zotob - blocking tcp/445

> NetBIOS was never meant to be a WAN protocol, so no problem
> in blocking it.

For example: grc.com/su-techzone1.htm

scott

----- Original Message Follows -----

> NetBIOS was never meant to be a WAN protocol, so no problem
> in blocking it.

I'm not nearly confident enough to decide on behalf of almost a
billion other people how they should benefit from the Internet
and how not to.
There are real solutions to the problem, which include monitoring
the end-user traffic and doing traffic steering for infected hosts
to a web page that helps solve their problem.

> I'm not nearly confident enough to decide on behalf of almost a
> billion other people how they should benefit from the Internet
> and how not to.

thanks for that!

> There are real solutions to the problem, which include monitoring
> the end-user traffic and doing traffic steering for infected hosts
> to a web page that helps solve their problem.

for those of us who are under-clued, do you have a url for suggested tools and
procedures?

thanks!

randy

www.rommon.com, I'm confident there are others. And some people
are using home-baked solutions.
Probably plethora (and money) will be one of the bigger problems when
deciding to implement this kind of solution.
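The monitor-and-steer approach described above (watch end-user traffic, push infected hosts to a help page) sketched as an added Python example. This is not code from the thread, from rommon.com or from any other product; the flow-record layout, the 20-destinations-per-minute threshold, the walled-garden and resolver addresses and the nftables rule text are all assumptions chosen for illustration.

```python
"""Detect hosts sweeping TCP/445 and build walled-garden steering rules.

Added example for the thread; the record format, thresholds, addresses and
rule syntax are assumptions, not a description of any vendor product.
"""
from collections import defaultdict

WINDOW_SECONDS = 60            # assumed sliding window
THRESHOLD = 20                 # assumed: distinct 445/tcp peers per window before we act
WALLED_GARDEN = "10.255.0.1"   # assumed: ISP help-page server
RESOLVER = "10.255.0.53"       # assumed: ISP recursive resolver

# Constructed flow records, not captured traffic: (t_seconds, src, dst, dport)
SAMPLE_FLOWS = [
    # 10.0.0.5 is a normal client repeatedly using one file server on 445
    (0, "10.0.0.5", "10.0.1.10", 445),
    (30, "10.0.0.5", "10.0.1.10", 445),
    (35, "10.0.0.5", "198.51.100.7", 80),
    (55, "10.0.0.5", "10.0.1.10", 445),
]
# 10.0.0.3 sweeps a /24 on port 80: a different port, so a 445 check ignores it
SAMPLE_FLOWS += [(5 + i, "10.0.0.3", f"192.0.2.{i}", 80) for i in range(1, 31)]
# 10.0.0.9 sweeps a /24 on 445 in under a minute: worm-like behaviour
SAMPLE_FLOWS += [(2 + i, "10.0.0.9", f"192.0.2.{i}", 445) for i in range(1, 41)]


def scanning_hosts(flows, port=445, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {src: peak} for sources that reach `threshold` distinct
    destinations on `port` inside any `window`-second span.

    Distinct destinations, not flow count, is the signal: a client hammering
    its one file server is never flagged, a host walking a /24 is.
    """
    per_src = defaultdict(list)
    for t, src, dst, dport in flows:
        if dport == port:
            per_src[src].append((t, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> number of events inside the window
        lo, peak = 0, 0
        for t, dst in events:
            in_window[dst] += 1
            while t - events[lo][0] > window:      # slide the left edge forward
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def steering_rules(infected, garden=WALLED_GARDEN, resolver=RESOLVER):
    """nftables-style rules for the access router (assumed syntax): the infected
    host keeps DNS and the help page, every other web request is redirected to
    the help page, and everything else (including more 445 scanning) is dropped."""
    rules = []
    for src in sorted(infected):
        rules += [
            f"nft add rule ip nat prerouting ip saddr {src} tcp dport 80 dnat to {garden}",
            f"nft add rule ip filter forward ip saddr {src} ip daddr {resolver} udp dport 53 accept",
            f"nft add rule ip filter forward ip saddr {src} ip daddr {garden} tcp dport 80 accept",
            f"nft add rule ip filter forward ip saddr {src} drop",
        ]
    return rules


if __name__ == "__main__":
    hits = scanning_hosts(SAMPLE_FLOWS)
    print("quarantine:", hits)          # {'10.0.0.9': 40}
    for rule in steering_rules(hits):
        print(rule)
```

The point of keying on distinct destinations per window rather than on the port alone is that it leaves the customer who legitimately talks to one remote file server on 445 untouched, which is the objection raised against blanket port filtering elsewhere in this thread; the steering rules are per-host and can be removed once the host stops sweeping.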

> NetBIOS was never meant to be a WAN protocol, so no problem
> in blocking it.

rule #1: do not be the Internet's Firewall
rule #2: see rule #1

a leaf network can make any decisions they want on traffic filtering,
large ISPs should probably not do this as there are invariably people out
there that will want SNMP/ICMP/NetBIOS/SQL-NameService to work over their
WAN link(s). I recall some 'fun' with this issue on:

1) slammer worm (ms has a developers thingy that REQUIRES 1434 to work
over the internet)
2) welchia/nachi - how can I ping monitor my remote sites?

ymmv.

Chris,

This isn't directed at you, just adding my 2 cents to the thread ...

> NetBIOS was never meant to be a WAN protocol, so no problem
> in blocking it.
>
> rule #1: do not be the Internet's Firewall
> rule #2: see rule #1

That should definitely be on a T-shirt. :)

> a leaf network can make any decisions they want on traffic filtering,
> large ISPs should probably not do this as there are invariably people out
> there that will want SNMP/ICMP/NetBIOS/SQL-NameService to work over their
> WAN link(s). I recall some 'fun' with this issue on:
>
> 1) slammer worm (ms has a developers thingy that REQUIRES 1434 to work
> over the internet)
> 2) welchia/nachi - how can I ping monitor my remote sites?
>
> ymmv.

Leaf network filtering (or not) is largely solved. Keep in mind that some SPs sell "Managed Security Services," which may be PE- or CE-based firewalls, but run by the SP on behalf of the customer. If the customer cares enough, then ask and/or pay the SP to block the traffic they don't want, only on their access circuit(s). Presumably, the SP will figure out a model for the service to both instantiate and maintain the filter(s) as well as recoup costs for backhauled bits that get dropped at, or near, the doorstep of the CE. (Note, the word "model" could mean an additional charge above & beyond basic access or it may be included as part of basic access; it all depends on how much work, sophistication in filtering, etc. occurs as well as what the market can bear.)

In this case, one size (a.k.a.: filtering) does not (easily) fit all ...

-shane

Ahem. :)

If this was a "solved" problem, we'd not be having a thread about a zotob worm.

There's a *very* large gap between "the clued know of a range of suitable
solutions" and "the great unwashed have deployed appropriate solutions".

thank you.

though http://www.rommon.com/sandbox.html looks to be a
commercial product (and hence the spawn of evil:-), has
anyone got success/failure stories? it looks to speak
directly to this issue.

randy

Well,

I guess blocking is a good idea. That is why censoring was invented in the
first place.

Blocking port 25, Simple Mail Transfer,
makes sense. If nobody can send emails then nobody can send spam. Ok let us
block port 25 provocatively. :)

Blocking port 137, NETBIOS Name Service,
ok I am running linux. I don't need NETBIOS. I think it makes sense keeping
windows out of the internet. Without windows there is no spam, no virus,
no worm. Yes, let us block.

Blocking port 138, NETBIOS Datagram Service,
see above. Block it!

Blocking port 139, NETBIOS Session Service,
see above. Who needs windows? It is a security risk in the first place.

Blocking port 445, Microsoft-DS,
if it is from Microsoft it is always good blocking it.

I have forgotten port 80, World Wide Web HTTP, and port 53, Domain Name
Server. I know for sure windows does use them. Let's block them! Without
poisoned homepages you cannot be tricked to download vermin in the
first place. So it is a very good idea to block port 80.

Without DNS viruses might have difficulties finding their seed servers.
Yes it is a MUST. We absolutely must block port 53 :)

Firewall rules

Christopher L. Morrow wrote:

> NetBIOS was never meant to be a WAN protocol, so no problem
> in blocking it.
>
> rule #1: do not be the Internet's Firewall
> rule #2: see rule #1

Surely we realize that this discussion is not concerning the oft repeated "Internet's Firewall" debate.

It's about containing a potential worm/virus outbreak. Call it a network-wide quarantine.

The damages inflicted by worms/viruses in the past that we have all seen and are still coping with (C&C reports anyone?) are well known.

This is network self preservation. Otherwise the garbage will eventually suffocate us all.

Apples and oranges.

Joe Maimon wrote:

> This is network self preservation. Otherwise the garbage will eventually suffocate us all.

It's like cancer: initially it was treated with drugs and equipment that did serious damage to the whole body, killing many in the process, and today the methods are much more targeted at the actual bad tissue while minimizing collateral damage.

Port blocking is like cancer treatment from the 1980s.

Pete

and again I point to the above rules. What your network can't handle
'scanning wise' is completely different from what the network I work on
can handle.

If your network is being jeopardized by some level of scanning then fix
that, but that is a local decision. Blindly stating "large ISPs filter
port X" is just disingenuous; there are certainly cases as exceptions,
most of which end with the ISP in question saying: "Wow that was a lot
more painful than we thought originally :("

The sky is falling, or never mind. AV vendor press releases are always
amusing to read.

http://news.com.com/Zotob+worm+finds+its+path+limited/2100-7349_3-5833777.html?tag=nefd.top

   As of Monday morning on the West Coast, the original Zotob.A had
   infected about 50 computers worldwide, and the first variant, Zotob.B,
   had compromised about 1,000 systems, the antivirus software maker
   said.

> and again I point to the above rules. What your network can't handle
> 'scanning wise' is completely different from what the network I work on
> can handle.
>
> If your network is being jeopardized by some level of scanning then fix
> that, but that is a local decision. Blindly stating "large ISPs filter
> port X" is just disingenuous; there are certainly cases as exceptions,
> most of which end with the ISP in question saying: "Wow that was a lot
> more painful than we thought originally :("

I've been following the "don't be the Internet's firewall" thing, but I lost you now.

Quarantine works. Sorry, it does.

If your network can handle everything, that's great.

I have seen cases where people blocked entire countries for mitigation purposes, not to mention entire ISP's. Is that wise and/or good?

It worked for them for the time.

The point is reacting to a given situation. A reason not to do something would NOT be "because then people will not patch". I am sorry.

Nobody is arguing that the philosophy is bad. We even agree with you.
Where I strongly disagree is canceling this method out on ANY level, because that's just plain wrong.

It's simple, it works, and yesterday it worked for several "big ISPs". Would these ISPs generally block port 445? How is that relevant?

They just prevented their entire user-base from getting infected and their network from being DDoS'd and soon after becoming a DDoS source, by going the KISS way and reacting.

  Gadi.

> Surely we realize that this discussion is not concerning the oft
> repeated "Internet's Firewall" debate.
> It's about containing a potential worm/virus outbreak. Call it a network
> wide quarantine.

surely you realize that this discussion is not about civil rights
and the constitution, but about combatting terrorists.

randy

Randy Bush wrote:

>> Surely we realize that this discussion is not concerning the oft repeated "Internet's Firewall" debate.
>> It's about containing a potential worm/virus outbreak. Call it a network wide quarantine.
>
> surely you realize that this discussion is not about civil rights
> and the constitution, but about combatting terrorists.

To a level, it is.

Is combating terrorists bad? No one here would say no. Then it starts getting complicated when you discuss the HOW.

Over-protecting by first saying "no" because you fear potential "how's" is silly.

Fearing the HOW itself is legitimate.

Not every block is a censor, m'kay? Some censors are good - do you want to see kiddie porn on TV? Let us not make this a freedom of speech argument and go back to network issues.

You have say, 35K clients who will get infected in the next 2 days if you don't block port 445. Are you going to block it or are you going to let them get infected and infect others?

That or I am missing something.

  Gadi.

> NetBIOS was never meant to be a WAN protocol, so no problem
> in blocking it.

445/TCP is not NetBIOS! Some people even call the protocol the
"Common Internet File System".
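The point just made, that 445/tcp carries SMB ("CIFS") directly while 139/tcp wraps it in the NetBIOS Session Service, as an added Python example that is not part of the thread: a classifier that reads the first bytes of a TCP payload on either port. The sample segments are constructed by hand from the RFC 1002 and MS-SMB/MS-SMB2 header layouts, not captured traffic, and the helper names are my own.

```python
"""Tell NetBIOS-framed SMB (139/tcp) from direct-TCP SMB (445/tcp) by the
first bytes of a TCP payload.  Added example, not from the thread; the sample
segments below are constructed, not captured."""
import struct

# RFC 1002 section 4.3.1: NetBIOS Session Service packet types
NBSS_TYPES = {
    0x00: "session message",
    0x81: "session request",
    0x82: "positive session response",
    0x83: "negative session response",
    0x84: "retarget session response",
    0x85: "session keepalive",
}
SMB1_COMMANDS = {0x72: "NEGOTIATE", 0x73: "SESSION_SETUP_ANDX",
                 0x75: "TREE_CONNECT_ANDX", 0xA2: "NT_CREATE_ANDX"}
SMB2_COMMANDS = {0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP",
                 0x0003: "TREE_CONNECT", 0x0005: "CREATE"}


def classify(port, data):
    """Describe the transport framing and, if present, the SMB dialect and
    command carried in one TCP segment payload seen on `port`."""
    if len(data) < 4:
        raise ValueError("need at least the 4-byte transport header")
    if port == 139:
        # NetBIOS Session Service: TYPE, FLAGS, 16-bit LENGTH (+ extension bit)
        ntype, flags, length = struct.unpack(">BBH", data[:4])
        if flags & 0x01:
            length += 0x10000
        transport = "NBSS " + NBSS_TYPES.get(ntype, "unknown type 0x%02x" % ntype)
        if ntype != 0x00:
            # session request/response/keepalive carry no SMB message at all
            return {"transport": transport, "length": length, "smb": None, "command": None}
    elif port == 445:
        # Direct TCP transport: a zero byte then a 24-bit big-endian length.
        # No NetBIOS session request ever precedes the first SMB message here.
        if data[0] != 0x00:
            raise ValueError("445/tcp framing must start with a zero byte")
        length = int.from_bytes(data[1:4], "big")
        transport = "direct TCP"
    else:
        raise ValueError("port %d is not an SMB port" % port)

    body = data[4:4 + length]
    if body[:4] == b"\xffSMB":
        cmd = body[4]                                  # command byte follows the magic
        smb, name = "SMB1/CIFS", SMB1_COMMANDS.get(cmd, "0x%02x" % cmd)
    elif body[:4] == b"\xfeSMB":
        cmd = struct.unpack("<H", body[12:14])[0]      # SMB2 Command field at offset 12
        smb, name = "SMB2/3", SMB2_COMMANDS.get(cmd, "0x%04x" % cmd)
    else:
        smb, name = None, None
    return {"transport": transport, "length": length, "smb": smb, "command": name}


def nbss_session_request():
    """Constructed: the 139/tcp name handshake that 445/tcp does not have.
    Called and calling names are 32 encoded bytes each ("CA" encodes a space)."""
    name = b"\x20" + b"CA" * 16 + b"\x00"
    payload = name + name
    return struct.pack(">BBH", 0x81, 0x00, len(payload)) + payload


def smb1_negotiate_on_139():
    """Constructed: NBSS session message wrapping a minimal 32-byte SMB1 NEGOTIATE header."""
    body = b"\xffSMB" + bytes([0x72]) + b"\x00" * 27
    return struct.pack(">BBH", 0x00, 0x00, len(body)) + body


def smb2_negotiate_on_445():
    """Constructed: direct-TCP header plus a minimal 64-byte SMB2 NEGOTIATE header."""
    # ProtocolId, StructureSize=64, CreditCharge, Status, Command=NEGOTIATE
    header = b"\xfeSMB" + struct.pack("<HHIH", 64, 0, 0, 0x0000)
    header += b"\x00" * (64 - len(header))
    return b"\x00" + len(header).to_bytes(3, "big") + header


if __name__ == "__main__":
    for port, seg in ((139, nbss_session_request()), (139, smb1_negotiate_on_139()),
                      (445, smb2_negotiate_on_445())):
        print(port, classify(port, seg))
```

Note what the 445 branch never sees: a session request. Anything that keys on the NetBIOS name handshake will report 445 traffic as "not NetBIOS", which is the correction above; a filter on 445 stops SMB over direct TCP and leaves the NetBIOS name and datagram services on 137/138 untouched.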

> Randy Bush wrote:
>>> Surely we realize that this discussion is not concerning the oft
>>> repeated "Internet's Firewall" debate.
>>> It's about containing a potential worm/virus outbreak. Call it a network
>>> wide quarantine.
>>
>>
>> surely you realize that this discussion is not about civil rights
>> and the constitution, but about combatting terrorists.
>
> To a level, it is.
>
> Is combating terrorists bad? No one here would say no. Then it starts
> getting complicated when you discuss the HOW.
>
> Over-protecting by first saying "no" because you fear potential "how's"
> is silly.
>
> Fearing the HOW itself is legitimate.
>
> Not every block is a censor, m'kay? Some censors are good - do you want
> to see kiddie porn on TV? Let us not make this a freedom of speech
> argument and go back to network issues.
>
> You have say, 35K clients who will get infected in the next 2 days if
> you don't block port 445. Are you going to block it or are you going to
> let them get infected and infect others?

What if you are a transit provider that serves ebay, yahoo, and/or
google and the worm is propagating over TCP port 80? If they have
sufficient bandwidth and security mechanisms to protect themselves I
can guarantee you that those enterprise customers would not want their
upstream provider unilaterally dropping the traffic. I recognise that
the service we are talking about here is typically used in file
sharing but people may even be using 445 for different services (as
silly as it sounds).

Where will the filtering end? Is your NSP/ISP responsible for
filtering virii, spam, phishing? I'm not saying it wouldn't be nice,
but considering the types of attacks we see coupled with the fact that
many enterprise customers are service providers themselves, providing
service to yet other service providers, it is very difficult to take
their decision making power away.

[...]

> surely you realize that this discussion is not about civil rights
> and the constitution, but about combatting terrorists.

And we have always been at war with Eastasia.