RE: RPC errors

I just put an access list on one of our cores with some spare cpu cycles..
And 10% of the traffic looks like port 135 calls..... Anyone else see this?
Did I break anything legitimate?

Also, I still see some Slammer traffic..

Mark

Mark Segal wrote:

> I just put an access list on one of our cores with some spare cpu cycles..
> And 10% of the traffic looks like port 135 calls..... Anyone else see this?
> Did I break anything legitimate?

There is legitimate use for 135, although normally it is not used in the wild much. From what I can see, the 10% traffic mark is about average and should mostly be infected systems. I've seen some tight-in network scans from one of my networks to the others (within the same /18). Still monitoring loads before I decide to crank in lists between networks to limit cross infection. Tomorrow starts the fun... EU contact.

I plan to open up inbound first and let users get infected, tracking and purifying my network for about a week, perhaps two. Then I'll reopen the network for full traffic if it looks clean enough. Emergency "Good Neighbor" policy. :)

-Jack

must be fun out there on the net today. one minute of counter accumulation:

    deny tcp any any eq 135 (5721 matches)
    deny tcp any any eq 137
    deny tcp any any eq 138
    deny tcp any any eq 139 (17 matches)
    deny tcp any any eq 445 (1137 matches)

randy

45 seconds:

    deny tcp any any eq 135 (5445 matches)
    deny tcp any any eq 137
    deny tcp any any eq 138
    deny tcp any any eq 139
    deny tcp any any eq 445 (207 matches)
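The two counter snapshots above (one minute, then 45 seconds) invite a quick comparison of hit rates per port. The following is an added example, not code posted by anyone in this thread: a small Python parser for IOS-style `deny ... eq PORT (N matches)` lines that turns each snapshot into matches per second and flags the ports above a chosen rate. The two sample snapshots are the lines quoted in the thread; the assumption that each snapshot's counters were cleared at the start of its interval is mine, and the 10 matches/second threshold is an arbitrary illustration value.

```python
import re
from dataclasses import dataclass

# One ACE line as printed by "show access-lists". IOS only appends the
# "(N matches)" suffix when the counter is non-zero, so that group is optional.
ACE_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+eq\s+(?P<port>\d+)(?:\s+\((?P<matches>\d+)\s+matches\))?\s*$"
)

# Sample snapshots: the two counter dumps quoted in this thread.
SNAPSHOT_60S = """
    deny tcp any any eq 135 (5721 matches)
    deny tcp any any eq 137
    deny tcp any any eq 138
    deny tcp any any eq 139 (17 matches)
    deny tcp any any eq 445 (1137 matches)
"""

SNAPSHOT_45S = """
    deny tcp any any eq 135 (5445 matches)
    deny tcp any any eq 137
    deny tcp any any eq 138
    deny tcp any any eq 139
    deny tcp any any eq 445 (207 matches)
"""


@dataclass
class Ace:
    action: str
    proto: str
    port: int
    matches: int


def parse_aces(text: str) -> list:
    """Return the ACEs found in a show access-lists dump.

    Lines that are not ACEs (headers, blank lines) are skipped, and an ACE
    without a "(N matches)" suffix is recorded with zero matches.
    """
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        aces.append(Ace(m["action"], m["proto"],
                        int(m["port"]), int(m["matches"] or 0)))
    return aces


def hit_rates(text: str, interval_s: float) -> dict:
    """Matches per second keyed by destination port.

    Assumption (not stated in the thread): the counters were cleared with
    "clear access-list counters" at the start of the interval, so each
    count covers exactly interval_s seconds.
    """
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    return {a.port: a.matches / interval_s for a in parse_aces(text)}


def hot_ports(rates: dict, threshold_per_s: float) -> list:
    """Ports whose hit rate exceeds the threshold, busiest first."""
    hot = [(port, rate) for port, rate in rates.items() if rate > threshold_per_s]
    return sorted(hot, key=lambda pr: pr[1], reverse=True)


if __name__ == "__main__":
    for label, snap, secs in (("60s", SNAPSHOT_60S, 60), ("45s", SNAPSHOT_45S, 45)):
        rates = hit_rates(snap, secs)
        print(label, {p: round(r, 1) for p, r in rates.items()})
        print("  above 10/s:", hot_ports(rates, 10.0))
```

Run on the two snapshots, port 135 comes out at roughly 95 and 121 hits per second and port 445 at roughly 19 and 5, while 137/138 register nothing; the per-second normalisation is what makes a one-minute and a 45-second dump comparable.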

On the bright side, when double-checking the firewall on my home cable
modem setup, it appears that Comcast here in the SF Bay Area has
started filtering out incoming port 135 SYN packets -- they get
dropped before they hit my firewall. Thanks, Comcast!

On the not so bright side, I'm getting a steady stream of port 135
SYNs from my fellow Comcast customers (i.e., presumably on my side
of Comcast's filters), which may mean the horses have mostly already
left the barn.

Jim Shankland

Jim Shankland wrote:

> On the not so bright side, I'm getting a steady stream of port 135
> SYNs from my fellow Comcast customers (i.e., presumably on my side
> of Comcast's filters), which may mean the horses have mostly already
> left the barn.

You'll see a lot of this. Establishing blocks in the local networks is more time consuming than it's worth. Blocks are usually only in place temporarily while other business practices are carried out; as any good neighbor tries not to harass fellow networks. Once decontamination starts and users are fixed or suspended from service, blocks will usually be removed and the world goes back to normal.

My own network has a two week deadline, although I'm gunning for being done this week.

-Jack