Forums » Up and Running » Security » Security » Still think No Firewall/No ISP Port Blocking?
Marilla
I Am My Own Arbiter
Premium
join:2002-12-06
Belpre, OH

Still think No Firewall/No ISP Port Blocking?

I really, really hate it when I'm right about this sort of thing. I'm sure all the rest of those who believe as I do likewise don't like being right about this sort of thing.

But for those who don't believe ISP's should be filtering known dangerous ports such as TCP135, and for those who think that Personal firewalls are useless when you update your computer, I offer today's events... which seem to be only the beginning. Maybe this is a huge wake-up call... whether or not it's supposed to be, I hope it ends up serving as such.


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
Scottsdale, AZ
·Speakeasy

Although I know to what you're referring, it might be valuable to post a link or so so that others who don't can follow your line of thinking.
--
JKK
Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!


Marilla
I Am My Own Arbiter
Premium
join:2002-12-06
Belpre, OH
You are right... I don't tend to like linking... no reason, I just don't! So I don't think of it, I suppose.

Anyway, here goes!

»More RPC/TFTP malware, this time local


sig
Premium
join:2001-05-05


reply to Marilla
Comcast (and the former ATTBI) filters the NetBIOS ports but not 135, according to what I've seen in the past at least. (Needless to say I won't be dropping my shields to check on it today. )

[text was edited by author 2003-08-11 18:52:19]

psloss
Premium
join:2002-02-24
Alpharetta, GA

reply to Marilla
said by Marilla:
Maybe this is a huge wake-up call... whether or not it's supposed to be, I hope it ends up serving as such.
Maybe the nth time is the charm, but who knows if this is the nth time...I hope you're right and something new is done.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org

Reverend Ike
Premium
join:2001-08-24
Sacramento, CA

reply to Marilla

I have a similar viewpoint to Marilla. Of course, nobody appreciates an "I told you so" after the fact. But, when you tell people beforehand what they should do, a large number want to argue about it, or else they just ignore the advice because it's inconvenient. Microsoft deserves blame for vulnerabilities and default settings that accentuate those vulnerabilities, but the severity of these exploits is made far worse because of user arrogance or laziness.

My pet peeve with these current RPC exploits is that many people were accidentally made aware of holes in their system (especially port 135) because of Messenger Service spam. Every time a system displayed such spam, it was a wake-up call to the user that port 135 (and most likely other ports) were open to the internet. In thread after thread, people who complained about the spam were told that they should install a firewall (in addition to disabling the service) to close those open ports. Yet in the vast majority of cases, users opted to just turn off the Messenger Service and go on their merry way. Treat the symptom and ignore the fundamental problem ... and pay for it later.


makaze6

join:2002-01-04


reply to sig
said by sig:
Comcast (and the former ATTBI) filters the NetBIOS ports but not 135, according to what I've seen in the past at least. (Needless to say I won't be dropping my shields to check on it today. )

[text was edited by author 2003-08-11 18:52:19]

I heard that's gonna be a changing.....


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
Scottsdale, AZ
·Speakeasy

reply to Reverend Ike
said by Reverend Ike:

In thread after thread, people who complained about the spam were told that they should install a firewall (in addition to disabling the service) to close those open ports. Yet in the vast majority of cases, users opted to just turn off the Messenger Service and go on their merry way. Treat the symptom and ignore the fundamental problem ... and pay for it later.
In defense of many users, getting a firewall can be done, but many do not have the skills to know how to disable the services that are running. (Many aren't even aware there are services that should/could be closed, but that is the MS issue you mention re: defaults.) Yes, there are some programs one can install to help, but there are other services that are not so easy for the average "Joe Blow computer user" to know how to manage, and even getting the right programs to help are not always so obvious. Many people who were made aware of these holes did turn off the Messenger Service which is great. It's the processes beyond that that can be the problem and I will say this over and over; learning how to use a computer and hooking up to the Internet needs to be an ongoing education, even from the places that sell the systems. People have got to understand that they cannot just connect and take it from there, but they don't.
--
JKK
Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!


dvd536
as Mr. Pink as they come
Premium
join:2001-04-27
Phoenix, AZ

reply to Marilla
said by Marilla:
I really, really hate it when I'm right about this sort of thing. I'm sure all the rest of those who believe as I do likewise don't like being right about this sort of thing.

But for those who don't believe ISP's should be filtering known dangerous ports such as TCP135, and for those who think that Personal firewalls are useless when you update your computer, I offer today's events... which seem to be only the beginning. Maybe this is a huge wake-up call... whether or not it's supposed to be, I hope it ends up serving as such.
One of these days Microsoft is going to get it right and provide an OS that is set up secure out of the box. A lot of these services DON'T NEED TO BE RUNNING on consumer-level boxes. If something doesn't work, the user should RTFM if he/she wants to turn on a certain service.
--
You can never be too rich, too thin or have too much Bandwidth


lionelgroulx

join:2001-11-27
Chicago, IL

reply to Marilla
said by Marilla:

But for those who don't believe ISP's should be filtering known dangerous ports such as TCP135, and for those who think that Personal firewalls are useless when you update your computer, I offer today's events... which seem to be only the beginning. Maybe this is a huge wake-up call... whether or not it's supposed to be, I hope it ends up serving as such.
So ISP/NSPs need to be the firewalls of the Internet? There are legitimate uses of 135/TCP.

So if a Sendmail exploit comes out, better filter out 25/TCP huh?
--
L2TP is for losers


Marilla
I Am My Own Arbiter
Premium
join:2002-12-06
Belpre, OH

There are legitimate uses of port 135, but NOT secure, legitimate uses that don't have MUCH better alternatives - over the internet.

As millions of people - including those like myself who have every single system under their control protected - are unable to connect to Windows Update at all because millions of systems around the world are slamming Windowsupdate.com... tell me again what legitimate uses there are...

And actually, yeah.. I WOULD recommend blocking port 25 IN to consumer-level connections, now that you mention it... I think we'd find a lot less untraceable spam if we did.

Either that, or YOU come up with some solution to the millions upon millions of novice computer users who don't have the slightest clue how to install firewalls and use them properly... I'm offering a solution, even if it's a temporary one.. what are you offering?


3SGTE
ST215W
Premium,MVM
join:2000-11-23
there
clubs:

reply to sig
said by sig:
Comcast (and the former ATTBI) filters the NetBIOS ports but not 135, according to what I've seen in the past at least. (Needless to say I won't be dropping my shields to check on it today. )


I am a bit confused.

I thought netbios/135 were the same thing.

Link to thread in the Cogeco forum: (note same link as in other thread) »Cogeco
--
Don't Feed the Trolls----Click 'Hey mods' instead!:)


Marilla
I Am My Own Arbiter
Premium
join:2002-12-06
Belpre, OH

NetBIOS is a network protocol that can use various ports. Many people associate port TCP 135 with NetBIOS, but I believe strictly speaking, this is incorrect. It IS, however, associated with Microsoft networked computers.

TCP 135 is used by RPC/DCOM on Windows NT/2K/XP/2K3 systems, which really isn't part of NetBIOS/SMB/CIFS... but they are both common things you'll find on Windows computers nowadays.


3SGTE
ST215W
Premium,MVM
join:2000-11-23
there
clubs:

said by Marilla:
NetBIOS is a network protocol that can use various ports. Many people associate port TCP 135 with NetBIOS, but I believe strictly speaking, this is incorrect. It IS, however, associated with Microsoft networked computers.

TCP 135 is used by RPC/DCOM on Windows NT/2K/XP/2K3 systems, which really isn't part of NetBIOS/SMB/CIFS... but they are both common things you'll find on Windows computers nowadays.
With regard to this virus, my ISP claims to filter NetBIOS.
Does that protect me? It seems from your answer that there would be a distinction between filtering NetBIOS and just blocking the port as advocated here.

Sorry if the question seems simple, I appreciate learning so that I can make the proper distinctions.
--
Don't Feed the Trolls----Click 'Hey mods' instead!:)
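Added example, not from the thread or from dslreports: a small Python policy-coverage check that makes the distinction between "my ISP filters NetBIOS" and "TCP/135 is blocked" concrete, using the port assignment Marilla describes above (NetBIOS over TCP/IP on 137/138/139, SMB/CIFS on 445, the RPC endpoint mapper on TCP/135). The two ISP rule sets, the log line format and the log lines themselves are constructed for illustration; only the port numbers are the standard Windows assignments.

```python
import re
from dataclasses import dataclass

# Service-to-port mapping. Placing 135 under RPC/DCOM rather than under
# NetBIOS is the distinction made in the thread; the port numbers are the
# standard Windows assignments.
SERVICE_PORTS = {
    "netbios": {("udp", 137), ("udp", 138), ("tcp", 139)},  # NetBIOS over TCP/IP
    "smb":     {("tcp", 445)},                               # SMB/CIFS direct hosting
    "rpc":     {("tcp", 135)},                               # RPC endpoint mapper / DCOM
}


@dataclass(frozen=True)
class DenyRule:
    proto: str
    port: int


def rules_for(*services):
    """Expand service names into a set of inbound deny rules (constructed policy model)."""
    return frozenset(DenyRule(p, n) for s in services for p, n in SERVICE_PORTS[s])


# Two candidate ISP policies: "we filter NetBIOS" versus NetBIOS plus the RPC port.
NETBIOS_ONLY = rules_for("netbios")
NETBIOS_PLUS_RPC = rules_for("netbios", "rpc")


def uncovered(policy, service):
    """Return the (proto, port) pairs of `service` that `policy` leaves open inbound."""
    return {(p, n) for p, n in SERVICE_PORTS[service] if DenyRule(p, n) not in policy}


# Constructed inbound-attempt log in a made-up "timestamp src -> dst proto/port" format.
SAMPLE_LOG = """\
2003-08-11T19:00:01 198.51.100.23 -> 192.0.2.10 tcp/135
2003-08-11T19:00:02 198.51.100.24 -> 192.0.2.10 tcp/139
2003-08-11T19:00:03 198.51.100.25 -> 192.0.2.10 udp/137
2003-08-11T19:00:04 198.51.100.26 -> 192.0.2.10 tcp/80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<proto>tcp|udp)/(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into (proto, port); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["proto"], int(m["port"])


def evaluate(log_text, policy):
    """Map each inbound attempt in the log to 'blocked' or 'allowed' under `policy`."""
    verdicts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than guessing at them
        proto, port = parsed
        blocked = DenyRule(proto, port) in policy
        verdicts.append((proto, port, "blocked" if blocked else "allowed"))
    return verdicts


if __name__ == "__main__":
    for name, pol in (("netbios-only", NETBIOS_ONLY), ("netbios+rpc", NETBIOS_PLUS_RPC)):
        print(name, "leaves RPC open on:", sorted(uncovered(pol, "rpc")))
        for proto, port, verdict in evaluate(SAMPLE_LOG, pol):
            print(f"  {proto}/{port}: {verdict}")
```

Under the NetBIOS-only policy the attempt on tcp/135 is reported as allowed while 137 and 139 are blocked, which is exactly the gap 3SGTE is asking about; the same check also shows that a NetBIOS-only filter leaves tcp/445 open. The policies are modelled as plain deny sets so the coverage question reduces to set membership, which is the form such a check takes in practice regardless of the vendor's ACL syntax.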


lionelgroulx

join:2001-11-27
Chicago, IL

reply to Marilla
said by Marilla:
There are legitimate uses of port 135, but NOT secure, legitimate uses that don't have MUCH better alternatives - over the internet.

As millions of people - including those like myself who have every single system under their control protected - are unable to connect to Windows Update at all because millions of systems around the world are slamming Windowsupdate.com... tell me again what legitimate uses there are...

And actually, yeah.. I WOULD recommend blocking port 25 IN to consumer-level connections, now that you mention it... I think we'd find a lot less untraceable spam if we did.

Either that, or YOU come up with some solution to the millions upon millions of novice computer users who dont' have the slightest clue how to install firewalls and use them properly... I'm offering at solution, even if it's a temporary one.. what are you offering?
Perhaps Microsoft should have had a better distribution system for the patch ahead of time. It's not like this is the first time they had to release a patch for a massive vulnerability.

I gave SMTP as an example, but filtering can be to any other popular port. I agree, most customers do not need SMTP open, but there should be some documentation that this is being done when you sign up with a provider.

Perhaps when some network equipment vendors can make equipment that filters TCP/UDP ports without cutting performance, you might actually see more filtering out there.

The problem (sadly) is that 135/TCP is still used for legitimate things.

As for why not to filter...it depends on the worm. Compared to worms in the past, where insane amounts of bandwidth were generated (constant streams of UDP vs. 1 TCP connect per second), I'd say this one so far doesn't look too bad. Large networks are not going down and people can still get cash from their ATM machines. I think in emergency situations where the network infrastructure is affected, it warrants placing ACLs in an ISP/NSP network.

People pay ISP/NSPs for Transit, access to the Internet. The more filtered things are, you might as well be using AOL.

And of course...MS needs to start looking at attempting to make their boxes as secure as they can (ha) out of the box on a default install.
--
L2TP is for losers


3SGTE
ST215W
Premium,MVM
join:2000-11-23
there
clubs:

said by lionelgroulx:
Perhaps Microsoft should have had a better distribution system for the patch ahead of time. It's not like this is the first time they had to release a patch for a massive vulnerability.


Someone could modify this worm to have the patch as the payload.
--
Don't Feed the Trolls----Click 'Hey mods' instead!:)

Reverend Ike
Premium
join:2001-08-24
Sacramento, CA


reply to jaykaykay

JKK - I wasn't trying to pick on those who don't know the intricacies of their operating system, but those who are given advice (with explanations) and then purposely ignore that advice.

The typical Messenger Service spam thread would go like this:
Original Poster: How do I get rid of this spam?
Poster #2 (and others): Disable the Messenger Service (specific instructions are then given).
Poster #3: You really should install a firewall - if you are getting this spam it means you have ports open to the internet, and you could be victimized by something more serious in the future.
Last Reply From Original Poster: Well, I disabled the Messenger Service just like Poster #2 told me and the spam is gone, so that's good enough for me.

Alternate Last Reply: Well, I had a firewall, but it didn't stop the spam.
(Meaning the firewall was misconfigured, but even when this is explained, the OP still can't be bothered to reinstall it).

Another Alternate Last Reply: Well, I can't have a firewall, because it interferes with my gaming (or some other excuse).
(Meaning the firewall is misconfigured, and the user thinks their gaming or whatever is worth the risk of getting infected).

This was repeated endlessly. If those OPs would have subsequently installed a firewall, they would have been protected against these RPC/DCOM exploits, regardless of whether they installed the latest Microsoft patch. I think one of LinkLogger's threads implied that possibly 30%+ of systems have port 135 open to the internet.

All I'm saying is that Messenger Service spam was like an accidental test for the RPC/DCOM exploits, yet most of the spam victims decided to ignore the wake-up call.

[text was edited by author 2003-08-11 20:53:33]


Marilla
I Am My Own Arbiter
Premium
join:2002-12-06
Belpre, OH

reply to lionelgroulx
said by lionelgroulx:
The problem is (sadly) is that 135/TCP is still used for legitimate things.
Still waiting for someone to list a single legitimate, secure, supported purpose for traffic on TCP port 135 to need to traverse an internet, to say nothing of THE Internet.

For those who have set up remote applications that need to use RPC over the Internet (and need the use of the RPC locator to find them) may I very strongly suggest setting up something more secure? Rather.. something secure, at all.. a simple VPN would do nicely. So would using SSH, or just anything that would actually encrypt transmissions, and not leave wide-open a whole set of ports that's been used for nothing but bad things over the Internet.

All the talk about being 'free' to use your connection completely is well and good.. and completely irrelevant. All the talk about Microsoft making secure Operating Systems is wonderful for a theoretical discussion in some appropriate place... but right now peoples' computers around the world are being infected with things that could be prevented by simply blocking one port incoming, by default, on consumer-class internet connections.


lionelgroulx

join:2001-11-27
Chicago, IL

said by Marilla:
All the talk about being 'free' to use your connection completely is well and good.. and completely irrelevant. All the talk about Microsoft making secure Operating Systems is wonderful for a theoretical discussion in some appropriate place... but right now peoples' computers around the world are being infected with things that could be prevented by simply blocking one port incoming, by default, on consumer-class internet connections.
So the ISP/NSPs have the burden of filtering things to customers? That's not their job. This worm is nowhere near what would be a serious problem compared to the last worms.
But where do you draw the line? Filter all broadband customers? What about dedicated internet access customers? What if you have someone who needs/wants to use 135/TCP, do you tell that customer they are SOL?

I'd have a different opinion on this matter if the worm was used as a staging platform for launching DoS attacks at specific hosts, being controlled by someone. For right now though, this worm is just an annoyance, and as before, it could have done much, much worse damage.
--
L2TP is for losers


Marilla
I Am My Own Arbiter
Premium
join:2002-12-06
Belpre, OH

That's a rather reactionary response there... Don't bother until something big happens? Pardon, but, isn't it too late then?

This vulnerability probably has the broadest reach of any - in the history of computers. That's quite a grand statement, but I don't think it's too far off the mark.

You still have yet to mention a single legitimate, secure use for port TCP 135 to be open inbound to consumer-level connections that can't easily and much more safely be replaced with a much better solution through a simple VPN.

Where you draw the line is SIMPLE: The people for whom port 135 needs to be blocked (novice computer users) aren't likely to even know what a 'port' is in the first place... so it would be difficult for them to ask for it to be opened. At any rate, though, I think that any 'business' or professional class connection that permits Internet services to be run could perhaps leave all ports open, with the understanding that the customer themselves will take it upon themselves to protect their network.

But quite honestly, the average computer user CANNOT be expected to even understand what's at stake here. Just like when the first cars with catalytic converters came out, and so their gas tank openings were smaller than the ones for regular, leaded gas... sure.. some people would know better, but most wouldn't know any better, and would ignorantly fill their tanks with leaded gas, ruining their converter in the process. Moral of the story: Some people DO need to be protected from themselves - and not just 'stupid' people... but people who devote their time and efforts to places other than being an IS expert.
© 1999-2009 dslreports.com