Block That Port

Last month, some cretin Out There writes Yet Another Worm called Bl*ster that can infect whole networks at once. That is, whole networks of Windows computers that haven't upgraded their operating systems to incorporate the latest security patches from Microsoft. One of the side features of these infections is a planned denial-of-service attack that was supposed to be launched against Microsoft's WindowsUpdate servers this past weekend.

Like other worms, it propagates via several Internet-facing services. To alert the user community, various authorities issue dire warnings about how to block the culprit and contain its damage. One of these was our federal Department of Homeland Security, at the end of July.

Several broadband network administrators took it upon themselves to cut off from inbound access the three ports recommended by the feds -- ports 135, 139, and 445. This breaks several other legitimate applications (including Outlook/Exchange transactions that occur over the public Internet). Several people complain, specifically when they are told the only way to connect to their Exchange servers is to install a VPN, use Outlook Web Access, or upgrade to Exchange 2003 (which isn't yet available).

Meanwhile, Microsoft notices a coding error in the worm and takes measures to protect itself, specifically putting its Web hosts behind the Akamai caching network and repointing the domain name service entry for windowsupdate.com. This protects it from a DoS attack, but has an added side curiosity: Akamai runs on Linux, so Netcraft (the folks who keep track of this stuff) reports that Microsoft is currently running its Web site on IIS on top of Linux.


During most of last week, my e-mail box fills up with press releases from security companies touting their products' respective abilities to remove, prevent or track these nasty bits of code. Now my inbox is filling with press releases from companies that claim what did or did not happen to Microsoft's site, or new instances of worms that can remove the Bl*ster series and replace them with new, more insidious versions that use even more subtle vectors of infection.

Are you still with me?

So I start digging into the reality of this situation and find that buried in all this information is another weakness that isn't widely publicized. One port that could be a problem is the port used by the Trivial File Transfer Protocol (TFTP), which happens to be port 69 for those of you keeping track. This port wasn't named by the feds as a target. The worm uses this port to move copies of itself to other machines. This is the port that you need to close off, as our own network administrators found out when someone brought his laptop in from home and infected our corporate network last week.
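The two-step pattern described above, a connection to one of the RPC/SMB ports followed shortly by a TFTP transfer between the same two machines, is something a network administrator can look for in firewall logs rather than only blocking ports. The following is an added example, not code from the column or from any vendor; the log line format and the sample lines are constructed for illustration, and the 60-second correlation window is an assumption you would tune to your own network.

```python
"""Correlate firewall log lines to find hosts that hit an RPC/SMB port and then
take part in a TFTP (UDP/69) transfer with the same peer shortly afterwards."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the federal advisory, plus the TFTP port the column adds.
RPC_SMB_PORTS = {135, 139, 445}
TFTP_PORT = 69

# Constructed sample log (not a real capture). Assumed line format:
#   <ISO timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
SAMPLE_LOG = """\
# constructed sample, not a real firewall log
2003-08-18T09:00:01 TCP 10.0.5.23:1034 -> 10.0.5.40:135 ALLOW
2003-08-18T09:00:03 UDP 10.0.5.40:1050 -> 10.0.5.23:69 ALLOW
2003-08-18T09:00:09 TCP 10.0.5.23:1035 -> 10.0.5.41:135 ALLOW
2003-08-18T09:00:12 UDP 10.0.5.41:1051 -> 10.0.5.23:69 ALLOW
2003-08-18T09:05:00 TCP 10.0.7.8:2200 -> 10.0.5.60:445 ALLOW
2003-08-18T09:07:30 TCP 192.0.2.10:3311 -> 10.0.5.70:135 DENY
2003-08-18T10:00:00 UDP 10.0.5.90:1100 -> 10.0.9.1:69 ALLOW
"""


def parse_line(line):
    """Parse one log line into a dict; return None for comments or malformed lines."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    ts, proto, src, _, dst, action = parts
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "proto": proto,
        "src": src_ip,
        "dst": dst_ip,
        "dport": int(dst_port),
        "action": action,
    }


def parse_log(text):
    """Parse every well-formed line of a log, skipping the rest."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def count_by_port(events, ports=RPC_SMB_PORTS | {TFTP_PORT}):
    """How often each watched destination port appears, allowed or denied."""
    counts = defaultdict(int)
    for e in events:
        if e["dport"] in ports:
            counts[e["dport"]] += 1
    return dict(counts)


def find_probe_then_tftp(events, window_seconds=60):
    """Return {probing_host: [peers]} for hosts whose allowed TCP connection to
    an RPC/SMB port is followed, within the window, by an allowed UDP/69
    transfer between the same two addresses (in either direction).

    A lone SMB session or a lone TFTP transfer (say, to a router) is not
    flagged; only the sequence between the same pair is."""
    window = timedelta(seconds=window_seconds)
    events = sorted(events, key=lambda e: e["ts"])
    suspects = defaultdict(set)
    for i, probe in enumerate(events):
        if (probe["proto"] != "TCP" or probe["dport"] not in RPC_SMB_PORTS
                or probe["action"] != "ALLOW"):
            continue
        pair = {probe["src"], probe["dst"]}
        for follow in events[i + 1:]:
            if follow["ts"] - probe["ts"] > window:
                break  # events are time-sorted, nothing later can match
            if (follow["proto"] == "UDP" and follow["dport"] == TFTP_PORT
                    and follow["action"] == "ALLOW"
                    and {follow["src"], follow["dst"]} == pair):
                suspects[probe["src"]].add(probe["dst"])
                break
    return {host: sorted(peers) for host, peers in suspects.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("hits per watched port:", count_by_port(evts))
    for host, peers in find_probe_then_tftp(evts).items():
        print(f"{host} probed RPC/SMB then exchanged TFTP with: {', '.join(peers)}")
```

In the constructed sample, 10.0.5.23 is reported with two peers, while the single SMB session from 10.0.7.8 and the stand-alone TFTP transfer from 10.0.5.90 are left alone. That is the point of correlating rather than blocking blindly: the column's own complaint about Exchange over the public Internet is exactly the kind of legitimate traffic a flat block on 135, 139 and 445 catches.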

Here are my recommendations of what we have learned from these events. First, if the feds are getting into the habit of issuing security warnings, perhaps they should take the time to actually understand the worms, viruses and other malware that are running around the Internet. Second, users of Microsoft Windows need to be more careful about maintaining and upgrading their systems. Certainly, I would strongly recommend that home users place their machines behind a firewall, especially if they are on broadband always-on connections.

Third, if cable and DSL providers are going to routinely block ports on their network, they should also understand why and what breaks as a result. To Cox's credit, it did issue warnings about breaking the Exchange connection. But other ISPs could have done a better job disseminating this information. And the cable companies need to embrace, resell and recommend firewall routers for home networks to protect their customers, rather than turning a blind eye to home networks or telling their customers that they are prohibited from using such gear. Given that D-Link, Netgear and Linksys all make low-end routers for less than $100 now, there is no excuse not to fully support this gear.

Finally, corporate network administrators need to put in place new policies that assume the internal network is no longer composed of trusted machines, and deploy their gear accordingly. There are too many vectors for infection these days; today, everyone is a threat, whether they know it or not.