ISPs are asked to block yet another port
http://www.lurhq.com/popup_spam.html

"LURHQ Corporation has observed traffic to large blocks of IP addresses on udp port 1026. This traffic started around June 18, 2003 and has been constant since that time. LURHQ analysts have determined that the source of the traffic is spammers who have discovered that the Windows Messenger service listens for connections on port 1026 as well as the more widely-known port 135. Windows Messenger has been a target for spammers since late last year, because it allows anonymous pop-up messages to be displayed on any Windows system running the messenger service. Due to widespread abuse, many ISPs have moved to block inbound traffic on udp port 135. It appears the spammers have adapted, so ISPs are urged to block udp port 1026 inbound as well."

How many ports should ISPs block? People still buy and connect insecure computers to the net.
On Monday, 2003-06-23 at 01:59 AST, Sean Donelan <sean@donelan.com> wrote:
http://www.lurhq.com/popup_spam.html
"LURHQ Corporation has observed traffic to large blocks of IP addresses on udp port 1026. This traffic started around June 18, 2003 and has been constant since that time. LURHQ analysts have determined that the source of the traffic is spammers who have discovered that the Windows Messenger service listens for connections on port 1026 as well as the more widely-known port 135. Windows Messenger has been a target for spammers since late last year, because it allows anonymous pop-up messages to be displayed on any Windows system running the messenger service. Due to widespread abuse, many ISPs have moved to block inbound traffic on udp port 135. It appears the spammers have adapted, so ISPs are urged to block udp port 1026 inbound as well."
How many ports should ISPs block? People still buy and connect insecure computers to the net.
Good point. In this case, stateless blocking of traffic to 1026/udp will block several per cent of the responses to DNS queries (in addition to substantial other legitimate traffic). This is a denial of service for your own customers.

Tony Rall
The description by LURHQ is misleading. Messenger is an RPC service. Typical pop-up spammers queried 135 (Windows RPC portmapper) to find the port number of the messenger service, then sent the message to that port. It turns out that messenger can "typically" be found on 1026. And as was noted earlier, unconditionally blocking udp/1026 will cause a lot of collateral damage when udp/1026 outbound is used as an ephemeral port for a legitimate UDP-based service (DNS, NTP, etc).

Jeff
At 2:58 -0400 6/23/03, Jeff Kell wrote:
And as was noted earlier, unconditionally blocking udp/1026 will cause a lot of collateral damage when udp/1026 outbound is used as an ephemeral port for a legitimate UDP-based service (DNS, NTP, etc).
Jeff
It's been a long time since I did any substantial BSD-socket coding, but, back in the day, when you asked for socket 0 in a bind call, the OS would just pick one. The first (unused) one chosen would be 1024, then incrementally pick the next up to some limit where it would then circle around. Most clients (incl. DNS resolvers) would ask for port 0, so, well, y'all can predict the result if you were to filter any of the "user space" ports.

--
Edward Lewis  +1-703-227-9854
ARIN Research Engineer
...as graceful as a blindfolded bull in a china shop...
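The collateral-damage point made by Tony Rall, Jeff Kell and Edward Lewis can be made concrete by comparing the stateless ACL LURHQ asks for with a stateful check over a flow log. This is an added example, not code from the thread; the log layout, addresses and timestamps are constructed.

```python
# Added example (not from the thread): stateless vs stateful handling of
# inbound udp/1026. The flow records and their field layout
# (ts, direction, proto, src, sport, dst, dport) are constructed for illustration.
POPUP_PORT = 1026  # where Windows Messenger's RPC endpoint was typically found

# Constructed flow log: two outbound queries whose ephemeral source port
# happened to be 1026, their replies, and two unsolicited datagrams to 1026.
FLOWS = [
    (1.0, "out", "udp", "10.0.0.5", 1026, "192.0.2.53", 53),       # DNS query
    (1.1, "in",  "udp", "192.0.2.53", 53, "10.0.0.5", 1026),       # DNS reply
    (2.0, "out", "udp", "10.0.0.7", 1026, "192.0.2.123", 123),     # NTP query
    (2.2, "in",  "udp", "192.0.2.123", 123, "10.0.0.7", 1026),     # NTP reply
    (3.0, "in",  "udp", "198.51.100.9", 4000, "10.0.0.5", 1026),   # unsolicited
    (4.0, "in",  "udp", "198.51.100.9", 4000, "10.0.0.8", 1026),   # unsolicited
]

def stateless_block(flows):
    """The ACL LURHQ asks for: drop every inbound datagram to udp/1026."""
    return [f for f in flows if f[1] == "in" and f[2] == "udp" and f[6] == POPUP_PORT]

def stateful_block(flows, window=30.0):
    """Drop inbound udp/1026 only when no matching outbound query was seen
    within `window` seconds; replies to the customer's own queries pass."""
    pending = {}   # (local ip, local port, remote ip, remote port) -> query time
    dropped = []
    for f in sorted(flows):
        ts, direction, proto, src, sport, dst, dport = f
        if proto != "udp":
            continue
        if direction == "out":
            pending[(src, sport, dst, dport)] = ts
        elif dport == POPUP_PORT:
            seen = pending.get((dst, dport, src, sport))
            if seen is None or ts - seen > window:
                dropped.append(f)
    return dropped

def collateral_damage(flows):
    """Legitimate replies the stateless rule discards but the stateful one keeps."""
    kept_by_stateful = set(flows) - set(stateful_block(flows))
    return [f for f in stateless_block(flows) if f in kept_by_stateful]

if __name__ == "__main__":
    print("stateless drops:", len(stateless_block(FLOWS)))
    print("stateful drops: ", len(stateful_block(FLOWS)))
    for f in collateral_damage(FLOWS):
        print("collateral:", f)
```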
Sean Donelan wrote:
http://www.lurhq.com/popup_spam.html
"LURHQ Corporation has observed traffic to large blocks of IP addresses on udp port 1026. [...]
I haven't (yet) seen any scans of port 1026, but looking at my (home) logs I have seen several with a fixed source port of 1026 (destination of 137). Heh.

Peter E. Fry
On Mon, 23 Jun 2003, Sean Donelan wrote:
http://www.lurhq.com/popup_spam.html
How many ports should ISPs block? People still buy and connect insecure computers to the net.
ISPs could block all ports and save everyone the hassle of having an Internet.... (I am just kidding of course)

Two interesting points though:

1) Spammers adapt
2) default insecure OS installs cause problems

Not new points, but interesting nonetheless. Spammers have adapted quite quickly and readily to almost all 'fixes' imposed by providers, and most default OS installs are insecure still after all this time. With notable exceptions most OS installs are still tailored for closed network installs, lots of never-to-be-used ports listening with old versions of daemons installed :(
On Mon, Jun 23, 2003 at 03:59:56PM +0000, Christopher L. Morrow wrote:
On Mon, 23 Jun 2003, Sean Donelan wrote:
http://www.lurhq.com/popup_spam.html
How many ports should ISPs block? People still buy and connect insecure computers to the net.
ISPs could block all ports and save everyone the hassle of having an Internet.... (I am just kidding of course)
Two interesting points though:
1) Spammers adapt
2) default insecure OS installs cause problems
Not new points, but interesting nonetheless. Spammers have adapted quite quickly and readily to almost all 'fixes' imposed by providers, and most default OS installs are insecure still after all this time. With notable exceptions most OS installs are still tailored for closed network installs, lots of never-to-be-used ports listening with old versions of daemons installed :(
I think that many can learn from this. Instead of defaulting with everything enabled, default with the services installed but disabled so they can be easily enabled. This is fairly easy to do and something that has gradually changed in the free UNIX(r) community over the past years. RedHat (for example) no longer enables every possible service by default and requires you to enable these features to protect your machine from being compromised by software you didn't know you had. Not every machine needs to run its own nameserver. While there are some services that are safe(er) to have enabled by default as it improves the usability of the machine, some of these things are just silly to be enabled on consumer (home) machines. I hope all the vendors out there get a clue on this and stop enabling insecure methods of access by default. (e.g. telnet)

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
chris@UU.NET ("Christopher L. Morrow") writes:
ISPs could block all ports and save everyone the hassle of having an Internet.... (I am just kidding of course)
Two interesting points though:
1) Spammers adapt
2) default insecure OS installs cause problems
3) thoughtless reactionism at isp's does little good and sometimes some harm.

take for example port-25 blocking. i've been getting relayprobed all weekend by someone who gets around outbound at&t's tcp/25 SYN blocking by sending their SYN's through a provider who shall remain nameless (except that chris morrow happens to work there :-)) using at&t IP source addresses. i guess they multihomed their host and bind()'d the outbound socket to one interface even while making sure the routing used a different interface. high rocket science? NOT.

so if you're going to block tcp/25 SYNs on outbound, please make sure you block SYN/ACK's on input too, or else you just give the spammers a little more work to do instead of a lot more work to do.

--
Paul Vixie
On 23 Jun 2003, Paul Vixie wrote:
3) thoughtless reactionism at isp's does little good and sometimes some harm.
take for example port-25 blocking. i've been getting relayprobed all weekend by someone who gets around outbound at&t's tcp/25 SYN blocking by sending their SYN's through a provider who shall remain nameless ... so if you're going to block tcp/25 SYNs on outbound, please make sure you block SYN/ACK's on input too, or else you just give the spammers a little more work to do instead of a lot more work to do.
We used to provide dial-up ports to a large cut-rate dial provider who I'm not going to name. Their reaction to such games was to send in their radius auth packets data filters to block both outgoing to port 25 and incoming from port 25. There's nothing silly about restricting use of tcp/25 for dial-ups and other dynamics...you just have to do it right to be 100% effective.

----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org* | I route
System Administrator         | therefore you are
Atlantic Net                 |
http://www.lewis.org/~jlewis/pgp for PGP public key
On Mon, 23 Jun 2003, Paul Vixie wrote:
chris@UU.NET ("Christopher L. Morrow") writes:
ISPs could block all ports and save everyone the hassle of having an Internet.... (I am just kidding of course)
Two interesting points though:
1) Spammers adapt
2) default insecure OS installs cause problems
3) thoughtless reactionism at isp's does little good and sometimes some harm.
indeed it does... breaking the network with acls often gets me in trouble :) Really, there are always better solutions than mass filtering something like this.
take for example port-25 blocking. i've been getting relayprobed all weekend by someone who gets around outbound at&t's tcp/25 SYN blocking by sending their SYN's through a provider who shall remain nameless (except that chris morrow happens to work there :-)) using at&t IP source addresses. i guess they multihomed their host and bind()'d the outbound socket to one interface even while making sure the routing used a different interface. high rocket science? NOT.
This is what our abuse team, at least, calls 'fantasy mail'. There is a fix for it, port 25 in and out filtering for radius customers. The 'problem' as I understand it, is that the change would be a contract change so it has to wait for expiration of said contract to be enforced... :( It's a sucky world sometimes. Perhaps Paul complained to ATT/<other-unnamed-provider> with logs and such? :)
so if you're going to block tcp/25 SYNs on outbound, please make sure you block SYN/ACK's on input too, or else you just give the spammers a little more work to do instead of a lot more work to do.
Yup, this is in the works also... and yes, someone realized quickly enough that the one-way filtering was dumb. oh well. live and learn!
Christopher L. Morrow wrote:
This is what our abuse team, at least, calls 'fantasy mail'. There is a fix for it, port 25 in and out filtering for radius customers. The 'problem' as I understand it, is that the change would be a contract change so it has to wait for expiration of said contract to be enforced... :( It's a sucky world sometimes. Perhaps Paul complained to ATT/<other-unnamed-provider> with logs and such? :)
There is another fix for it. If neither provider allowed spoofing, then the individual couldn't send spoofed packets out one way and allow the syn/ack back via the other. Of course, there are better reasons for spoof protection ingress/egress than a little port 25 traffic.

-Jack
jbates@brightok.net (Jack Bates) writes:
There is another fix for it. If neither provider allowed spoofing, then the individual couldn't send spoofed packets out one way and allow the syn/ack back via the other. Of course, there are better reasons for spoof protection ingress/egress than a little port 25 traffic.
until the larger isp's start writing BCP38 conformance into both their peering agreements AND their customer agreements, we're not going to see any improvements in source address authenticity. see also ICANN SAC004 (http://www.icann.org/committees/security/sac004.txt).

--
Paul Vixie
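To see why the one-way tcp/25 filter Paul Vixie describes fails, and what his inbound SYN/ACK rule and Jack Bates's spoof protection each add, here is an added example (not from the thread) that evaluates simplified filter policies at two providers' edges against the asymmetric handshake described above. All addresses, ranges and the Packet layout are constructed; handshake_completes(policy_a, policy_b) reports whether both halves of the handshake get through.

```python
# Added example (not from the thread): egress tcp/25 filtering policies
# evaluated against the asymmetric handshake Paul Vixie describes.
# Addresses, ranges and the Packet layout are constructed for illustration.
from collections import namedtuple
from ipaddress import ip_address, ip_network

SMTP = 25
PROVIDER_A = ip_network("203.0.113.0/24")   # constructed: edge with the SYN filter
PROVIDER_B = ip_network("198.51.100.0/24")  # constructed: edge with no filter
MAIL = "192.0.2.25"                          # constructed: relay being probed

# direction is "out" (customer -> Internet) or "in"; flags "S" = SYN, "SA" = SYN/ACK
Packet = namedtuple("Packet", "direction src sport dst dport flags")

def no_policy(p, customer_net):
    return "accept"

def syn_only_policy(p, customer_net):
    """One-way filter criticised in the thread: only outbound SYNs to 25 are dropped."""
    if p.direction == "out" and p.dport == SMTP and p.flags == "S":
        return "drop"
    return "accept"

def bcp38_policy(p, customer_net):
    """Source-address validation only: outbound traffic must come from our own range."""
    if p.direction == "out" and ip_address(p.src) not in customer_net:
        return "drop"
    return "accept"

def two_way_policy(p, customer_net):
    """Vixie's fix plus BCP38: drop outbound SYN to 25, inbound SYN/ACK from 25,
    and any outbound packet sourced outside the customer range."""
    if bcp38_policy(p, customer_net) == "drop":
        return "drop"
    if p.direction == "out" and p.dport == SMTP and p.flags == "S":
        return "drop"
    if p.direction == "in" and p.sport == SMTP and p.flags == "SA":
        return "drop"
    return "accept"

# The SYN leaves through provider B carrying a provider A source address,
# so the SYN/ACK returns through provider A, which never saw the SYN.
SYN_VIA_B = Packet("out", "203.0.113.10", 40000, MAIL, SMTP, "S")
SYNACK_VIA_A = Packet("in", MAIL, SMTP, "203.0.113.10", 40000, "SA")

def handshake_completes(policy_a, policy_b):
    """True when neither edge drops its half of the spoofed-source handshake."""
    return (policy_b(SYN_VIA_B, PROVIDER_B) == "accept"
            and policy_a(SYNACK_VIA_A, PROVIDER_A) == "accept")
```

With A on syn_only_policy and B on no_policy the handshake completes; either two_way_policy at A or bcp38_policy at B alone is enough to stop it.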
* chris@UU.NET (Christopher L. Morrow) [Mon 23 Jun 2003, 18:01 CEST]: [..]
Two interesting points though:
1) Spammers adapt
2) default insecure OS installs cause problems
Employees of XS4ALL, a Dutch ISP, today held several talks about a variety of subjects for its customers to celebrate its 10th anniversary. One of the talks was about security in general, held by Scott McIntyre. Hopefully he'll have the slides on soon because it was an excellent talk, in which he touched upon several subjects mentioned in this thread (spammers, trojans, viruses, default installations being vulnerable, that port blocking is not a solution at all).

I'll post a URL when it becomes available.

Regards,

-- Niels.

--
The generation of random numbers is too important to leave to chance
On Tue, 24 Jun 2003, Niels Bakker wrote:
* chris@UU.NET (Christopher L. Morrow) [Mon 23 Jun 2003, 18:01 CEST]: [..]
Two interesting points though:
1) Spammers adapt
2) default insecure OS installs cause problems
Employees of XS4ALL, a Dutch ISP, today held several talks about a variety of subjects for its customers to celebrate its 10th anniversary. One of the talks was about security in general, held by Scott McIntyre. Hopefully he'll have the slides on soon because it was an excellent talk, in which he touched upon several subjects mentioned in this thread (spammers, trojans, viruses, default installations being vulnerable, that port blocking is not a solution at all).
I'll post a URL when it becomes available.
Sweet, too many people just don't take security very seriously :( It's a shame really, security only seems to matter when the sky is falling, it's not taken as a daily necessity.

-Chris