[Full-disclosure] Re: Quarantine your infected users spreading malware

On Monday 20 February 2006 22:40, Gadi Evron wrote:

Some who are user/broadband ISP's (not say, tier-1 and tier-2's who
would be against it: "don't be the Internet's Firewall") are blocking
ports such as 139 and 445 for a long time now, successfully preventing
many of their users from becoming infected. This is also an excellent
first step for responding to relevant outbreaks and halting their
progress.

Philosophy aside, it works. It stops infections. Period.

Umm.. sorry, but it doesn't. :-)

While blocking ports 139 and 445 does help in reducing the number of infections, it doesn't stop them. We have here mostly user-friendly ISP's that offer antivirus and antispam protection along with blocking ports (turned on by default, and people don't know they can change that), but that just reduced the speed of spreading and gave some more protection to users, but people here still get infected, despite antivirus and port blocking.
Antivirus software can't cope with brand new virus/worm/malware until it is detected and signature is distributed, so there's always a small chance you might get another e-mail that passed the checkpoints. And users are... umm... (searches google for polite variations of "idiot") ... gullible - they will just click on that "free sex" icon.

The other part of the problem is that ISP's (in my country, at least) usually do not offer such services for their lease-line customers, or they charge them pretty penny for such services. Users on leased lines are up to their own defences, which in many cases mean they have little to no defences.

--
Radoslav Dejanovi?
Operacijski sustavi d.o.o.
http://www.opsus.hr_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: Firewalls and ephemeral ports
    ... > firewall is seeing ACK's coming back toward us with the same destination ... > address, but different sending port numbers, and is blocking them. ... UDP or TCP? ... >> ephemeral ports. ...
    (microsoft.public.win32.programmer.networks)
  • Re: Blocking Instant Messengers
    ... Search google for "msn aim tcp port block" Blocking the necessary ports ... on our domain used by internal clients to access the internet, ... Actually, if you're asking this question, I'm assuming your firewall may not ...
    (comp.security.firewalls)
  • Re: Being Hacked - How can I determine who and how?
    ... > Alessandro.....Thank you for your prompt response. ... > firewall, but at this point I'm not blocking any ports ... but if you are not blocking any ports then you ...
    (microsoft.public.security)
  • Re: Being Hacked - How can I determine who and how?
    ... > Alessandro.....Thank you for your prompt response. ... > firewall, but at this point I'm not blocking any ports ... but if you are not blocking any ports then you ...
    (microsoft.public.win2000.security)
  • Re: Blocking IP addresses?
    ... Go to Advanced|Filters in the Linksys BEFSR41. ... > specified range of ports. ... >> If you want to do IP blocking, you need a firewall in addition ... >>to the router's firewall. ...
    (comp.security.firewalls)
Quantcast