Web Informant #339, 19 August 2003: Block that port

 

http://strom.com/339.html

 

This column is probably more technical than most, so if that intrudes on your summer doldrums I suggest skipping it and going to the movies and seeing Arnold or Seabiscuit. For those of you that are worried about your networks or don't quite understand what has been happening the past few weeks, let me try to see if I can sort through the sequence of events.

 

Last month, some cretin Out There writes Yet Another Worm called Bl*ster that can infect whole networks at once. That is, whole networks of Windows computers who haven't upgraded their operating system to incorporate the latest security patches from Microsoft. One of the side features of these infections was a planned Denial of Service attack that was supposed to be launched against Microsoft's WindowsUpdate servers this past weekend.

 

Like other worms, it propagates via several Internet-based programs. To alert the user community, various authorities issue dire warnings about how to block the culprit and contain its damage. One of these includes our federal Department of Homeland Security, who issues the following warning at the end of July:

http://www.nipc.gov/warnings/advisories/2003/Potential7302003.htm

 

Several broadband network administrators take it upon themselves to cut off from inbound access the three ports recommended by the feds, specifically ports 135, 139, and 445. This breaks several other legitimate applications (including Outlook/Exchange transactions that occur over the public Internet). Several people complain, specifically when they are told the only way to connect to their Exchange servers is to install a VPN, use Outlook Web Access, or upgrade to Exchange 2003 (which isn't yet available). Exchange actually uses a bunch of different ports besides 135, for those of you interested:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;278339

 

Meanwhile, Microsoft notices a coding error in the worm and takes measures to protect itself, specifically putting its Web hosts behind the Akamai caching network and re-pointing the domain name service entry for windowsupdate.com. This protects themselves from a DOS attack, but has an added side curiosity, for those of you who are still with me: Akamai runs on Linux, so Netcraft (the folks that keep track of this stuff) report that Microsoft is currently running their Web site on IIS on top of Linux:

http://uptime.netcraft.com/up/graph?site=www.microsoft.com

 

During most of last week, my email box fills up with press releases from security companies touting their products' respective abilities to remove, prevent or track these nasty bits of code. Now my inbox is filling up with press releases from companies that claim what did or did not happen to Microsoft's site, or new instances of worms that can remove the Bl*ster series and replace with new more insidious versions that use even more subtle vectors of infection.

 

Are you still with me?

 

So I start digging into the reality of this situation and find that buried in all this information is another weakness that isn't widely publicized. One port that could be a problem is the port used by trivial file transfer, which happens to be port 69 for those of you that keeping track. This port wasn't named by the feds as a target. The worm uses this port to move copies of itself to other machines. This is the port that you need to close off, as our own network administrators found out when someone brought their laptop in from home and infected our corporate network last week.

 

Here are my recommendations of what we have learned from these events. First, if the feds are getting into the habit of issuing security warnings, perhaps they should take the time to actually understand the worms, viruses, and other malware that is running around the Internet. Second, users of Microsoft Windows need to be more careful about maintaining and upgrading their systems. Certainly, I would strongly recommend that home users need to place their machines behind a firewall, especially if they are on broadband always-on connections.

 

Third, if cable and DSL providers are going to routinely block ports on their network, they should also understand why and what breaks as a result (to Cox's credit, they did issue warnings about breaking the Exchange connection. But other ISPs could have done a better job disseminating this information. And the cable companies need to embrace, resell, and recommend firewall routers for home networks to protect their customers, rather than turning a blind eye to home networks or telling their customers that they are prohibited from using such gear. Given that Dlink, Netgear and Linksys all make low-end routers for less than $100 now, there is no excuse not to fully support this gear.

 

Finally, corporate network administrators need to put in place new policies that assume the internal network is no longer composed of trusted machines, and deploy their gear accordingly. There are too many vectors for infection these days: today, everyone is a threat, whether they know it or not.

 

A personal note: I will be at our next Xchange conference next week in Orlando, hope to see some of you there. As part of the conference festivities, I will be assembling with the kind folks at the CRN test center a networked "smart home" on our show floor: it should be fun and I thank all the vendors and integrators that are helping us to pull together the demonstration.

 

 

N.B.  This article served as the source of subsequent coverage and my bylined piece in the New York Times and an appearance on Public Radio's OnPoint program.