> Message-ID: <OF4867F7BA.C7CC7A58-ON48256D81.000036BA-
48256D81.00003EE1 () cityofperth wa gov au>
> From: Steven_Paice () cityofperth wa gov au
> Date: Wed, 13 Aug 2003 08:03:55 +0800
> X-MIMETrack: Serialize by Router on permail01/CityofPerth(Release 5.0.8
|June 18, 2001) at
> 13/08/2003 08:03:55 AM
> MIME-Version: 1.0
> Content-type: text/plain; charset=us-ascii
>
>
> Thanks for the reply Michael, my post was initially just a query, upon
> further investigation I found that in fact our firewall already blocks
> these ports as you suggested, I just have to implement the deny all
without
> logging.

>                    "Michael

>                    LaSalvia"            To:
<Steven_Paice () cityofperth wa gov au>, <security-
basics () securityfocus com>
>                    <mike@genxweb.
cc:

>                    net>                 Subject:     RE: Blocking port
4444 for W32.Blaster.Worm
>

>
13/08/2003

>                    02:57
AM

>                    Please
respond

>                    to
mike

>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Why would you have that port open any way on your firewall. A
> firewall should be explicit deny all unless there is a need to have
> that port open. I don't know many people that have port 4444 open for
> any reason. I can say that because I deal with many large companies
> firewalls.
>
> Not only should you have 4444 blocked you should have a NetBIOS block
> rule that is a deny all without logging (cause it will fill the log
> files fast if you did do logging.)
>
> - -----Original Message-----
> From: Steven_Paice () cityofperth wa gov au
> [mailto:Steven_Paice () cityofperth wa gov au]
> Sent: Monday, August 11, 2003 10:57 PM
> To: security-basics () securityfocus com
> Subject: Blocking port 4444 for W32.Blaster.Worm
>
> Hi all,
>
> I have just been reading up on the Blaster Worm, and Symantec suggest
> blocking TCP port 4444 at the firewall level; I was wondering if
> anyone has
> implemented this yet and if so, if they have any feedback on the
> results
> regarding performance, risks etc.
>
> Thanks in advance
>
> Steven Paice
>
>
> - ----------------------------------------------------------------------
> - -----
> - ----------------------------------------------------------------------
> - ------
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPzk4p3AnVb+gRdsVEQJemwCgtK+9kR5BcMiKN7Kn7ThmabZ/WAgAoJ8j
> NkYW182RebTFiQ6OwkZxX1B0
> =dG7W
> -----END PGP SIGNATURE-----
>
>
>
>
>
>
> -------------------------------------------------------------------------
-
-
> -------------------------------------------------------------------------
-
--
>

--------------------------------------------------------------------------
-
--------------------------------------------------------------------------
--

Attachment: smime.p7s
Description: