Date: Mon, 21 Oct 2002 07:46:12 -0700
To: uciscc@uci.edu
From: Steve Carlyle
Subject: Re: [UCISCC] NetBIOS ports to be blocked Nov 5th

I look forward to having these ports blocked. Since NACS' network security group implemented the "Top 10 Talkers"[1] list I have discovered numerous machines used as warez[2] sites or to launch DOS[3] attacks.

Normally we are not aware that a machine has been compromised until [NACS Network Planning and Security] notifies us. The reason is that there are simply too many computers in research labs and elsewhere that we do not have direct control over but are required to support (the last estimate was over 600 machines spread across 12 subnets and seven buildings). In addition, the majority of the users do not take sufficient steps to protect their computers. Administrative passwords are usually weak or non-existent and security patches are rarely installed, making these machines prized targets for hackers.

In a scan of Bio Sci's networks done on Friday, over 90% of the security issues are related to NetBIOS/SMB. If 90% of my external security issues can be resolved by simply blocking NetBIOS at the campus border, I'm all for it. If [NACS Network Planning and Security] had not taken the proactive stance of implementing filters at the border to filter out NetBIOS port scans, exploits such as BugBear[4] and SMBDIE[5] could have caused major issues for many of us on campus.

I realize that blocking these ports will cause issues for some people and the VPN software may or may not resolve their problems. However, I believe blocking these ports at the border will be as valuable to the CSCs as virus-scanning and SPAM-filtering have been on the MTAs.

Steve Carlyle
Computer Resources Manager
Biological Sciences, UCI

----------------------------------------------------------------------

[1] Top Talkers... a list of top network bandwidth users at UCI which is produced and used by NACS to look for unusual bandwidth usage, such as is generated by Warez sites or DOS attacks (see below).

[2] Warez... a term used by software "pirates" to describe software that has been stripped of its copy-protection and made available on the Internet for downloading. This includes copyrighted movies, music, and software programs.

[3] DOS... Denial of Service. Any of a number of different attacks which have the specific goal of causing a network or computer outage. Your computer, if taken over for the purpose of launching a DOS attack, is referred to as a Zombie.

[4] BugBear... aka Tanat, Tanatos, WORM_NATOSTA.A, W32/Bugbear@MM, I-Worm/Keywo, and W32/Bugbear-A. It is a network-aware worm, which spreads initially by sending emails containing attachments and then, once established on a machine, by locating shared Windows resources on your network to which it can copy itself. Note that W32/Bugbear-A tries to copy itself to all types of shared network resource, including printers. Printers cannot become infected, but they will attempt to print out the raw binary data of W32/Bugbear-A's executable code. This usually results in many wasted pages.

[5] SMBDIE... aka "Troj/SMBDie-A"; may be used to launch DoS (Denial-of-Service) attacks against remote computers by sending a specially crafted SMB request to port 139.