Re: ISPs are asked to block yet another port

2003-06-24 Thread Paul Vixie

> > Security is a lifestyle.
>
> People laugh when I say this, do they laugh when you say it?

you have to turn it around, insecurity is a lifestyle, before people
will skip the polite (because they think you're joking and it isn't
funny) or nervous (because they think you're paranoid) laughter.

lately i've been thinking about trust and privacy and confidence, and
it's really icky how the more digital communications tools we get the
less right to control our information experience we have.  e-mail is
among several things which hasn't further liberated any individuals but
which quite a few large companies consider a great boon -- precisely
because they can shift costs down into the noise level and stop
considering the desirability or usefulness of their outbound messaging.
but it's not just e-mail, it's on my phone and on my fax machine and
on my SMS PDA and oh what a mess.

trustlessness is a lifestyle.
-- 
Paul Vixie


Re: [RE: ISPs are asked to block yet another port]

2003-06-24 Thread Joshua Sahala



Christopher L. Morrow [EMAIL PROTECTED] wrote:
>
>
> On Tue, 24 Jun 2003, gml wrote:
>
> > Security is a lifestyle.
>
>
> People laugh when I say this, do they laugh when you say it?
>
usually they remember a very important event that must be attended to,
and assure me that they do believe in security and appreciate what i
am saying (as they walk away laughing behind their hands).

[cut]

> > Sweet, too many people just don't take security very seriously :(
> > It's a shame really, security only seems to matter when the sky is
> > falling, it's not taken as a daily necessity.
>
> > -Chris
>

it has been my experience that the sky must fall before they 
(pointy-haired managers) start pointing fingers (at the security 
minded).  then there is a brief period of fear in which things start
to get moving...which dwindles into the same [avoidance|excuses] as
before.  

/joshua


Walk with me through the Universe,
 And along the way see how all of us are Connected.
 Feast the eyes of your Soul,
 On the Love that abounds.
 In all places at once, seemingly endless,
 Like your own existence.
 - Stephen Hawking -




Re: ISPs are asked to block yet another port

2003-06-24 Thread Christopher L. Morrow


On Tue, 24 Jun 2003, Paul Vixie wrote:


> > > Security is a lifestyle.
>
> > People laugh when I say this, do they laugh when you say it?

> you have to turn it around, insecurity is a lifestyle, before people
> will skip the polite (because they think you're joking and it isn't
> funny) or nervous (because they think you're paranoid) laughter.

I'll attempt this in the future :) Though normally I ascribe the laughter
to my height... not my paranoia :)


> lately i've been thinking about trust and privacy and confidence, and
> it's really icky how the more digital communications tools we get the
> less right to control our information experience we have.  e-mail is
> among several things which hasn't further liberated any individuals but
> which quite a few large companies consider a great boon -- precisely
> because they can shift costs down into the noise level and stop
> considering the desirability or usefulness of their outbound messaging.
> but it's not just e-mail, it's on my phone and on my fax machine and
> on my SMS PDA and oh what a mess.

> trustlessness is a lifestyle.
> --
> Paul Vixie



ISPs are asked to block yet another port

2003-06-23 Thread Sean Donelan

http://www.lurhq.com/popup_spam.html

LURHQ Corporation has observed traffic to large blocks of IP addresses on
udp port 1026. This traffic started around June 18, 2003 and has been
constant since that time. LURHQ analysts have determined that the source
of the traffic is spammers who have discovered that the Windows Messenger
service listens for connections on port 1026 as well as the more
widely-known port 135. Windows Messenger has been a target for spammers
since late last year, because it allows anonymous pop-up messages to be
displayed on any Windows system running the messenger service. Due to
widespread abuse, many ISPs have moved to block inbound traffic on udp
port 135. It appears the spammers have adapted, so ISPs are urged to block
udp port 1026 inbound as well.


How many ports should ISPs block?  People still buy and connect insecure
computers to the net.




Re: ISPs are asked to block yet another port

2003-06-23 Thread Tony Rall

On Monday, 2003-06-23 at 01:59 AST, Sean Donelan [EMAIL PROTECTED] wrote:
> http://www.lurhq.com/popup_spam.html
>
> LURHQ Corporation has observed traffic to large blocks of IP addresses on
> udp port 1026. This traffic started around June 18, 2003 and has been
> constant since that time. LURHQ analysts have determined that the source
> of the traffic is spammers who have discovered that the Windows Messenger
> service listens for connections on port 1026 as well as the more
> widely-known port 135. Windows Messenger has been a target for spammers
> since late last year, because it allows anonymous pop-up messages to be
> displayed on any Windows system running the messenger service. Due to
> widespread abuse, many ISPs have moved to block inbound traffic on udp
> port 135. It appears the spammers have adapted, so ISPs are urged to block
> udp port 1026 inbound as well.
>
>
> How many ports should ISPs block?  People still buy and connect insecure
> computers to the net.

Good point.  In this case, stateless blocking of traffic to 1026/udp will 
block several per cent of the responses to dns queries (in addition to 
substantial other legitimate traffic).  This is a denial of service for 
your own customers.

Tony Rall


Re: ISPs are asked to block yet another port

2003-06-23 Thread Jeff Kell
The description by LURHQ is misleading.  Messenger is an RPC service.
Typical pop-up spammers queried 135 (Windows RPC portmapper) to find the
port number of the messenger service, then sent the message to that
port.  It turns out that messenger can typically be found on 1026.

And as was noted earlier, unconditionally blocking udp/1026 will cause
a lot of collateral damage when udp/1026 outbound is used as an 
ephemeral port for a legitimate UDP-based service (DNS, NTP, etc).

Jeff



Re: ISPs are asked to block yet another port

2003-06-23 Thread Edward Lewis
At 2:58 -0400 6/23/03, Jeff Kell wrote:
> And as was noted earlier, unconditionally blocking udp/1026 will cause
> a lot of collateral damage when udp/1026 outbound is used as an ephemeral port
> for a legitimate UDP-based service (DNS, NTP, etc).
> Jeff
It's been a long time since I did any substantial BSD-socket coding, 
but, back in the day, when you asked for socket 0 in a bind call, the 
OS would just pick one.  The first (unused) one chosen would be 1024, 
then incrementally pick the next up to some limit where it would then 
circle around.  Most clients (incl. DNS resolvers) would ask for port 
0, so, well, y'all can predict the result if you were to filter any 
of the user space ports.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis    +1-703-227-9854
ARIN Research Engineer
...as graceful as a blindfolded bull in a china shop...
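Added illustration of the point Tony Rall, Jeff Kell and Edward Lewis make above (not code from any of them): a stateless inbound drop of udp/1026 also discards legitimate DNS replies to a client whose resolver happened to get 1026 from bind(0), while a filter that tracks the outbound query still rejects the unsolicited pop-up datagram. The sequential port allocation from 1024 and all addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass
from itertools import count

EPHEMERAL_START = 1024  # first port handed out for bind(0), as Lewis recalls

# constructed addresses: a customer host and its recursive resolver
CLIENT, RESOLVER = "198.51.100.7", "203.0.113.53"


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def stateless_block_1026(pkt):
    """The LURHQ advice applied literally: drop any inbound datagram to
    port 1026 no matter what the customer sent before."""
    return pkt.dst_port != 1026


class StatefulFilter:
    """Admit inbound udp/1026 only as the answer to a datagram that was
    seen leaving the customer (flow tracked by its 4-tuple)."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return True

    def inbound(self, pkt):
        if pkt.dst_port != 1026:
            return True
        # a reply carries the query's 4-tuple reversed
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows


def dropped_dns_replies(n_queries, policy):
    """The customer issues n_queries lookups, each from a fresh bind(0)
    socket, so source ports run 1024, 1025, 1026, ...  Returns how many
    replies the ISP's inbound filter discards under the given policy."""
    ports = count(EPHEMERAL_START)
    sf = StatefulFilter()
    dropped = 0
    for _ in range(n_queries):
        sport = next(ports)
        query = UdpPacket(CLIENT, sport, RESOLVER, 53)
        reply = UdpPacket(RESOLVER, 53, CLIENT, sport)
        if policy == "stateless":
            ok = stateless_block_1026(reply)
        else:
            sf.outbound(query)
            ok = sf.inbound(reply)
        dropped += 0 if ok else 1
    return dropped


def popup_spam_admitted(policy):
    """An unsolicited datagram to udp/1026, the pop-up spam LURHQ describes;
    both policies must reject it."""
    pkt = UdpPacket("192.0.2.9", 1026, CLIENT, 1026)  # constructed sender
    if policy == "stateless":
        return stateless_block_1026(pkt)
    return StatefulFilter().inbound(pkt)
```

With ten lookups the stateless rule loses exactly the third reply, the one whose query left from port 1026; the stateful rule loses none and still drops the pop-up.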


Re: ISPs are asked to block yet another port

2003-06-23 Thread Peter E. Fry

Sean Donelan wrote:
>
> http://www.lurhq.com/popup_spam.html
>
> LURHQ Corporation has observed traffic to large blocks of IP addresses on
> udp port 1026. [...]

  I haven't (yet) seen any scans of port 1026, but looking at my (home)
logs I have seen several with a fixed source port of 1026 (destination
of 137).  Heh.

Peter E. Fry


Re: ISPs are asked to block yet another port

2003-06-23 Thread Christopher L. Morrow


On Mon, 23 Jun 2003, Sean Donelan wrote:


> http://www.lurhq.com/popup_spam.html

> How many ports should ISPs block?  People still buy and connect insecure
> computers to the net.



ISPs could block all ports and save everyone the hassle of having an
Internet (I am just kidding of course)

Two interesting points though:

1) Spammers adapt
2) default insecure OS installs cause problems

Not new points, but interesting nonetheless. Spammers have adapted quite
quickly and readily to almost all 'fixes' imposed by providers and most
default OS installs are insecure still after all this time. With notable
exceptions most OS installs are still tailored for closed network
installs, lots of never-to-be-used ports listening with old versions of
daemons installed :(


Re: ISPs are asked to block yet another port

2003-06-23 Thread Jared Mauch

On Mon, Jun 23, 2003 at 03:59:56PM +, Christopher L. Morrow wrote:
> On Mon, 23 Jun 2003, Sean Donelan wrote:
> > http://www.lurhq.com/popup_spam.html
>
> > How many ports should ISPs block?  People still buy and connect insecure
> > computers to the net.
>
> ISPs could block all ports and save everyone the hassle of having an
> Internet (I am just kidding of course)
>
> Two interesting points though:
>
> 1) Spammers adapt
> 2) default insecure OS installs cause problems
>
> Not new points, but interesting nonetheless. Spammers have adapted quite
> quickly and readily to almost all 'fixes' imposed by providers and most
> default OS installs are insecure still after all this time. With notable
> exceptions most OS installs are still tailored for closed network
> installs, lots of never-to-be-used ports listening with old versions of
> daemons installed :(

I think that many can learn from this.

Instead of defaulting with everything enabled, default with the
services installed but disabled so they can be easily enabled.  This
is fairly easy to do and something that has gradually changed in the
free UNIX(r) community over the past years.

RedHat (for example) no longer enables every possible service
by default and requires you to enable these features to protect your
machine from being compromised by software you didn't know you had.

Not every machine needs to run its own nameserver.

While there are some services that are safe(er) to have enabled
by default as it improves the usability of the machine, some of
these things are just silly to be enabled on consumer (home) machines.

I hope all the vendors out there get a clue on this and stop
enabling insecure methods of access by default.  (eg: telnet)

- Jared

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: ISPs are asked to block yet another port

2003-06-23 Thread Paul Vixie

[EMAIL PROTECTED] (Christopher L. Morrow) writes:

> ISPs could block all ports and save everyone the hassle of having an
> Internet (I am just kidding of course)
>
> Two interesting points though:
>
> 1) Spammers adapt
> 2) default insecure OS installs cause problems

3) thoughtless reactionism at isps does little good and sometimes some harm.

take for example port-25 blocking.  i've been getting relayprobed all
weekend by someone who gets around outbound att's tcp/25 SYN blocking
by sending their SYNs through a provider who shall remain nameless
(except that chris morrow happens to work there :-)) using att IP
source addresses.  i guess they multihomed their host and bind()'d the
outbound socket to one interface even while making sure the routing
used a different interface.  high rocket science?  NOT.

so if you're going to block tcp/25 SYNs on outbound, please make sure
you block SYN/ACKs on input too, or else you just give the spammers a
little more work to do instead of a lot more work to do.
-- 
Paul Vixie


Re: ISPs are asked to block yet another port

2003-06-23 Thread jlewis

On 23 Jun 2003, Paul Vixie wrote:

> 3) thoughtless reactionism at isps does little good and sometimes some harm.
>
> take for example port-25 blocking.  i've been getting relayprobed all
> weekend by someone who gets around outbound att's tcp/25 SYN blocking
> by sending their SYNs through a provider who shall remain nameless
...
> so if you're going to block tcp/25 SYNs on outbound, please make sure
> you block SYN/ACKs on input too, or else you just give the spammers a
> little more work to do instead of a lot more work to do.

We used to provide dial-up ports to a large cut-rate dial provider who I'm
not going to name.  Their reaction to such games was to send, in their
radius auth packets, data filters to block both outgoing to port 25 and
incoming from port 25.

There's nothing silly about restricting use of tcp/25 for dial-ups and
other dynamics...you just have to do it right to be 100% effective.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 System Administrator|  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: ISPs are asked to block yet another port

2003-06-23 Thread Christopher L. Morrow


On Mon, 23 Jun 2003, Paul Vixie wrote:


> [EMAIL PROTECTED] (Christopher L. Morrow) writes:

> > ISPs could block all ports and save everyone the hassle of having an
> > Internet (I am just kidding of course)
>
> > Two interesting points though:
>
> > 1) Spammers adapt
> > 2) default insecure OS installs cause problems

> 3) thoughtless reactionism at isps does little good and sometimes some harm.

indeed it does... breaking the network with acls often gets me in trouble
:) Really, there are always better solutions than mass filtering something
like this.


> take for example port-25 blocking.  i've been getting relayprobed all
> weekend by someone who gets around outbound att's tcp/25 SYN blocking
> by sending their SYNs through a provider who shall remain nameless
> (except that chris morrow happens to work there :-)) using att IP
> source addresses.  i guess they multihomed their host and bind()'d the
> outbound socket to one interface even while making sure the routing
> used a different interface.  high rocket science?  NOT.

This is what our abuse team, at least, calls 'fantasy mail'. There is a fix
for it, port 25 in and out filtering for radius customers. The 'problem',
as I understand it, is that the change would be a contract change so it
has to wait for expiration of said contract to be enforced... :( It's a
sucky world sometimes. Perhaps Paul complained to
ATT/other-unnamed-provider with logs and such? :)


> so if you're going to block tcp/25 SYNs on outbound, please make sure
> you block SYN/ACKs on input too, or else you just give the spammers a
> little more work to do instead of a lot more work to do.

Yup, this is in the works also... and yes, someone realized quickly enough
that the one-way filtering was dumb. oh well. live and learn!


Re: ISPs are asked to block yet another port

2003-06-23 Thread Jack Bates
Christopher L. Morrow wrote:

> This is what our abuse team, at least, calls 'fantasy mail'. There is a fix
> for it, port 25 in and out filtering for radius customers. The 'problem',
> as I understand it, is that the change would be a contract change so it
> has to wait for expiration of said contract to be enforced... :( It's a
> sucky world sometimes. Perhaps Paul complained to
> ATT/other-unnamed-provider with logs and such? :)
There is another fix for it. If neither provider allowed spoofing, then 
the individual couldn't send spoofed packets out one way and allow the 
syn/ack back via the other. Of course, there are better reasons for 
spoof protection ingress/egress than a little port 25 traffic.

-Jack
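Added example (not code from Paul Vixie, Jack Bates or either provider) modelling the three edge policies discussed above as functions over constructed TCP segments: the outbound-only SYN block, the inbound SYN/ACK block Vixie asks for, and the ingress anti-spoof filter Bates suggests at the second provider. The prefixes and addresses are assumed documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# constructed documentation prefixes standing in for the two providers
PROVIDER_A_POOL = ip_network("198.51.100.0/24")  # "att"-style dynamic pool
PROVIDER_B_CUST = ip_network("203.0.113.0/24")   # the unnamed second provider
MAIL_SERVER = "192.0.2.25"                        # a relay being probed


@dataclass(frozen=True)
class TcpSegment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset   # e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})


def no_filter(seg, direction):
    return True


def a_outbound_only(seg, direction):
    """Provider A's original rule: drop customer SYNs to tcp/25 on the way out."""
    return not (direction == "out" and seg.flags == {"SYN"} and seg.dst_port == 25)


def a_both_ways(seg, direction):
    """Vixie's fix: additionally drop inbound SYN/ACKs from tcp/25 addressed
    to the dynamic pool, so a SYN sent out elsewhere never gets its answer."""
    if not a_outbound_only(seg, direction):
        return False
    returning = (direction == "in" and seg.flags == {"SYN", "ACK"}
                 and seg.src_port == 25 and ip_address(seg.dst_ip) in PROVIDER_A_POOL)
    return not returning


def b_ingress_antispoof(seg, direction):
    """Bates's fix at the other provider: a customer may only source packets
    from its own prefix (ingress filtering in the BCP38 sense)."""
    return not (direction == "out" and ip_address(seg.src_ip) not in PROVIDER_B_CUST)


def handshake_completes(a_policy, b_policy):
    """The flow from the thread: the SYN carries an A-pool source address but
    leaves through provider B; the SYN/ACK is routed back through A."""
    claimed_src = "198.51.100.77"                 # address in A's pool
    syn = TcpSegment(claimed_src, 40001, MAIL_SERVER, 25, frozenset({"SYN"}))
    synack = TcpSegment(MAIL_SERVER, 25, claimed_src, 40001, frozenset({"SYN", "ACK"}))
    if not b_policy(syn, "out"):      # A never sees this SYN at all
        return False
    return a_policy(synack, "in")     # only A can stop the answer


def direct_customer_syn_blocked(a_policy):
    """Sanity check: a SYN that really leaves through A is still dropped."""
    syn = TcpSegment("198.51.100.5", 40002, MAIL_SERVER, 25, frozenset({"SYN"}))
    return not a_policy(syn, "out")
```

Either fix alone breaks the handshake: the two-way filter at A, or ingress filtering at B, each turns the one-way block from "a little more work" into a real barrier.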



Re: ISPs are asked to block yet another port

2003-06-23 Thread Paul Vixie

> It's a sucky world sometimes. Perhaps Paul complained to
> ATT/other-unnamed-provider with logs and such? :)

oh yes.  i tried *several* ways to get their attention.  however, this
kind of activity is so common these days that a noc literally has no
choice but to focus their efforts on less common and more damaging
things than relayprobing.  so i was not shocked that they did not
answer me.

> > so if you're going to block tcp/25 SYNs on outbound, please make sure
> > you block SYN/ACKs on input too, or else you just give the spammers a
> > little more work to do instead of a lot more work to do.
>
> Yup, this is in the works also... and yes, someone realized quickly enough
> that the one-way filtering was dumb. oh well. live and learn!

that's good news, thanks for sharing it.  any schedule for a fix :-) ??


Re: ISPs are asked to block yet another port

2003-06-23 Thread Christopher L. Morrow


On Mon, 23 Jun 2003, Paul Vixie wrote:


> > It's a sucky world sometimes. Perhaps Paul complained to
> > ATT/other-unnamed-provider with logs and such? :)

> oh yes.  i tried *several* ways to get their attention.  however, this
> kind of activity is so common these days that a noc literally has no
> choice but to focus their efforts on less common and more damaging
> things than relayprobing.  so i was not shocked that they did not
> answer me.

So, for unnamed-provider-X you have an Abuse Ticket number? Perhaps you
could send the one you think might apply to me off-list? :)


> > > so if you're going to block tcp/25 SYNs on outbound, please make sure
> > > you block SYN/ACKs on input too, or else you just give the spammers a
> > > little more work to do instead of a lot more work to do.
>
> > Yup, this is in the works also... and yes, someone realized quickly enough
> > that the one-way filtering was dumb. oh well. live and learn!

> that's good news, thanks for sharing it.  any schedule for a fix :-) ??


I do not know what the timeframe is :( Sorry.


Re: ISPs are asked to block yet another port

2003-06-23 Thread Niels Bakker

* [EMAIL PROTECTED] (Christopher L. Morrow) [Mon 23 Jun 2003, 18:01 CEST]:
[..]
> Two interesting points though:
>
> 1) Spammers adapt
> 2) default insecure OS installs cause problems

Employees of XS4ALL, a Dutch ISP, today held several talks about a
variety of subjects for its customers to celebrate its 10th anniversary.
One of the talks was about security in general, held by Scott McIntyre.
Hopefully he'll have the slides on soon because it was an excellent
talk, in which he touched upon several subjects mentioned in this thread
(spammers, trojans, viruses, default installations being vulnerable,
 that port blocking is not a solution at all).

I'll post a URL when it becomes available.

Regards,


-- Niels.

-- 
  The generation of random numbers is
 Too important to leave to chance


Re: ISPs are asked to block yet another port

2003-06-23 Thread Christopher L. Morrow



On Tue, 24 Jun 2003, Niels Bakker wrote:


> * [EMAIL PROTECTED] (Christopher L. Morrow) [Mon 23 Jun 2003, 18:01 CEST]:
> [..]
> > Two interesting points though:
>
> > 1) Spammers adapt
> > 2) default insecure OS installs cause problems

> Employees of XS4ALL, a Dutch ISP, today held several talks about a
> variety of subjects for its customers to celebrate its 10th anniversary.
> One of the talks was about security in general, held by Scott McIntyre.
> Hopefully he'll have the slides on soon because it was an excellent
> talk, in which he touched upon several subjects mentioned in this thread
> (spammers, trojans, viruses, default installations being vulnerable,
>  that port blocking is not a solution at all).

> I'll post a URL when it becomes available.

Sweet, too many people just don't take security very seriously :( It's a
shame really, security only seems to matter when the sky is falling, it's
not taken as a daily necessity.

-Chris


RE: ISPs are asked to block yet another port

2003-06-23 Thread Christopher L. Morrow


On Tue, 24 Jun 2003, gml wrote:

> Security is a lifestyle.


People laugh when I say this, do they laugh when you say it?

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Christopher L. Morrow
> Sent: Tuesday, June 24, 2003 12:00 AM
> To: Niels Bakker
> Cc: [EMAIL PROTECTED]
> Subject: Re: ISPs are asked to block yet another port


> On Tue, 24 Jun 2003, Niels Bakker wrote:

>
> > * [EMAIL PROTECTED] (Christopher L. Morrow) [Mon 23 Jun 2003, 18:01 CEST]:
> > [..]
> > > Two interesting points though:
> >
> > > 1) Spammers adapt
> > > 2) default insecure OS installs cause problems
> >
> > Employees of XS4ALL, a Dutch ISP, today held several talks about a
> > variety of subjects for its customers to celebrate its 10th anniversary.
> > One of the talks was about security in general, held by Scott McIntyre.
> > Hopefully he'll have the slides on soon because it was an excellent
> > talk, in which he touched upon several subjects mentioned in this thread
> > (spammers, trojans, viruses, default installations being vulnerable,
> >  that port blocking is not a solution at all).
> >
> > I'll post a URL when it becomes available.

> Sweet, too many people just don't take security very seriously :( It's a
> shame really, security only seems to matter when the sky is falling, it's
> not taken as a daily necessity.

> -Chris