
No_Strings

join:2001-11-22
The OC

No_Strings to CoxAbuse

Re: Microsoft Windows RPC/DCOM vulnerability

Why does it seem that the default response is always to block a port? What about disconnecting users running unpatched systems? A backward approach, from my POV.

untroubled1
Redneck Dawg
Premium Member
join:2001-12-21
Omaha, NE

said by No_Strings:
Why does it seem that the default response is always to block a port? What about disconnecting users running unpatched systems? A backward approach, from my POV.


Mainly because MSBlast propagates so fast. The most effective way to stop an intruder is to lock the door. FMPOV.

Dead Bob
Premium Member
join:2002-04-08
Mesa, AZ

Dead Bob to No_Strings

said by No_Strings:
Why does it seem that the default response is always to block a port? What about disconnecting users running unpatched systems? A backward approach, from my POV.


Because they would have to disconnect probably 95% of their users. Most people barely know enough to get onto the internet and send e-mail, let alone how to secure their own computers. I have been getting hit all day from all different Cox IPs; there is no way they could shut them all down.
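
As an added illustration (not code from this thread or from Cox), here is how a defender could quantify the "getting hit all day from different IPs" observation from a firewall log: it tallies inbound attempts to ports 135 and 445 and flags the many-distinct-sources pattern typical of a worm sweep. The log format, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the thread): inbound TCP
# connection attempts, most of them to the RPC/DCOM port 135 and SMB port 445.
SAMPLE_LOG = """\
2003-08-12 09:01:05 DROP TCP 68.1.20.7:3021 -> 192.168.1.5:135
2003-08-12 09:01:07 DROP TCP 68.1.20.7:3022 -> 192.168.1.5:135
2003-08-12 09:01:30 DROP TCP 68.4.99.12:1044 -> 192.168.1.5:135
2003-08-12 09:02:11 DROP TCP 68.6.5.200:4466 -> 192.168.1.5:445
2003-08-12 09:02:45 ACCEPT TCP 68.1.30.9:2001 -> 192.168.1.5:80
2003-08-12 09:03:02 DROP TCP 68.9.77.3:3390 -> 192.168.1.5:135
2003-08-12 09:03:59 DROP TCP 68.2.8.61:1101 -> 192.168.1.5:135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text, ports=(135, 445)):
    """Count inbound attempts and distinct source IPs per watched destination port."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or int(rec["dport"]) not in ports:
            continue  # unparsable line or a port we are not watching
        port = int(rec["dport"])
        hits[port] += 1
        sources[port].add(rec["src"])
    return {p: {"attempts": hits[p], "sources": len(sources[p])} for p in ports}

def looks_like_worm_scanning(summary, port=135, min_sources=3):
    """Many distinct sources probing the same port is the signature of an
    automated worm sweep rather than a single curious host."""
    return summary[port]["sources"] >= min_sources

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    print("worm-like scanning on 135:", looks_like_worm_scanning(s))
```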

No_Strings

join:2001-11-22
The OC

No_Strings to untroubled1

Nimda and Code Red - block 80 vs shut down the offenders. Spam - block 25 vs use smtpauth. MSinsecurity of the week - block another one or two or three. If someone breaks into my house, should I mine the road? Put up a barricade? I can't get to work or the grocery store, but I'm safe, right? I know I'm taking an extreme position, but we're not punishing the offenders. We're simply applying a (very temporary) Band-Aid to the problem. This is simply not a sustainable strategy.

CoxAbuse
join:2003-04-21
Atlanta, GA

CoxAbuse to No_Strings

Member

said by No_Strings:
Why does it seem that the default response is always to block a port? What about disconnecting users running unpatched systems? A backward approach, from my POV.

Unfortunately there are so many systems on the network vulnerable to this bug that it would literally take years to disconnect them all. We found around 120,000 vulnerable customers in our scans last week, and that's just the people who had their computers turned on at scan time. We believe the actual number is over 250,000.

We have a lot of work ahead of us in the next few weeks, but we're doing our best to get the network back to normal as quickly as possible, and we appreciate your patience.

noodlez
join:2002-01-27
Tulsa, OK

Member

You know, on something this bad, maybe Cox should send out a system-wide email notice pointing out the problem to the n00bs and how to fix it.

BBR_InsUW
WT or CoH thats my Game

join:2000-04-22
La Mesa, CA

BBR_InsUW to No_Strings

Let's look at it from this side.

Read this thread and see what happens when nothing is done... Comcast
»Comcast Down Nationally?

or OOL

»pc rebooting? port 135 scans on the rise

or Adelphia

»PLEASE READ IF YOU USE WINDOWS XP

All have the same issues; some had the port blocked and some not, like Comcast (wonder if that is why the entire network was down).

Port blocking is a valid security measure that must be done, and we have to adapt to it.
Edward

catseyenu
Ack Pfft
Premium Member
join:2001-11-17
Fix East

said by BBR_InsUW:

All have the same issues; some had the port blocked and some not, like Comcast (wonder if that is why the entire network was down).
Ummm, that's a rhetorical question, right?
We know that's why they went down.
Rumor is that as of today the FCC requires these ports to be blocked.

catseyenu

Premium Member

From Steve Gibson:
"During a morning meeting at our local COX cable provider,
it was revealed that the FCC has instructed COX to block
all traffic through ports 135 and 445."

No_Strings

join:2001-11-22
The OC

No_Strings to BBR_InsUW

Short term fix, maybe. But don't you agree that it is not a sustainable approach? What if the next gaping hole exploit is on the port you use to connect to work? I'm not blaming Cox for Microsoft's issues (amazingly, there are folks lining up to defend Microsoft over this) or lazy users or sys admins, but at some point you run out of ports to block. Had an expulsion precedent been set with earlier worms, maybe folks would have been more vigilant. Maybe.

BillRoland
Premium Member
join:2001-01-21
Ocala, FL

BillRoland to catseyenu

Gibson... UPnP is the end of the world as we know it.

Micheal64
join:2002-03-05
Oklahoma City, OK

Micheal64 to No_Strings

Member

said by No_Strings:
Why does it seem that the default response is always to block a port? What about disconnecting users running unpatched systems? A backward approach, from my POV.


I personally would prefer them to block the port than to remove the user. My personal reasoning for this is that I have 5 systems in my network of 500 for my company that were patched current and had current AV signatures, and they still got hit. There is a percentage of systems where the patch indicated it was installed when in fact the DLLs hadn't really been updated. This has been confirmed by many other network admins per Bugtraq and various other mailing lists.

No_Strings

join:2001-11-22
The OC

Michael,
Scary that the patch didn't "take." How do you fix it, then? Complete reload, or can you re-apply?

Deafcon22,
Yesterday, I could surf to sites recently visited but not to net new locations (DSLR was, of course, in the cache) nor could I ping via domain name. Systems that had been rebooted could not surf at all. I could not ping my Cox DNS servers by IP. From all of that, I assumed that there was a DNS issue for a couple of hours - at least here.

flex0r,
Two co-workers running W2K are cleaning up this morning after getting hit yesterday. Not a scientific survey, but I'd assume the worst.

catseyenu
Ack Pfft
Premium Member
join:2001-11-17
Fix East

catseyenu to BillRoland

said by BillRoland:
Gibson... UPnP is the end of the world as we know it.
You know, I can't find anything other than the Homeland Security advisory; he may have overstated the facts.
Too late to edit.

BillRoland
Premium Member
join:2001-01-21
Ocala, FL

I talked to some folks in the local office, they said that Mr. Gibson's statement was pretty much "bull."