Re: Would a firewall prevent Sasser worm?

From: Claudio (Delete_fa1_at_italtrade.net)
Date: 05/04/04


Date: Tue, 04 May 2004 21:50:44 +0200

On Tue, 04 May 2004 18:11:22 GMT, Leythos <void@nowhere.com> wrote:

>I put this back on the ISPs - they provide an open connection and don't
>warn the unsuspecting public about the risk/problems. If they just
>enabled NAT by default on their routers (DSL or Cable) most of this
>problem would go away.

The problem will not go away.
Look at my case. My ISP (FastWeb in Italy) has implemented a somewhat
weird solution: I am connected to their router which has NAT enabled.
This is not a safety choice but a must, since behind their router
they use IPs not allocated by APNIC.
This looks at first sight like a safe approach.
However, if I look at the log of MY own hardware router, it is full of
attempts to reach port 135, 136, 137, 138, 139, 445, etc.
They are from other users like me who are behind the same ISP
router and are all scanning in the range of IPs assigned by the ISP's
DHCP.
Most of these guys are infected by worms, viruses, etc., but they don't
know it. All that is needed is one infected computer behind the ISP router
and it will spread the problem pretty fast.

While writing I am checking my router log. Between 21:31 and 21:37 I
see the following attempts (in sequence): port 445, 135, 445, 135,
445, 445. Roughly one a minute.
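
Added example, not part of the original post: a small log filter that separates probes coming from neighbours inside the ISP's NAT range from other dropped traffic, for the ports the post lists. The log line format, the `10.20.0.0/16` range and all sample addresses are constructed assumptions; adapt the regex to what your own router writes.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the post (Windows RPC / NetBIOS / SMB).
WATCHED_PORTS = {135, 136, 137, 138, 139, 445}

# Hypothetical log format: "HH:MM:SS DROP IN PROTO SRC:sport -> DST:dport"
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) DROP IN (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines; the port sequence mirrors the one in the post.
SAMPLE_LOG = """\
21:31:07 DROP IN TCP 10.20.4.17:3312 -> 10.20.9.80:445
21:32:02 DROP IN TCP 10.20.7.201:1045 -> 10.20.9.80:135
21:33:15 DROP IN TCP 10.20.4.17:3390 -> 10.20.9.80:445
21:34:11 DROP IN TCP 198.51.100.23:4410 -> 10.20.9.80:80
21:34:40 DROP IN TCP 10.20.7.201:1099 -> 10.20.9.80:135
21:35:58 DROP IN TCP 10.20.12.5:2201 -> 10.20.9.80:445
21:36:30 malformed line
21:36:49 DROP IN TCP 10.20.4.17:3467 -> 10.20.9.80:445
"""

def neighbour_probes(log_text, isp_net):
    """Return {source_ip: [(time, port), ...]} for watched-port
    attempts whose source lies inside the ISP-internal range."""
    net = ipaddress.ip_network(isp_net)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in an unexpected format
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # e.g. "999.1.1.1" passes the regex but is not an IP
        port = int(m["dport"])
        if port in WATCHED_PORTS and src in net:
            hits[str(src)].append((m["time"], port))
    return dict(hits)

if __name__ == "__main__":
    found = neighbour_probes(SAMPLE_LOG, "10.20.0.0/16")
    for src, events in sorted(found.items()):
        ports = sorted({p for _, p in events})
        print(f"{src}: {len(events)} attempts, ports {ports}")
```

A source that shows up repeatedly here sits behind the same ISP router as you, which is the case the ISP's NAT does nothing to filter.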