[59270] in North American Network Operators' Group
Re: ISPs are asked to block yet another port
daemon@ATHENA.MIT.EDU (Tony Rall)
Mon Jun 23 02:17:56 2003
In-Reply-To: <Pine.GSO.4.44.0306230153120.22857-100000@clifden.donelan.com>
To: nanog@merit.edu
From: Tony Rall <trall@almaden.ibm.com>
Date: Mon, 23 Jun 2003 00:16:50 -0600
Errors-To: owner-nanog-outgoing@merit.edu
On Monday, 2003-06-23 at 01:59 AST, Sean Donelan <sean@donelan.com> wrote:
> http://www.lurhq.com/popup_spam.html
>
> "LURHQ Corporation has observed traffic to large blocks of IP addresses on
> udp port 1026. This traffic started around June 18, 2003 and has been
> constant since that time. LURHQ analysts have determined that the source
> of the traffic is spammers who have discovered that the Windows Messenger
> service listens for connections on port 1026 as well as the more
> widely-known port 135. Windows Messenger has been a target for spammers
> since late last year, because it allows anonymous pop-up messages to be
> displayed on any Windows system running the messenger service. Due to
> widespread abuse, many ISPs have moved to block inbound traffic on udp
> port 135. It appears the spammers have adapted, so ISPs are urged to block
> udp port 1026 inbound as well."
>
>
> How many ports should ISPs block? People still buy and connect insecure
> computers to the net.
Good point. In this case, stateless blocking of traffic to 1026/udp will
block several per cent of the responses to dns queries (in addition to
substantial other legitimate traffic). This is a denial of service for
your own customers.
Tony Rall
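
Added example, not part of the original message: a small simulation of the collateral damage described above, comparing a stateless inbound drop on 1026/udp with a flow-aware rule over constructed packets. The addresses, the packet model, the function names and the stateful variant are assumptions introduced for contrast; the message itself discusses only stateless blocking.

```python
from collections import namedtuple

# All addresses, ports and packets below are constructed sample data.
Packet = namedtuple("Packet", "direction proto src sport dst dport note")

BLOCKED_PORT = 1026  # udp port the quoted advisory asks ISPs to block inbound

def stateless_drops(packets):
    """Rule with no flow context: drop every inbound udp packet to 1026."""
    return [p for p in packets
            if p.direction == "in" and p.proto == "udp" and p.dport == BLOCKED_PORT]

def stateful_drops(packets):
    """Drop inbound udp to 1026 only if the customer never opened that flow.

    Simplification: flows never expire; a real tracker times them out.
    """
    flows, dropped = set(), []
    for p in packets:
        if p.direction == "out":
            flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        elif p.proto == "udp" and p.dport == BLOCKED_PORT:
            # A reply reverses the endpoints of the outbound packet.
            if (p.proto, p.dst, p.dport, p.src, p.sport) not in flows:
                dropped.append(p)
    return dropped

CUSTOMER, RESOLVER, SENDER = "192.0.2.10", "198.51.100.53", "203.0.113.7"
SAMPLE = [
    # Customer's resolver socket happens to use source port 1026 (assumption).
    Packet("out", "udp", CUSTOMER, 1026, RESOLVER, 53, "dns-query"),
    Packet("in", "udp", RESOLVER, 53, CUSTOMER, 1026, "dns-response"),
    # Unsolicited Messenger pop-up sent to the same port.
    Packet("in", "udp", SENDER, 40000, CUSTOMER, 1026, "popup-spam"),
    # The same lookup from another ephemeral port is unaffected either way.
    Packet("out", "udp", CUSTOMER, 1027, RESOLVER, 53, "dns-query"),
    Packet("in", "udp", RESOLVER, 53, CUSTOMER, 1027, "dns-response-1027"),
]

if __name__ == "__main__":
    for name, fn in (("stateless", stateless_drops), ("stateful", stateful_drops)):
        print(name, "drops:", [p.note for p in fn(SAMPLE)])
```

The stateless rule discards the customer's own DNS answer along with the pop-up, while the flow-aware rule discards only the unsolicited packet.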