North American Network Operators Group


Re: BCP for ISP to block worms at PEs and NAS

  • From: Sean Donelan
  • Date: Sun Apr 17 20:41:01 2005

On Sun, 17 Apr 2005, Christopher L. Morrow wrote:
> one approach might be radius installed filters? some contract language to
> allow 'customers' to request standard templated filters at little/no-extra
> cost to them. Allow them to make the decision to filter themselves (where
> 'themselves' may be a dial reseller, of course).  Making them responsible
> means when odd-application-12 comes along to utilize tcp/135 you won't
> have to poke spot holes through your filters to permit this access.

Microsoft (the company that cares about security) has already done that
for you by implementing RPC-over-HTTP complete with the same
vulnerabilities as RPC-over-135. The sad thing is the number of computers
using RPC/Netbios outnumbers the number of computers using SSH.

Most former @Home cable providers have blocked various rpc/netbios
(network neighborhood) ports for years because people used to be able to
see their neighbor's computers in the Windows rpc/netbios browser.  You
probably want to be a bit careful, because some people use remote
Exchange/Outlook which uses RPC.  Ephemeral ports can be used by
anything, although in practice they are not randomly distributed.
Programmers are humans, and they tend to have favorites and those
favorites are exploited by attackers.

If we lived in a perfect world, everything would be perfect. But we
live in a world where 300 million computers do stupid things and Microsoft
sells over 10 million new Windows licenses a month.  On the other hand,
the number of people who actually want to use RPC over the Internet is a
very small number.  Is it more practical for the few people who want to
use RPC over the Internet to make special arrangements; or to keep
millions of computers at risk?

A few other comments.  Port 136 is not used by Microsoft.  Port 5554 is
probably too specific to a single worm, which is on the decline.