Re: Probes on Port 135 and 445 continue

From: Leythos (
Date: 10/14/04

Date: Wed, 13 Oct 2004 23:05:33 GMT

In article <>,
ibuprofin@painkiller.example.tld says...
> In article <>,
> Leythos wrote:
> >In article <>,
> >ibuprofin@painkiller.example.tld says...
> >As I said before, and many times with this idea, if you need a public IP
> >all you have to do is request it, the default will be NAT.
> You really think that would last more than a day or two? The lusers
> whining "the internet is broken", and tech support trying to explain
> this crap, then offering to provide a public IP. Or do you propose to
> make that a premium feature at a minor extra cost? Yeah, let's see how
> long that one lasts.

I base my assumption on the fact that I've not seen one person, with
kids even, have a problem with a NAT box connected to their cable/dsl
modem to a point that they've even asked about it. Sure, people will
have problems, but I would guess, based on personal experience, that 90%
of all users at the ISP will not experience any problem with anything
they do.

> >I found several state agencies that were running all of their computers
> >on public IPs, in fact, they had a firewall, but it was setup to pass
> >ALL traffic in/out without restrictions - funny way of doing it.
> I think it is fairly well known that a lot of people shouldn't be allowed
> near computers. But how did _you_ convince the state agency that their
> current setup was insane - and then get the bean counters to agree to
> pay for it?

A simple external and internal scan provided documented holes, and
Homeland Defense money provided the ability to fund the change. For most
people the ROI is based on having lived through an outbreak and having
the actual, real, costs documented and then basing the change to prevent
it from happening again. It's not hard to justify costs most of the
time; actually getting the funding is another issue altogether.

> You might also want to look at the third article in the Risks-Forum Digest
> for Tuesday 12 October 2004 (Volume 23, Issue 56) which you can find as
> the Usenet newsgroup 'comp.risks'. Colorado DMV disabled for a week with
> a computer virus. If the story (via Denver Post) is correct, "every
> computer in the system" got reinstalled. Whoopie!

Yep, I've seen entire corporate installations taken down due to lax
security measures, seen entire plants stop because of a person bringing
in an infection from an FTP server on their home computer.....

> >We converted them to 32 Public IPs natted through the firewall, and then
> >4 class C segments using private addresses. Took about a week due to
> >some desktop machines having Fixed IPs.
> Boy, you wouldn't like our setup - we have ALL of our systems on fixed
> IPs, and monitor the IP/MAC relationship for security purposes. The
> monitor is just a perl script talking to the servers and routers grabbing
> their ARP cache every N minutes. We also use a passive O/S fingerprinting
> tool.

It's good that you have a setup, but there really is no need for public
IPs on every device in a network, only the outward facing systems need
them. As for fixed IPs, that's nice, and has its own set of issues and

> But you failed to answer this one:
> >> How do you propose that they fund the effort
> >> to change all of the un-needed public IPs to RFC1918.

I don't, and don't have to worry about it. Since NAT won't be going away
I don't see a problem.

> It's not as if this effort is cost-free - if it were, you wouldn't be doing
> it. I'm sure there is considerable gnashing of teeth in Colorado right now,
> but how soon do you see that being translated into them instituting proper
> security procedures other than something cosmetic that the PHBs will
> consider adequate. Now, someone should take the "Chainsaw of Enlightenment"
> to the staff - but the chances of that happening are...
> >As a matter of fact, I have done this, and it's not easy. We do it over
> >a weekend and after staging things during the month before it.
> Great - Ohio State University seems to have (at least) three public /16s.
> Ohio U seems to only have one, as does Ohio Northern and Cleveland State.
> How long to convert those six? And that magic question - how do you
> convince the board of regents (or whatever) to spend those bucks.

While OSU has at least three /16s (I'll take your word), I don't see
that it makes any real difference - EDUs were what started all of this
for the most part. They can have a /8 for all I care. Just because they
have a bunch of public IPs doesn't mean that their internal devices are
all using public IPs.

I did a review of a large hospital in LA, more than 800 nodes in the
main building, VLANs, VPNs, etc.... Multiple locations in the city, and
many connections to off-campus sites. Their infrastructure was based on
a private address scheme where only outward facing systems that provided
external services got exposed through the firewalls - there was not a
single public IP being used on any internal system.

I'll stick with blocking the ports until we get secure systems by

(Remove 999 to reply to me)
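Added example (not part of the thread, and not the perl script the quoted poster describes): a small Python monitor in the spirit of the IP/MAC consistency check discussed above. It parses two constructed snapshots in Linux `ip neigh show` style, the kind of output you would pull from routers and servers every N minutes, and flags an IP that is now answered by a different MAC, a MAC that has moved to a different IP, pairs not in the vetted baseline, and, per the "only outward facing systems need public IPs" point, any internal host sitting on a non-RFC1918 address. The snapshots, hostnames and alert kinds are assumptions for illustration; collection over SSH/SNMP is left out.

```python
"""ARP-cache consistency monitor (added example; snapshots are constructed)."""
import ipaddress
import re
from dataclasses import dataclass

# Matches e.g. "10.1.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE".
# Lines without "lladdr" (FAILED / INCOMPLETE) carry no MAC and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17})"
)

# RFC1918 space, spelled out rather than using ipaddress.is_private, which
# also treats documentation/test ranges as private.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Alert:
    kind: str    # ip_moved | mac_moved | new_pair | not_rfc1918
    ip: str
    mac: str
    detail: str


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh show` style output (IPv4 only here)."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        if ipaddress.ip_address(m.group("ip")).version != 4:
            continue  # simplification: the example tracks IPv4 neighbours only
        table[m.group("ip")] = m.group("mac").lower()
    return table


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def diff_tables(baseline, current):
    """Compare a vetted baseline {ip: mac} against a fresh snapshot."""
    alerts = []
    base_by_mac = {mac: ip for ip, mac in baseline.items()}
    for ip, mac in current.items():
        old_mac = baseline.get(ip)
        if old_mac is None:
            alerts.append(Alert("new_pair", ip, mac, "pair not in baseline"))
        elif old_mac != mac:
            # Classic ARP-spoof / re-imaged-host signal: same IP, new MAC.
            alerts.append(Alert("ip_moved", ip, mac, f"was {old_mac}"))
        old_ip = base_by_mac.get(mac)
        if old_ip is not None and old_ip != ip:
            # A known NIC now claims another address (IP theft, static clash).
            alerts.append(Alert("mac_moved", ip, mac, f"was at {old_ip}"))
    # Hosts present in the baseline but absent now are not alerted on:
    # a powered-off box simply ages out of the cache.
    return alerts


def audit_addressing(table):
    """Flag any internal neighbour that is not on RFC1918 space."""
    return [Alert("not_rfc1918", ip, mac, "internal host on a public address")
            for ip, mac in table.items() if not is_rfc1918(ip)]


def check_snapshot(baseline_text, current_text):
    baseline = parse_neigh(baseline_text)
    current = parse_neigh(current_text)
    return diff_tables(baseline, current) + audit_addressing(current)


# Constructed sample data: a vetted baseline and a later poll of the same box.
BASELINE_SNAPSHOT = """\
10.1.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.1.1.11 dev eth0 lladdr 00:11:22:33:44:66 STALE
10.1.1.12 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
10.1.1.13 dev eth0 lladdr 00:11:22:33:44:88 REACHABLE
"""

CURRENT_SNAPSHOT = """\
10.1.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.1.1.11 dev eth0 lladdr DE:AD:BE:EF:00:01 REACHABLE
10.1.1.12 dev eth0 FAILED
10.1.1.13 dev eth0 lladdr 00:11:22:33:44:88 REACHABLE
10.1.1.20 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
203.0.113.5 dev eth0 lladdr 00:11:22:33:44:99 REACHABLE
"""

if __name__ == "__main__":
    for a in check_snapshot(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT):
        print(f"{a.kind:12} {a.ip:15} {a.mac}  {a.detail}")
```

In the sample poll, 10.1.1.11 answering from a new MAC is the spoof-shaped event; 10.1.1.12's NIC showing up as 10.1.1.20 is reported twice (unknown pair plus a MAC that moved), which is the kind of thing a static-IP shop with a DHCP-less desktop would see after a careless readdress; and 203.0.113.5 is caught only by the addressing audit, since nothing else about it looks wrong.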