Firewall Wizards mailing list archives

RE: Blocking MS Blaster


From: Dave Killion <Dkillion () netscreen com>
Date: Fri, 15 Aug 2003 13:17:23 -0700

I'd say that's overkill, but overkill never hurt anything.

You really only need 135 blocked inbound to prevent msblast, but all of
those ports you've closed need to be closed for other reasons.  Really,
all ports inbound should be blocked, except for those specific services
you serve (and those ports monitored and servers kept patched).

You have 2 ports for msblast backwards, however - both 69 and 4444 are not
inet-lan, but lan-inet.  Once infected, the worm uses those ports to go
*out*.  If you get hits on those rules, something very bad has happened.

Good luck!

Dave Killion
Senior Security Engineer
Security Group, NetScreen Technologies, Inc.



-----Original Message-----
From: arnaud DUPUIS [mailto:arno.dupuis () wanadoo fr]
Sent: Thursday, August 14, 2003 9:38 AM
To: fw-wizz
Subject: [fw-wiz] Blocking MS Blaster


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list,
I would like to know how you have tried to block the MS Blaster worm?
Personally I've added those lines to my Netfilter script:
echo "* Protection against MS Blaster"
${FW} -A inet-lan -p tcp -m multiport --dports 135,137,139,445,593,69,4444 -j DROP
${FW} -A inet-lan -p udp -m multiport --dports 135,137,139,445,593,69,4444 -j DROP
${FW} -A lan-inet -p tcp -m multiport --dports 135,137,139,445,593,69,4444 -j DROP
${FW} -A lan-inet -p udp -m multiport --dports 135,137,139,445,593,69,4444 -j DROP

My firewall is based on Slackware Linux with the grsecurity patch (kernel
2.4.20).
Do you have a better solution?

Greetz and regards
Arnaud
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/O7roNG3DWex93LoRAjCiAJ9Aj6gL+aoK4J+1gvVHzz+85MZn3ACfbQ/g
Zv5tifEWPRXdbelgz9gBokw=
=OgLX
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
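The direction point Dave makes above (135 and friends are Internet-to-LAN; 69 and 4444 are LAN-to-Internet, and a hit there means a host is already infected), as an added example that is not code from either poster. It rewrites Arnaud's multiport rules into the two directions, puts a rate-limited LOG rule in front of the outbound DROP so hits are visible, and includes a small helper that pulls the tripping LAN hosts out of the kernel log. It assumes iptables is on PATH (FW can be overridden as in Arnaud's script), that the inet-lan and lan-inet chains already exist, and the log lines are constructed samples in the LOG target's format, not real captures.

```shell
#!/bin/sh
# Added example, not code from either poster: Arnaud's rules split into the two
# directions Dave describes, with a rate-limited LOG in front of the outbound
# DROP so that a hit (an infected LAN host) shows up in the kernel log.
# Assumptions: FW defaults to "iptables" on PATH, and the inet-lan and
# lan-inet chains from Arnaud's script already exist and are hooked into
# FORWARD. The rules are printed, not applied; pipe them to sh as root to apply.
FW="${FW:-iptables}"

# Internet -> LAN: RPC/DCOM (135, 593) and NetBIOS/SMB (137, 139, 445).
# 135 is the port msblast needs; the others are closed because nothing on the
# LAN should be serving them to the Internet anyway.
IN_TCP="135,137,139,445,593"
IN_UDP="135,137,138,139,445"

# LAN -> Internet: once a host is infected, the worm goes *out* on these.
OUT_TCP="4444"
OUT_UDP="69"
LOG_PREFIX="MSBLAST-OUT: "

# Emit the rules on stdout instead of applying them, so they can be reviewed.
blaster_rules() {
    echo "$FW -A inet-lan -p tcp -m multiport --dports $IN_TCP -j DROP"
    echo "$FW -A inet-lan -p udp -m multiport --dports $IN_UDP -j DROP"
    for spec in "tcp $OUT_TCP" "udp $OUT_UDP"; do
        set -- $spec   # $1 = protocol, $2 = port
        # Log first (capped at 10 lines/min so a worm cannot flood syslog), then drop.
        echo "$FW -A lan-inet -p $1 --dport $2 -m limit --limit 10/min -j LOG --log-prefix \"$LOG_PREFIX\""
        echo "$FW -A lan-inet -p $1 --dport $2 -j DROP"
    done
}

# Constructed kernel-log lines in the LOG target's format, standing in for
# /var/log/messages on the firewall; not real captures. The last line carries
# no prefix and must not be counted.
SAMPLE_LOG='Aug 15 13:17:23 fw kernel: MSBLAST-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=1456 DPT=4444
Aug 15 13:17:24 fw kernel: MSBLAST-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=1457 DPT=4444
Aug 15 13:17:30 fw kernel: MSBLAST-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.4 PROTO=UDP SPT=1030 DPT=69
Aug 15 13:18:02 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.50 DST=192.168.1.5 PROTO=TCP SPT=3201 DPT=135'

# Read log lines on stdin and print each LAN source that tripped the outbound
# rule, once; these are the hosts to pull off the network and clean.
infected_hosts() {
    grep "$LOG_PREFIX" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

blaster_rules
printf '%s\n' "$SAMPLE_LOG" | infected_hosts
```

Run it as-is to see the six rules and the two flagged hosts; `blaster_rules | sh` applies them once the chain names match the live ruleset. The outbound DROP keeps Arnaud's behaviour; the LOG line in front of it is what turns "hits on those rules" into something you can actually see.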
