Blocking worms

How to block worms by careful port restrictions.

Once again, more than 500,000 users, by Symantec's estimate, failed to follow the trivial steps required to patch their computers. Again and again, these derelicts give hackers the tools they need to create mischief, but it affects us all, not just those who can't be bothered to patch their machines. This failure was the last straw for many companies.

Many organizations have come to the conclusion that fighting worms from the desktop isn't going to work. They have decided to protect themselves in the network as well by installing Access Control Lists on their routers. Unfortunately, these ACLs will spell the end of some user functionality, but that is always the price we pay for security.

The ACLs identify troublesome ports that are frequently abused by virus writers and, at the same time, rarely used by legitimate traffic, especially to the Internet. Examples of ports that were closed for the MSBlaster and Nachi/Welchia worms of the past few weeks are:

MS DCOM RPC – TCP and UDP port 135
MS SMB – TCP port 445
MS RPC Endpoint Mapper – TCP port 593

While some organizations are a little overzealous, blocking this traffic from passing through any router in their network, you should at least consider installing similar ACLs at your Internet gateway. Installing ACLs on routers is safe and effective, but it usually causes a small performance hit. In high-traffic internal networks, this can be a problem; it is rarely a problem on Internet links.

When you install these ACLs, be sure to block OUTBOUND traffic as well as inbound traffic. The reason is that these worms often have multiple attack vectors. For instance, a user may get the worm from e-mail and then start sending traffic out of your site onto the Internet, so an inbound-only filter does nothing to stop it. This is also why some organizations plan to block these ports at the default gateway of their users, so that one infected user can't spread to the rest of the internal organization. But be careful with this strategy, because there are many worms and many ports to block. Make sure you know which ports the legitimate traffic is using before you deny them.
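To make the ordering and direction points concrete, here is an added example (not from the original article or any router vendor) that models a first-match router ACL in Python: it encodes the three port rules above as deny entries applied regardless of direction, shows that a permit for a known internal file server has to sit above those denies or it is never reached, and flags internal hosts whose denied traffic fans out to many destinations, the pattern an infected machine produces once the outbound block is in place. The 10.0.0.0/8 internal range, the server address and the sample flows are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Ports the article lists for MSBlaster and Nachi/Welchia.
WORM_PORTS = (("tcp", 135), ("udp", 135), ("tcp", 445), ("tcp", 593))
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp", or "ip" (any protocol)
    src: str                # source CIDR
    dst: str                # destination CIDR
    dport: Optional[int]    # destination port, None = any port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport in (None, dport))

def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation, with the implicit deny routers apply when nothing matches."""
    for rule in acl:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"

def worm_acl(internal_net, file_servers=()):
    """Permit known legitimate users of the worm ports first, then deny those ports from
    anywhere to anywhere, then permit the rest. Order matters: with first-match
    evaluation the exception is never reached if the deny sits above it."""
    acl = [Rule("permit", p, internal_net, srv, port)
           for srv in file_servers for p, port in WORM_PORTS]
    acl += [Rule("deny", p, ANY, ANY, port) for p, port in WORM_PORTS]
    acl.append(Rule("permit", "ip", ANY, ANY, None))
    return acl

def suspected_infections(acl, flows, min_denied_targets=10):
    """Sources whose denied flows reach many distinct destinations on the worm ports:
    the fan-out an infected host shows once the outbound deny is in place."""
    targets = {}
    for proto, src, dst, dport in flows:
        if evaluate(acl, proto, src, dst, dport) == "deny":
            targets.setdefault(src, set()).add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_denied_targets)
```

Feed `suspected_infections` the denied-flow records your router logs on the deny entries (the `log` keyword on most platforms) and the hosts it returns are the ones to pull from the network and patch.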


Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.


This was first published in September 2003
