[31580] in North American Network Operators' Group

Re: Port 139 scans

daemon@ATHENA.MIT.EDU (John Fraizer)
Fri Sep 29 15:15:27 2000

Date: Fri, 29 Sep 2000 15:13:28 -0400 (EDT)
From: John Fraizer <nanog@EnterZone.Net>
To: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.21.0009271425140.10543-100000@Overkill.EnterZone.Net>
Message-ID: <Pine.LNX.4.21.0009291458260.2910-100000@Overkill.EnterZone.Net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu

OK.  This thing must be spreading like mad!  We're taking several attempts
per second.

It might be a good idea to implement filtering on the borders for TCP SYN
from 0/0 to 0/0 port 7597.  That way, at least it can't be used once it's
installed.

I realize it is unrealistic to block 0/0 to 0/0 port 139 on the borders
without breaking tons of winblows customers.  It sure would be nice
though.  Especially considering the scope of things and how fast it's
spreading.

I believe we've seen this thing on a "test run" in the past few weeks.
It took out a fairly good-sized regional provider four days in a row.
I'm talking DOWN HARD border to border.  All indications are that the
controlling party turned the infected machines into kamikazes and had them
ping smurf amps.  Since the resulting flood of ICMP echo-reply traffic was
targeted at machines all over this provider's network on customer pipes
ranging from 64K to 155M, it was nearly impossible to diagnose.  One
minute, everything was fine.  Next minute, nothing.  It was just dead.

Anyone else have any thoughts on damage control here?

---
John Fraizer
EnterZone, Inc
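One way to spot the two patterns the post describes in a border log, as an added example (not code from the post or from NANOG): bare SYNs to port 139 arriving at several per second from one source, and any SYN toward port 7597. The log line format, addresses, timestamps and rate threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of border-router/firewall log lines (not from the post):
# "<epoch_seconds> <src_ip> -> <dst_ip>:<dst_port> <tcp_flags>"
SAMPLE_LOG = """\
970255200 10.0.0.5 -> 192.0.2.10:139 S
970255200 10.0.0.5 -> 192.0.2.11:139 S
970255200 10.0.0.5 -> 192.0.2.12:139 S
970255200 10.0.0.5 -> 192.0.2.13:139 S
970255201 10.0.0.5 -> 192.0.2.14:139 S
970255201 198.51.100.7 -> 192.0.2.20:139 S
970255201 198.51.100.7 -> 192.0.2.20:139 SA
970255202 203.0.113.9 -> 192.0.2.30:7597 S
"""

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\S+)$")

WATCHED_PORTS = {139, 7597}   # ports named in the post
BACKDOOR_PORT = 7597          # any SYN here is worth a look on its own
SYN_RATE_THRESHOLD = 3        # bare SYNs per source per second (assumed)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, flags = m.groups()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "flags": flags}

def find_suspects(log_text, threshold=SYN_RATE_THRESHOLD):
    """Return {src_ip: [reasons]} for sources matching either pattern."""
    counts = defaultdict(int)      # (src, second, port) -> bare-SYN count
    suspects = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["port"] not in WATCHED_PORTS:
            continue
        if rec["flags"] != "S":    # only bare SYNs, i.e. new connection attempts
            continue
        if rec["port"] == BACKDOOR_PORT:
            suspects[rec["src"]].add("syn-to-7597")
        key = (rec["src"], rec["ts"], rec["port"])
        counts[key] += 1
        if counts[key] >= threshold:
            suspects[rec["src"]].add(f"syn-rate-{rec['port']}")
    return {src: sorted(reasons) for src, reasons in suspects.items()}
```

The source with a single SYN followed by a SYN/ACK is left alone, which is the distinction a border filter on bare SYNs relies on.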