Re: Would a firewall prevent Sasser worm?

From: Claudio (Delete_fa1_at_italtrade.net)
Date: 05/04/04


Date: Tue, 04 May 2004 21:50:44 +0200

On Tue, 04 May 2004 18:11:22 GMT, Leythos <void@nowhere.com> wrote:

>I put this back on the ISP's - they provide a open connection and don't
>warn the unsuspecting public about the risk/problems. If they just
>enabled NAT by default on their routers (DSL or Cable) most of this
>problem would go away.

The problem will not go away.
Look at my case. My ISP (FastWeb in Itay) has implemented a somewhat
weird solution: I am connected to their router which has NAT enabled.
This it is not a safety choice but a must since behind their router
they use IPs not allocated by APNIC
This looks at first sight a safe approach.
However if i look at the log of MY own hardware router is full of
attempts to reach port 135, 136, 137, 138, 139, 445, etc.
They are from other users like me which are behind the same ISP
router and are all scanning in the range of IPs assigned by the ISP's
DHCP.
Most of this guys are infected by warms, virus, etc. , but they don't
know it. All is needed is one infected computer behind the ISP router
and it will spread the problem pretty fast.

While writing I am checking my router log. Between 21:31 and 21:37 I
see the following attempts (in sequence) : port 445, 135, 445, 135,
445, 445. Roughly one a minute.



Relevant Pages

  • Re: Would a firewall prevent Sasser worm?
    ... >enabled NAT by default on their routers most of this ... I am connected to their router which has NAT enabled. ... They are from other users like me which are behind the same ISP ... All is needed is one infected computer behind the ISP router ...
    (comp.security.misc)
  • Re: Would a firewall prevent Sasser worm?
    ... >enabled NAT by default on their routers most of this ... I am connected to their router which has NAT enabled. ... They are from other users like me which are behind the same ISP ... All is needed is one infected computer behind the ISP router ...
    (alt.computer.security)
  • Re: D-link dsl-504 cant block ports
    ... Have you enabled NAT, DHCP, etc on the router? ... What else did you configure or did not configure on this DSL router? ... thus putting firewall software on the machines does not change the equation. ...
    (alt.computer.security)
  • Re: Unstable connection using a Linksys BEFW11S4 and Netopia 2241N
    ... I enabled NAT on the router and disabled NAT on the modem. ... problems with my past setup. ... the WRT54GS w/speed booster is about the same price as the ...
    (alt.internet.wireless)
  • Re: A Sorry Tale
    ... result I now have a perfectly good ASDL router that will only work on a 10. ... certain Well-Known Trick to make sure it's not actually the ISP. ... system which *does not support DTMF*, so I can't get through the ISP's ... I notice the connection is now back up. ...
    (alt.sysadmin.recovery)