Blaster worm and firewall alarms 2


packdragon
IS-IT--Management
Jan 21, 2003
Hi, I've been receiving an unusual number of NS25 firewall alarms in the form of IP Sweeps. The vast majority of the alarms come from a 206.* IP, the same octet that my domain starts with. Am I correct in assuming this is due to the worm attempting to probe ports randomly in an effort to spread itself? Anyone know?

- Zoe, that's ZOH-EEE, get it right please
- Just a little ol' MCP at Solien Technology
-
 
Packdragon,

A little more info is required on this one.

Firstly, is this traffic arriving on your trust interface or your untrust interface?
Secondly, is this a port scan attempt, or are you experiencing slow/non-existent traffic through the firewall?

If this traffic is originating from your internal LAN, you will want to check the session table (get session) and see what IP the traffic is originating from and what port it is trying to get out on (for Blaster it will be 512,1).

Then add a policy to block this traffic (from trust to untrust a.b.c.d ping deny, where a.b.c.d is the client PC causing the problem), then fix that PC.

If the traffic is arriving on the untrust interface, you will have to rely on screening and letting as little as possible in.

With regard to Blaster, be careful with any/any/any policies, as they allow a user (in the case of Blaster) to unwittingly download it onto their PC. Remember NetScreen devices will permit anything through on an ANY service, as it does not even look at the destination port. Hence nasties like Blaster can get into your LAN, as any traffic or request from an internal source will be permitted.

Hope this helps
 
Thanks for your detailed answer! Upon rereading my post I do see that I left out some vital pieces of information. This "noisy" traffic is coming from the Untrust zone. The source IPs have the same first octet, but the rest of the IP address is completely different from the one hosted behind the firewall.

I thought Blaster spread by directly spreading itself to open ports? I'm interested to know how it can be transmitted via regular traffic. About the only traffic allowed through is HTTP and HTTPS. And am I correct to assume that patched machines are safe regardless?

- Zoe, that's ZOH-EEE, get it right please
- Just a little ol' MCP at Solien Technology
-
 
OK, if the packets are arriving from outside and hitting your firewall, then someone or something is, or may be, scanning you.

As I remember, the Blaster worm propagated by RPC. I.e. over a web client it was possible to carry out an RPC (TCP 135) and then have Explorer crash. Upon restarting, it would then initiate a TFTP download (UDP 69) and Blaster would be on your system. Blaster then propagates over RPC across your LAN to wherever it can get into. (My apologies if this is not the 100% correct propagation method of Blaster; I cannot remember all the ins and outs, but check out an AV site, it'll inform you there.)

Hence, if not needed, you would want to deny ping (with logging on) and deny outbound everything, really, except the specific ports your users need. This is what I meant about a trust to untrust any/any/any permit policy: it opens all ports outbound, so if an internal system is compromised it could feasibly be told to do anything and not have a firewall there to block its progress.

With regard to the traffic arriving at your untrust interface, do you have screening options enabled on your untrust zone? If not, ENABLE them; that's what they are there for. Be careful of using the ActiveX and JavaScript ones though, as this could adversely affect your users' working environments, e.g. a call logging utility may use Java or JavaScript etc.

Also put in a deny-all policy from untrust to trust and enable logging; this will let you know what ports are being hit and from where. Then you can report the abuse to the relevant authority.
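As an added illustration (not code from this thread, from packdragon, or from NetScreen), here is a small Python script that does by hand what the two replies above describe: it reads firewall traffic-log lines, picks out internal hosts that were permitted outbound to the two Blaster ports the second reply names (TCP 135 for the RPC request, UDP 69 for the TFTP pull), picks out external sources that were denied against several internal addresses on one port (the IP-sweep pattern the question describes), and prints ScreenOS-style deny policies for the internal offenders, which is the first reply's "add a policy to block this traffic, then fix that PC" step. The log lines are constructed, not real NS25 output, in a simplified key=value layout; the field names, the threshold of three swept targets, and the exact ScreenOS policy syntax are all assumptions and should be checked against your own device before use.

```python
import re
from collections import defaultdict

# Ports the second reply associates with Blaster: RPC over TCP 135, then a TFTP pull over UDP 69.
BLASTER_PORTS = {("tcp", 135), ("udp", 69)}

# Constructed sample log lines (not real NS25 output). Simplified key=value layout
# loosely modelled on a firewall traffic log; the field names are assumptions.
SAMPLE_LOGS = """\
src_zone=Trust dst_zone=Untrust action=Permit proto=tcp src=10.1.1.5 dst=206.0.5.20 dst_port=135
src_zone=Trust dst_zone=Untrust action=Permit proto=tcp src=10.1.1.5 dst=206.0.5.21 dst_port=135
src_zone=Trust dst_zone=Untrust action=Permit proto=udp src=10.1.1.5 dst=206.0.5.20 dst_port=69
src_zone=Trust dst_zone=Untrust action=Permit proto=tcp src=10.1.1.9 dst=64.233.160.10 dst_port=443
src_zone=Untrust dst_zone=Trust action=Deny proto=tcp src=206.44.7.3 dst=206.1.2.3 dst_port=135
src_zone=Untrust dst_zone=Trust action=Deny proto=tcp src=206.44.7.3 dst=206.1.2.4 dst_port=135
src_zone=Untrust dst_zone=Trust action=Deny proto=tcp src=206.44.7.3 dst=206.1.2.5 dst_port=135
src_zone=Untrust dst_zone=Trust action=Deny proto=tcp src=206.91.0.8 dst=206.1.2.3 dst_port=80
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value log line into a dict; dst_port becomes an int."""
    rec = dict(FIELD_RE.findall(line))
    if "dst_port" in rec:
        rec["dst_port"] = int(rec["dst_port"])
    return rec


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def suspect_internal_hosts(records):
    """Trust-zone hosts that were *permitted* outbound to a Blaster port.

    This is the first reply's 'see what IP the traffic is originating from and
    what port it is trying to get out on' step, done over logs rather than the
    live session table. Returns {src_ip: set of (proto, port) it hit}.
    """
    hits = defaultdict(set)
    for r in records:
        if r.get("src_zone") == "Trust" and r.get("action") == "Permit":
            key = (r["proto"], r["dst_port"])
            if key in BLASTER_PORTS:
                hits[r["src"]].add(key)
    return dict(hits)


def external_sweepers(records, min_targets=3):
    """Untrust sources denied against >= min_targets distinct internal addresses
    on the same port: the IP-sweep pattern the question describes.
    Returns {(src_ip, proto, port): number_of_targets}. min_targets is an assumed threshold.
    """
    targets = defaultdict(set)
    for r in records:
        if r.get("src_zone") == "Untrust" and r.get("action") == "Deny":
            targets[(r["src"], r["proto"], r["dst_port"])].add(r["dst"])
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


def block_policy_lines(hosts, start_id=100):
    """Emit one address object and one deny policy per suspect host, in
    ScreenOS-style syntax (an assumption; verify against your own ScreenOS version)."""
    lines = []
    for i, host in enumerate(sorted(hosts)):
        name = "blaster-" + host.replace(".", "-")
        lines.append('set address "Trust" "%s" %s 255.255.255.255' % (name, host))
        lines.append('set policy id %d from "Trust" to "Untrust" "%s" "Any" "ANY" deny log'
                     % (start_id + i, name))
    return lines


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    internal = suspect_internal_hosts(recs)
    for host, ports in internal.items():
        print("internal host %s reached Blaster ports: %s" % (host, sorted(ports)))
    for (src, proto, port), n in external_sweepers(recs).items():
        print("external %s swept %d internal addresses on %s/%d" % (src, n, proto, port))
    print("\n".join(block_policy_lines(internal)))
```

On the constructed input, the script flags 10.1.1.5 as the internal host that both hit TCP 135 and pulled from UDP 69, reports 206.44.7.3 as sweeping three internal addresses on TCP 135 (the single 206.91.0.8 probe on port 80 stays below the assumed threshold), and prints the two ScreenOS-style lines for 10.1.1.5. A generated deny policy must be moved above any existing any/any/any permit policy to take effect, since policies are matched in order; and, as the first reply says, the policy only contains the host, it does not clean it.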
 