Home page logo

nanog logo nanog mailing list archives

Re: ISPs are asked to block yet another port
From: Tony Rall <trall () almaden ibm com>
Date: Mon, 23 Jun 2003 00:16:50 -0600

On Monday, 2003-06-23 at 01:59 AST, Sean Donelan <sean () donelan com> wrote:

"LURHQ Corporation has observed traffic to large blocks of IP addresses 
udp port 1026. This traffic started around June 18, 2003 and has been
constant since that time. LURHQ analysts have determined that the source
of the traffic is spammers who have discovered that the Windows 
service listens for connections on port 1026 as well as the more
widely-known port 135. Windows Messenger has been a target for spammers
since late last year, because it allows anonymous pop-up messages to be
displayed on any Windows system running the messenger service. Due to
widespread abuse, many ISPs have moved to block inbound traffic on udp
port 135. It appears the spammers have adapted, so ISPs are urged to 
udp port 1026 inbound as well."

How many ports should ISPs block?  People still buy and connect insecure
computers to the net.

Good point.  In this case, stateless blocking of traffic to 1026/udp will 
block several per cent of the responses to dns queries (in addition to 
substantial other legitimate traffic).  This is a denial of service for 
your own customers.

Tony Rall

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]