More port blocking


Chris
06-11-2003, 12:29
Posted on .com on Tuesday:

http://www.nthellworld.com/article/?action=show&id=363

This article admits that some home users will be affected but claims that 'legitimate' home use ought to exclude the services likely to be affected. So what exactly is 'legitimate' home use? For years folks have used home phones for business calls. We have used home computers to pick up our email. Now, some people who pick up business email using one of the ports that are to be blocked are to be penalised. This seems unfair.

The thing that is most bothersome however is right towards the bottom of the article:

Ports 1433 (TCP), 1434 (UDP)
Blocking these ports is likely to prevent the use of MS SQL Server and on occasion disrupt normal connections. This disruption is because these ports are above 1024. Ports above 1024 are used occasionally for 'temporary' communications e.g. the fetching of web pages. This is not a common practice, but it is worth noting that blocking these 2 ports may cause the (very) occasional "page not found" error due to port blocking. In these cases, if a customer tries to load the page again, or visit another site, the connection will work as normal.
So, occasionally even perfectly normal web browsing is going to result in 'page not found' errors.

Thanks, ntl.

Stuart W
06-11-2003, 12:51
Saying that people already use their phone / internet for business is no defence unfortunately. We all know lots of people speed when driving, but this does not stop speed cameras.
When you get residential services, that's what you get. If you need business services, you should pay for them.

Having said that, I must question ntl's ham-fisted methods.....The Welchia and Blaster worms spread over port 135, which has already been blocked, but virus writers can make variants of these that spread over other ports, and so ntl are blocking these to reduce the potential danger to our customers

So what if the virus ends up using thousands of different ports? Will ntl block them all one by one, slowly restricting its customers to only the most limited HTTP and FTP browsing?

Mark W
06-11-2003, 13:00
Having said that, I must question ntl's ham-fisted methods.....

So what if the virus ends up using thousands of different ports? Will ntl block them all one by one, slowly restricting its customers to only the most limited HTTP and FTP browsing?

Fair point, but if you were an ISP provider, what would you do to minimise the threat of these virii? :shrug:

Stuart W
06-11-2003, 13:11
I guess I'd try to keep my customers informed of the latest exploited ports and link to free port blocking / firewall software.

I'd also provide links to the most popular anti-virus updates.

Mind you, it's all too easy for me to sit here in front of my PC dictating how a company should handle hundreds of thousands, if not millions of customers.
I have been responsible for a network of just 200 or so PCs and keeping AV up-to-date on them was bad enough. The trouble comes with the users. The biggest problem I had was that I would roll out an AV update and people would cancel it when they log on because it's "quicker"!

So in all honesty, I guess I'm not totally sure what I would do if I were ntl. But as a guess, I'm going for keeping customers informed and walled garden for infected customers.

philip.j.fry
06-11-2003, 13:13
Fair point, but if you were an ISP provider, what would you do to minimise the threat of these virii? :shrug:

Provide users with antivirus and firewall software.

This port blocking has got to stop. I saw the sense in blocking port 135 to stop the spread of the newest viruses, however I saw it as a temporary measure to allow users time to update their security. Slowly however, by blocking these ports, NTL are restricting the functionality of the Internet for their users. Just saying that these ports are not commonly used is not good enough, the ports are provided for a reason :/

As for the 'you may get page not found errors occasionally', isn't that just normal with NTL DNS :)

Time to head back over to anticap methinks :D

preacher
06-11-2003, 13:27
I guess I'd try to keep my customers informed of the latest exploited ports and link to free port blocking / firewall software.

I'd also provide links to the most popular anti-virus updates.

Mind you, it's all too easy for me to sit here in front of my PC dictating how a company should handle hundreds of thousands, if not millions of customers.
I have been responsible for a network of just 200 or so PCs and keeping AV up-to-date on them was bad enough. The trouble comes with the users. The biggest problem I had was that I would roll out an AV update and people would cancel it when they log on because it's "quicker"!

So in all honesty, I guess I'm not totally sure what I would do if I were ntl. But as a guess, I'm going for keeping customers informed and walled garden for infected customers.

I personally think that keeping up to date with recent virus' and port probs etc is down to individual users and M$ themselves!

If my car was found to have a faulty bearing, I wouldn't expect the Council who supply access to the roads to inform me but the makers of the car and my own research!

Not to say that ntl should wipe their hands of all assistance, but they are at the end of the day a service provider, not an anti-virus company!

I keep my pc up to date with security info and have subscribed to the Trendmicro and Norton newsletters to make sure I am kept abreast of new instances of nasty virus!

homealone
06-11-2003, 13:36
hmm - "damned if you do, damned if you don't" springs to mind.:erm:

- If ntl don't block ports there will be those who complain they are doing nothing to help protect their customers. If they do block ports there will be those who complain they are not being provided with a 'full' service.

Longer term, education & promoting awareness of the issues is preferable to port blocking. But, having recently seen my firewall being hit every 10 seconds for weeks on end, there are obviously loads of people out there who have no idea how to protect themselves.

Short term, without introducing terms and conditions that e.g. insist on customers having a firewall & antivirus before connection, I think port blocking is at least proactive and shouldn't affect the majority of customers - whether it should continue & for how long are other issues.:shrug:

Mark W
06-11-2003, 13:39
I personally think that keeping up to date with recent virus' and port probs etc is down to individual users and M$ themselves!

If my car was found to have a faulty bearing, I wouldn't expect the Council who supply access to the roads to inform me but the makers of the car and my own research!

Not to say that ntl should wipe their hands of all assistance, but they are at the end of the day a service provider, not an anti-virus company!

I keep my pc up to date with security info and have subscribed to the Trendmicro and Norton newsletters to make sure I am kept abreast of new instances of nasty virus!

at the risk of being flamed for a pro ntl comment :D I agree with that.

I also use a car simile - if you crash your car, and you weren't wearing your seatbelt, it's hardly the fault of the car manufacturer you broke your nose is it?
keeping your pc safe is your responsibility.

If ntl were to start supporting firewalls and a/viruses, the next step would be removing the virii....then what about repairing the damage done by the virii? As we are repairing the pc, why not support the customer's pc as a whole too..... and on and on and on.

You have to draw a line somewhere. NTL are an ISP - an INTERNET SERVICE PROVIDER, not a PC or software supplier. As such, why should we support those too?

I agree, we should make customers aware of the perils of the internet, and that's why we now supply a booklet with new installs (and possibly existing ntl customers, as I got one in the post the other day) - describing firewalls and a/virus programs, why they are needed and best places to look for them. It also gives some basic internet troubleshooting advice

Paul
06-11-2003, 13:39
Q. When is an ISP not an ISP ?

A. When it's NTL.

I pay for access to the Internet - all of it - not the parts that NTL think I need. Can I expect a reduction in price now I have a reduction in service ?

Stuart W
06-11-2003, 13:39
I personally think that keeping up to date with recent virus' and port probs etc is down to individual users and M$ themselves!
The problem with that is, the people who haven't bothered / don't know about AV / port blocking slow the whole network down for the rest of us. We then blame the ISP.

If my car was found to have a faulty bearing, I wouldn't expect the Council who supply access to the roads to inform me but the makers of the car and my own research!
Sorry, crap analogy.
There isn't anyone writing scripts to take advantage of anti-theft devices, but manufacturers are making it ever harder to steal cars.

Not to say that ntl should wipe their hands of all assistance, but they are at the end of the day a service provider, not an anti-virus company!

I keep my pc up to date with security info and have subscribed to the Trendmicro and Norton newsletters to make sure I am kept abreast of new instances of nasty virus!
Like I said, I'd make the info and patches / AV updates available to customers and use the walled garden approach to infected customers.

[Edit] Double post...

at the risk of being flamed for a pro ntl comment :D I agree with that.

I also use a car simile - if you crash your car, and you weren't wearing your seatbelt, it's hardly the fault of the car manufacturer you broke your nose is it?
keeping your pc safe is your responsibility.



OK, going with the car analogy, we are told we have to wear seatbelts. There is a penalty if we don't.

We should be told about AV / Port blocking by the ISP and they should be able to "walled garden" the people who don't bother.

Mark W
06-11-2003, 13:47
We should be told about AV / Port blocking by the ISP and they should be able to "walled garden" the people who don't bother.

NTL ARE telling people about the port blocking - ok, in the process of blocking them I admit - but to be honest, how many people are going to have the faintest idea what they are on about?

And they ARE putting customers in a walled garden if they are suspected of having a virus - that's been going on for a few weeks now :)

philip.j.fry
06-11-2003, 13:52
Don't get me wrong, I don't blame NTL for all of the virii going around, the fault lies solely with the virus writers.

To continue with the car analogy, we licence people to drive cars and people first have to demonstrate an understanding of the car before they are allowed out on the road.

In the not-so-distant past, people's computer knowledge didn't matter so much as their computers were mostly stand-alone machines. Now we have a huge connected network where people's use of their computers affects other people (liken to a car being driven in an empty field and a car being driven on a busy road). I think there is a case for people having to pass a computer 'driving' test before being allowed loose on the 'net.

Education is the only solution to the problem, port blocking is a temporary fix at best.

Stuart W
06-11-2003, 13:58
NTL ARE telling people about the port blocking - ok, in the process of blocking them I admit - but to be honest, how many people are going to have the faintest idea what they are on about?

And they ARE putting customers in a walled garden if they are suspected of having a virus - that's been going on for a few weeks now :)

I know... I was re-iterating an earlier post ;)

preacher
06-11-2003, 14:05
I think there is a case for people having to pass a computer 'driving' test before being allowed loose on the 'net.

Education is the only solution to the problem, port blocking is a temporary fix at best.

Outside of work this is the first time I have heard someone actually admit to this. Not stating that you are uneducated in computers :rofl:

I agree 100% that too many people these days are buying internet ready PCs and don't have the faintest idea what it entails!

Many of them do not even know where the Address bar is, relying on the search bar to get around with. These people, though not stupid in any way, are just not prepared for what the other, less friendly people on the internet have to throw at them!

I think that ntl sending out a booklet with every install will never happen purely down to the costs of printing hundreds of thousands of them when many of the users probably will never even read them! Maybe a link on the reg pointing to a site that gives basic info on what to expect (even if it is not on Ntl server) would help but then again, how many people are actually gonna use it?

Getting everyone to take an interest in what to expect is a pipe dream at best....people want the internet coz it is the 'in thing' and for a quick fix...nothing more and many people seem to live with the idea that "It'll never happen to me" which sadly is no longer the case!

philip.j.fry
06-11-2003, 14:23
Outside of work this is the first time I have heard someone actually admit to this. Not stating that you are uneducated in computers :rofl:


I should hope I'm educated by now, if not I'll be in trouble when I reach my finals at the end of the semester :spin:

preacher
06-11-2003, 14:41
I should hope I'm educated by now, if not I'll be in trouble when I reach my finals at the end of the semester :spin:

:LOL: Good luck with them matey! :Peace:

albone
07-11-2003, 19:52
I personally think the best way to approach this problem, is for NTL to place a virus protector on their side, so that all downloads are virus free! That way if a virus is detected, it would get bashed on the head before the unsuspecting public get the hassles. Surely that would be far easier than blocking ports and having to try and educate some of the 'know-it-alls' there are around, who think they are not ever likely to be infected and refuse point blank to have any virus/firewall on their computer. A lot of computer suppliers are now making sure they are sold with it anyway (if they are reputable that is).

Maggy
07-11-2003, 20:53
I personally think the best way to approach this problem, is for NTL to place a virus protector on their side, so that all downloads are virus free! That way if a virus is detected, it would get bashed on the head before the unsuspecting public get the hassles. Surely that would be far easier than blocking ports and having to try and educate some of the 'know-it-alls' there are around, who think they are not ever likely to be infected and refuse point blank to have any virus/firewall on their computer. A lot of computer suppliers are now making sure they are sold with it anyway (if they are reputable that is).

Would this be financially viable? Because I suspect it would just put up costs. As a customer who has got AV and a firewall that I have paid for, I don't see why costs should go up because there are those that won't listen to reason.

incog. :kiss:

Alan Waddington
07-11-2003, 21:21
I don't have a major problem with blocking the Microsoft networking related ports (135, 137, 445 etc.) but question blocking ports above 1024. I don't think many home users run MS SQL, so why is this considered a risk? The other port mentioned in NTL's news item appears to relate to a port used by trojan software. Since trojans can be written to use any port, surely this approach will result in an increasing level of denial of service to customers as more ports are blocked.

Alan :(

Stalker
08-11-2003, 13:36
I do have a problem with these ports being blocked, some games run on ports above 1024, does this mean that I won't be able to have a game of good ol Delta Force????

NTL don't seem to get it through their heads :knock:

§talk

Paul
08-11-2003, 13:37
That particular trojan (Sub seven) is quite old now and I think newer versions of it use different ports.
I see very few instances of that port turning up in my firewall logs now (on my non NTL servers).

fraz
08-11-2003, 19:17
Q. When is an ISP not an ISP ?

A. When it's NTL.

I pay for access to the Internet - all of it - not the parts that NTL think I need. Can I expect a reduction in price now I have a reduction in service ?
I hardly call a reduction on the amount of network cruft in my firewall logs from other customers who are too damned lazy to install antivirus progs/keep their OS up to date a reduction in service.

Exactly what reduction in service have you noticed ?

Chris
08-11-2003, 20:24
I hardly call a reduction on the amount of network cruft in my firewall logs from other customers who are too damned lazy to install antivirus progs/keep their OS up to date a reduction in service.

Exactly what reduction in service have you noticed ?

The number of available ports has been reduced, ergo, the available service has been reduced. To ask whether anyone has 'noticed' is to obscure the issue. The service has been reduced, whether I am aware of it or not.

But, for what it's worth, I will notice it when, due to NTL blocking ports above 1024, I get the occasional "page not found" error. And if I ever sign up for distance learning and expect to connect to the university systems using any of the methods now disbarred by NTL (note, this is still a legitimate residential use), I would sure as eggs is eggs notice it.

Even NTL has acknowledged that some customers will be affected, fraz, you really don't have to try to fight the battle for them.

fraz
08-11-2003, 20:41
The number of available ports has been reduced, ergo, the available service has been reduced. To ask whether anyone has 'noticed' is to obscure the issue. The service has been reduced, whether I am aware of it or not.

But, for what it's worth, I will notice it when, due to NTL blocking ports above 1024, I get the occasional "page not found" error. And if I ever sign up for distance learning and expect to connect to the university systems using any of the methods now disbarred by NTL (note, this is still a legitimate residential use), I would sure as eggs is eggs notice it.

Even NTL has acknowledged that some customers will be affected, fraz, you really don't have to try to fight the battle for them.

Can I just point out that if you trawl back through the last 5/6 years worth of my online activities I've never been a particularly big fan of Net Nanny ISPs, however, quick reality check:

The number of internet users now online that simply buy their PC and expect to use it in the same manner as they use a Microwave (or any other item of white goods) now far exceeds the number of enthusiasts using the net. ISPs (& I'm not singling out NTL) are changing the way that they provide a product to their customers and Blaster/Welchia gave all ISPs a short sharp shock.

Alan Waddington
08-11-2003, 21:32
ISPs (& I'm not singling out NTL) are changing the way that they provide a product to their customers and Blaster/Welchia gave all ISPs a short sharp shock.

I agree there is a problem & that blocking the microsoft networking ports will block a popular route of infection. I feel this is a reasonable compromise.

On the other hand blocking ports above 1024 is only effective as a short term solution as virus writers are likely to write future trojans to use ports that aren't blocked by major ISPs. Hence this becomes an arms race, with more & more ports becoming blocked.

I am wondering what happens when I buy software over the internet, which allows only 2 or 3 download attempts. Normal FTP could fail & if a second attempt also gets a blocked port, it is possible that it could be difficult to recover the situation. I am unsure how ports are allocated, but if it is based on cyclically searching for the next free port starting from the last allocated port, then blocking port ranges could be a problem. Anyone know if this is actually likely to happen?

Lastly, it occurs to me that it would be possible to write a trojan that hops ports on a time basis (just like frequency hopping on older secure radio links). Provided the time between hops is fairly long and the victim's PC's clock is set correctly, then the virus writer would have no difficulty determining the open port at any time. And what about the approaches taken by peer-to-peer networking software. I don't know how those work, but I have heard that port blocking is ineffective on those due to non-fixed port usage. So I say again, port blocking above 1024 is an unwinnable approach and can at best be considered a temporary measure.

To end on a more pleasant note, I would like to reiterate that blocking 135, 137, 139 & 445 seems a good idea to me. Well done NTL.

Alan :banghead:

homealone
08-11-2003, 22:23
To end on a more pleasant note, I would like to reiterate that blocking 135, 137, 139 & 445 seems a good idea to me. Well done NTL.

absolutely - but it isn't "the end" of those exploits. I had a look at my router log just now and still got a 445 probe two minutes ago - local of course, but people should still beware - imo.

piqueaboo
09-11-2003, 01:24
I don't have a major problem with blocking the Microsoft networking related ports (135, 137, 445 etc.) but question blocking ports above 1024. I don't think many home users run MS SQL, so why is this considered a risk?

Exactly.

I expect the real problem the sql & subseven port blocks solve is the number of Mr Angry e-mails abuse get about PFW entries. That NTL are prepared to randomly break customer applications for that is appalling.

If they really must block these ports why couldn't or wouldn't NTL use stateful filtering i.e. just stop inbound SYNs?

Router performance? I hope so because at least that implies a limit to how much they can break.

Paul
09-11-2003, 14:08
Exactly what reduction in service have you noticed ?
If they block ALL 139, 445 then I will lose the ability to connect to my remote computer shares, that is a big loss of service to me.

fraz
09-11-2003, 17:08
If they block ALL 139, 445 then I will lose the ability to connect to my remote computer shares, that is a big loss of service to me.

Not being funny but how many people 'knowingly' use Windows File & Printer Sharing over a public network (your internal network won't be affected by the blocking) especially when there are more secure alternatives such as FTP or SCP for transferring files etc across the internet.

Chris
09-11-2003, 18:05
Not being funny but how many people 'knowingly' use Windows File & Printer Sharing over a public network (your internal network won't be affected by the blocking) especially when there are more secure alternatives such as FTP or SCP for transferring files etc across the internet.

I expect there are only a few people affected, as NTL's FAQs say, but now you are shifting the debate away from the point you tried (unsuccessfully as it happens) to make earlier.

Originally you asked, 'have you even noticed?' Pem's answer to that is clearly 'yes'. You can't just go changing the question when your original point proves wobbly.

fraz
09-11-2003, 18:19
I expect there are only a few people affected, as NTL's FAQs say, but now you are shifting the debate away from the point you tried (unsuccessfully as it happens) to make earlier.

Originally you asked, 'have you even noticed?' Pem's answer to that is clearly 'yes'. You can't just go changing the question when your original point proves wobbly.
Pem hasn't actually clarified whether he is talking about access via the internet or via an internal LAN.

If it's the former then there are better alternatives available, if it's the latter then he's not affected.

Paul
09-11-2003, 18:46
Not being funny but how many people 'knowingly' use Windows File & Printer Sharing over a public network (your internal network won't be affected by the blocking) especially when there are more secure alternatives such as FTP or SCP for transferring files etc across the internet.

:LOL: - You think FTP is more secure than Windows File Sharing, I hope you don't work for NTL Technical Support ;)
To clear up any misunderstanding, yes I am referring to connecting to other machines over the Internet, not on an internal LAN.
How I connect to them is my choice, they are all Windows machines and the data is not confidential in any manner, Windows file sharing is the easiest method and has served me well for 5+ years thank you.

fraz
09-11-2003, 19:03
:LOL: - You think FTP is more secure than Windows File Sharing, I hope you don't work for NTL Technical Support ;)
To clear up any misunderstanding, yes I am referring to connecting to other machines over the Internet, not on an internal LAN.
How I connect to them is my choice, they are all Windows machines and the data is not confidential in any manner, Windows file sharing is the easiest method and has served me well for 5+ years thank you.

It all depends on how well set up the server is :) Personally I use SCP to transfer files rather than FTP but that's a different story.

It appears that you may well be one of the unfortunate small number who may be affected although there are many ISPs (certainly Zen does, Telewest did for a while, not sure about BT and in the US it's becoming more commonplace) now that are blocking Netbios on the public network and indeed it is something which I believe Microsoft themselves have advised ISPs to do.

Myron
22-11-2003, 23:53
If they block ALL 139, 445 then I will lose the ability to connect to my remote computer shares, that is a big loss of service to me.

If you can, use a tunnelled connection into your computer.

Paul
23-11-2003, 00:03
ATM - the evidence would seem to suggest they have used a bit of common sense and only blocked incoming connection requests on the offending ports - i.e. I can still connect to my servers but my firewall logs suggest that incoming traffic on those ports has been blocked.

Myron
23-11-2003, 00:33
ATM - the evidence would seem to suggest they have used a bit of common sense and only blocked incoming connection requests on the offending ports - i.e. I can still connect to my servers but my firewall logs suggest that incoming traffic on those ports has been blocked.

As long as the reply ports are not blocked and only unsolicited/unexpected inbound connections to blocked ports are dropped.

trebor
23-11-2003, 10:28
Sorry if this has already been asked/answered, but I couldn't see it anywhere.
So if ntl are blocking ports, are they going to post a list of which ports are blocked, so people can work around the problem? Does anybody know what ports are blocked?
Is there any way to find out which ones are blocked?

thanks

Paul
23-11-2003, 13:32
Well the original article we were discussing was posted on .com so it's inaccessible now :rolleyes:

I just tried to look on community but that seems dead again as well :confused:

homealone
23-11-2003, 13:47
Sorry if this has already been asked/answered, but I couldn't see it anywhere.
So if ntl are blocking ports, are they going to post a list of which ports are blocked, so people can work around the problem? Does anybody know what ports are blocked?
Is there any way to find out which ones are blocked?

thanks

hi trebor

totally from memory so I may be wrong, but I think it is ports 135, 137, 139, 445 & any over 1200.

trebor
23-11-2003, 14:16
would that explain why online games have started having problems. e.g. ut2k3 uses ports 7777, 7778, 7787, 7788, 28900, 28902

Paul
23-11-2003, 14:26
hi trebor

totally from memory so I may be wrong, but I think it is ports 135, 137, 139, 445 & any over 1200.
I can assure you it is not anything over 1200 !! That would stop thousands of applications working.

As I recall it was 135, 137, 138, 139, 445, 1433, 1434 & port in the 27xxx range that sub seven uses (can't remember it exactly).

Myron
23-11-2003, 14:35
would that explain why online games have started having problems. e.g. ut2k3 uses ports 7777, 7778, 7787, 7788, 28900, 28902

You could try using a SOCKS proxy, if one could be found.

homealone
23-11-2003, 14:50
I can assure you it is not anything over 1200 !! That would stop thousands of applications working.

As I recall it was 135, 137, 138, 139, 445, 1433, 1434 & port in the 27xxx range that sub seven uses (can't remember it exactly).

thanks pem - said I might be wrong, :dunce: :)

Myron
23-11-2003, 14:58
Here is an RFC:

NTL could do with blocking inbound connections to port 17300. It seems the hackers are trying to get their revenge. My router is recording quite an increase in connection attempts to TCP port 17300 from various IP addresses.

The problem is that port blocking is not really an answer. There will come a point where so many ports will be blocked that it will be becoming impossible to use the Internet.

I was ridiculed for the suggestions some months ago, but really NTL should upgrade their UBRs or firewalls so the customer has some basic control over what can connect to his/her equipment.

By default every inbound port should be blocked. This would not be a problem because reply ports will not be blocked. Routers already do this and have been doing this for years. Uneducated users, I think, would not touch these options, 'cos they don't know how it all works.

The customer would be given three simple options that can be changed at any time.

Option 1: Block all inbound connections, unless to a reply port.
Option 2: Block all inbound connections selected by NTL.
Option 3: Block all inbound connections only for ports 135, 137, 139 and 445.

Any customer that would select option 3 would automatically be put on NTL's watch list so any suspicious traffic would be looked at by NTL's network operations centre and appropriate action taken.

Just three simple filter sets that can be defined network wide and each customer could choose only one of them. You would not want to allow the customer to define their own filter sets as then it will be totally unmanageable and the memory and processing power of the router might not be enough.

The option suggested here would work as it is already implemented as option 3 in the suggestion above.

Paul
23-11-2003, 15:59
thanks pem - said I might be wrong, :dunce: :)
LOL, you were close, just that tiny (kill everything !) error :D


Edit: FFS why can't every forum have the same smilies ... Grrrrrrr ......

Myron
23-11-2003, 17:43
PS: Note the bit that the customer is able to select any of the options at any time, changed as many times as required.

The majority of the people who buy a computer from the likes of Tiny or PC World do not have a clue, so for those the default of `block all inbound` will work. For us educated lot, we will know how to open up inbound ports.

For the newbies that become educated, they will also be able to open up inbound ports.

The method would work. For sure port 135 is now a totally lost cause so that one may as well be blocked until the end of time. Only thing is that NTL have blocked UDP port 135 in both directions and TCP port 135 inbound only.

My suggestion only relates to inbound connections and excludes reply ports.
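The distinction drawn in the last few posts, between blocking a port outright and only refusing unsolicited inbound connection attempts while leaving reply ports alone, is exactly what separates the "occasional page not found" the ntl article warns about from a block that most customers never notice. The following is an added example, not code from the thread or from ntl: it runs one constructed packet trace through a stateless per-port block and through a stateful filter configured as each of the three options above. The port lists are the ones quoted in the thread (ntl's published inbound-only list appears later in the thread); the addresses, the trace and the filter classes are constructed for illustration.

```python
"""Stateless port block vs. stateful (SYN-only) filter over a constructed trace.

Added example, not code from the thread or from ntl.  Port lists come from
posts in the thread; addresses, packets and filter profiles are constructed.
"""
from dataclasses import dataclass

# Inbound-only list as quoted from the ntl document in the thread.
NTL_LIST = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445), ("udp", 445),
            ("tcp", 593), ("tcp", 1433), ("udp", 1434), ("tcp", 27374)}
# Myron's option 3: Windows networking ports only.
NETBIOS_LIST = {(p, n) for p in ("tcp", "udp") for n in (135, 137, 139, 445)}
ALL_PORTS = None  # sentinel for option 1: every unsolicited inbound connection


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool      # True = internet -> customer, False = customer -> internet
    syn: bool = False  # TCP flags; SYN without ACK is a new connection request
    ack: bool = False


def _listed(blocked, proto, port):
    """True if (proto, port) is on the block list; ALL_PORTS matches everything."""
    return blocked is ALL_PORTS or (proto, port) in blocked


class StatelessPortBlock:
    """Drops every inbound packet addressed to a listed port, including the
    reply to a connection the customer opened using that port as its source."""
    def __init__(self, blocked):
        self.blocked = blocked

    def allow(self, pkt):
        if not pkt.inbound:
            return True
        return not _listed(self.blocked, pkt.proto, pkt.dport)


class StatefulSynFilter:
    """Remembers flows the customer opened and refuses only unsolicited inbound
    traffic: a TCP SYN to a listed port, TCP that is neither a SYN nor part of
    a known flow, or UDP to a listed port with no matching outbound flow."""
    def __init__(self, blocked):
        self.blocked = blocked
        self.flows = set()  # (proto, customer_ip, customer_port, remote_ip, remote_port)

    def allow(self, pkt):
        if not pkt.inbound:
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True   # reply port of a flow the customer started
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return False  # not a new connection and not part of any known flow
        return not _listed(self.blocked, pkt.proto, pkt.dport)


# Constructed trace; addresses are documentation ranges, not real hosts.
CUSTOMER, WEB, DNS, SCANNER = "10.0.0.5", "203.0.113.10", "203.0.113.53", "198.51.100.7"
TRACE = [
    # 1. browser fetches a page; the OS happened to hand it ephemeral port 1433
    Packet("tcp", CUSTOMER, 1433, WEB, 80, inbound=False, syn=True),
    # 2. the server's SYN/ACK comes back to port 1433 (a "reply port")
    Packet("tcp", WEB, 80, CUSTOMER, 1433, inbound=True, syn=True, ack=True),
    # 3. unsolicited connection attempt to Windows file sharing
    Packet("tcp", SCANNER, 4444, CUSTOMER, 445, inbound=True, syn=True),
    # 4./5. a DNS lookup sent from ephemeral UDP port 1434, and its answer
    Packet("udp", CUSTOMER, 1434, DNS, 53, inbound=False),
    Packet("udp", DNS, 53, CUSTOMER, 1434, inbound=True),
    # 6. unsolicited connection attempt to a port on nobody's list
    Packet("tcp", SCANNER, 5555, CUSTOMER, 8080, inbound=True, syn=True),
    # 7. unsolicited UDP to the SQL monitor port
    Packet("udp", SCANNER, 6000, CUSTOMER, 1434, inbound=True),
]


def run(filt, trace):
    """Return one True/False per packet: whether the filter lets it through."""
    return [filt.allow(p) for p in trace]


def compare(trace=TRACE):
    """Run the same trace through each filter profile discussed in the thread."""
    return {
        "stateless ntl list": run(StatelessPortBlock(NTL_LIST), trace),
        "option 1 block all inbound": run(StatefulSynFilter(ALL_PORTS), trace),
        "option 2 ntl list stateful": run(StatefulSynFilter(NTL_LIST), trace),
        "option 3 netbios only": run(StatefulSynFilter(NETBIOS_LIST), trace),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:28s}", " ".join("pass" if v else "DROP" for v in verdicts))
```

Packets 2 and 5 are the ones that matter: under the stateless block the web server's SYN/ACK and the DNS answer are dropped because the customer's ephemeral source port landed on 1433 and 1434, which is the "page not found" failure the article describes; every stateful profile passes them because the filter saw the customer open the flow first. All four profiles still drop the unsolicited SYN to 445, and only option 1 drops the unsolicited SYN to the unlisted port 8080.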

trebor
23-11-2003, 18:21
I can assure you it is not anything over 1200 !! That would stop thousands of applications working.

As I recall it was 135, 137, 138, 139, 445, 1433, 1434 & port in the 27xxx range that sub seven uses (can't remember it exactly).


port 1433 Microsoft SQL Server
port 1434 Microsoft SQL Monitor

this may cause some problems

Karl Prince
24-11-2003, 12:38
NTL posted this document some weeks ago,

http://www.ntlworld.com/tunnel.php?task=portBlocking

You can navigate to it from the

---> help index
---> Important virus information Advice for Microsoft XP/NT/2000 users
---> ntl:home take new measures to protect against worms

From the above NTL document:

We are blocking Internet ports 137 (UDP), 138 (UDP), 139 (TCP), 445 (UDP & TCP), 593 (TCP), 1433 (TCP), 1434 (UDP) and 27374 (TCP) Inbound only.

NTL may also be blocking other ports e.g. 4662 used by emule file sharing.

The sub 1023 ports I generally agree with, but the high ports are causing me issues already, with lost connections.

I'm tempted to PAT the listed high ports to a nul address on my firewall router, to prevent them being used as an outbound source. Though this could quickly get out of hand if NTL keep blocking more ports. Also considering the range 1024 - 5000, since I have no inbound services on these addresses (only one rule as well).

Time to do another port scan on my firewall I think, and look for the missing hits.

Paul
24-11-2003, 12:48
I have never come across anything that uses TCP593.

Karl Prince
24-11-2003, 13:09
I have never come across anything that uses TCP593.

It's another port that has the Micro$oft DCOM vulnerabilities, all of the (well-known) Microsoft RPC ports are :

Port 135 (tcp/udp)
Port 137 (udp)
Port 138 (udp)
Port 139 (tcp)
Port 445 (tcp/udp)
Port 593 (tcp)

Basically the following formula applies:

(NT4 or W2K or XP or W2K3) and no patch and no firewall = pants down

For the more anorak explanation try

http://www.hkcert.org/salert/english/s030911_win_rpcss.html

Myron
25-11-2003, 01:22
Actually, ports 1433 (TCP) and 1434 (UDP) are not going to cause a problem for Windows XP equipped computers. Because ......

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
ReservedPorts=REG_MULTI_SZ:1433-1434

Only problem at the moment will be if anything legitimate wants to use ephemeral port 27374 (TCP). I wonder if it is allowable to amend the above key value from 1433-1434 to 1433-1434,27374?

Or are the values specified on a separate line?

See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;812873
http://support.microsoft.com/default.aspx?scid=kb;en-us;196271
http://www.jsiinc.com/SUBO/tip7000/rh7082.htm

I'm going to try setting the value of this ReservedPorts key to following ....

1433-1434
27374-27374
17300-17300

It's either going to work, or I'll be quickly changing it back to just 1433-1434.

Paul
25-11-2003, 13:09
Unless you have modified your system then it will not attempt to use 17300 or 27374 anyway since they are above the default maximum of 5000.

AFAIK you can only have one range in the reserved ports value so use 1433 - 1434.

Myron
25-11-2003, 15:22
Just tried it and the ports I nominated to be reserved were not used as ephemeral ports. That'll do me. This is with Windows XP SP-1.

Paul
25-11-2003, 17:53
Just tried it and the ports I nominated to be reserved were not used as ephemeral ports. That'll do me. This is with Windows XP SP-1.
Sorry but your answer is not clear to me - did you mean it *does* work with multiple ranges on XP ?

Myron
25-11-2003, 18:54
Sorry but your answer is not clear to me - did you mean it *does* work with multiple ranges on XP ?
Yes, I do mean that you can define multiple ranges. Here is how you can test it for yourself.

Set the value of the ReservedPorts registry key to
1433-1434
3010-3050

Then restart the computer and as soon as you get the desktop open a DOS command prompt and pre-type the command `netstat`.

Start the browser, go to a web site. I used www.bbc.co.uk (http://www.bbc.co.uk/).

In the case of Windows XP the port allocation starts from 3000 and not 1024.

Here is the result I got as provided by the NETSTAT command ...

3008
3051
3052
3056
3058
3059
3062
3063
etc....

Notice that no ports were allocated between 3010 and 3050 inclusive.

It's always a good idea to prove that the theory is fact and that's a habit I've got. Seems with Windows XP and quite possibly other versions of Windows, it is possible to exclude the use of the ports that NTL are blocking.

Wish NTL would be more helpful with this issue, but it's gurus like me that have to discover these sort of useful pieces of information.
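
The netstat experiment above can be reproduced without rebooting anything. What follows is an added example, not code from any poster: a small model of the Windows ephemeral-port allocator with the ReservedPorts and MaxUserPort behaviour the thread describes (start at 3000 on XP, climb to a default maximum of 5000, skip reserved ranges), plus a parser that checks a `netstat -an` dump against the reserved ranges. The allocation order, the netstat lines and the port numbers are constructed for the demonstration; Windows itself is not consulted.

```python
"""Added example (not from the thread): model the XP-era ephemeral-port
allocator with multi-range ReservedPorts and MaxUserPort, and audit a
`netstat -an` dump for any local port that lies in a reserved range.

Assumptions (labelled): ports are handed out upward from START_PORT and
wrap at max_user_port; the netstat text below is constructed, not
captured from a real host.
"""
from typing import List, Optional, Tuple

Range = Tuple[int, int]


def parse_reserved_ports(value: List[str]) -> List[Range]:
    """Parse a REG_MULTI_SZ ReservedPorts value, one 'lo-hi' entry per line.
    KB 812873 documents the 'lo-hi' form; a bare 'lo' is accepted here as
    a convenience and treated as 'lo-lo'."""
    ranges: List[Range] = []
    for entry in value:
        entry = entry.strip()
        if not entry:
            continue
        lo, sep, hi = entry.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if sep else lo_i
        if lo_i > hi_i or not (1 <= lo_i <= 65535 and hi_i <= 65535):
            raise ValueError(f"bad ReservedPorts entry: {entry!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def is_reserved(port: int, ranges: List[Range]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


class EphemeralAllocator:
    """Hand out source ports the way the posts describe: start at a fixed
    base (XP: 3000, older NT: 1024), never exceed MaxUserPort (default
    5000), and skip reserved ranges and ports already in use."""

    def __init__(self, reserved: List[Range], start_port: int = 3000,
                 max_user_port: int = 5000) -> None:
        self.reserved = reserved
        self.start = start_port
        self.max = max_user_port
        self.next = start_port
        self.in_use: set = set()

    def allocate(self) -> int:
        span = self.max - self.start + 1
        for _ in range(span):
            port = self.next
            self.next = self.start if port >= self.max else port + 1
            if port in self.in_use or is_reserved(port, self.reserved):
                continue
            self.in_use.add(port)
            return port
        raise RuntimeError("ephemeral port range exhausted")

    def release(self, port: int) -> None:
        self.in_use.discard(port)


def local_ports_from_netstat(text: str) -> List[int]:
    """Extract local port numbers from `netstat -an` style output.
    Header lines ('Active Connections', 'Proto ...') are skipped."""
    ports = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 2 or cols[0] not in ("TCP", "UDP"):
            continue
        ports.append(int(cols[1].rsplit(":", 1)[1]))   # works for [::1]:port too
    return ports


def reserved_violations(text: str, ranges: List[Range]) -> List[int]:
    """Local ports that Windows should never have picked: any in a reserved range."""
    return sorted({p for p in local_ports_from_netstat(text) if is_reserved(p, ranges)})


# Constructed netstat output, not captured from a real machine.
SAMPLE_NETSTAT_OK = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.2:3008       212.58.224.20:80       ESTABLISHED
  TCP    192.168.0.2:3051       212.58.224.20:80       ESTABLISHED
  TCP    192.168.0.2:3052       212.58.224.20:80       TIME_WAIT
  UDP    192.168.0.2:137        *:*
"""

SAMPLE_NETSTAT_BAD = SAMPLE_NETSTAT_OK + \
    "  TCP    192.168.0.2:3020       212.58.224.20:80       ESTABLISHED\n"


if __name__ == "__main__":
    reserved = parse_reserved_ports(["1433-1434", "3010-3050"])
    alloc = EphemeralAllocator(reserved)
    print([alloc.allocate() for _ in range(15)])          # 3000..3009 then 3051..
    print(reserved_violations(SAMPLE_NETSTAT_OK, reserved))   # []
    print(reserved_violations(SAMPLE_NETSTAT_BAD, reserved))  # [3020]
```

Paul's point about 27374 falls out of the model: with the default maximum of 5000 the allocator never reaches it, so reserving it only matters if MaxUserPort has been raised above 27374.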

Alan Waddington
25-11-2003, 19:00
I thought about reserving ports, but would need to do it on my router (Linksys) which does not have this facility. Annoying isn't it. (And unnecessary)

Myron
25-11-2003, 19:32
I've just now reported this issue to LinkSys. Will LinkSys act on the information given? Anyone's guess.......

We could take bets, maybe?

Noodle
25-11-2003, 20:02
I've just now reported this issue to LinkSys. Will LinkSys act on the information given? Anyone's guess.......

We could take bets, maybe?

Probably not, but then is it LinkSys's responsibility to make it possible to work around NTL's bad practice? Understandably P2P services cause problems for ISPs, but there are 65535 ports out there, if they block a handful, they'll just be reconfigured to work on different ports. Eventually NTL's approach would have to be to block ALL ports, at which time it'd become impossible to use their services (not that it's ever that possible to get much use out of them anyway, but never mind), at which point they couldn't operate as an ISP anyway :)

--
Chris / Noodle (chris@woaf.net)

Myron
26-11-2003, 00:33
Ah, here is the best bit. A very polite note stating the issue that ISPs are blocking ports and that the firmware in all of their routers will be affected by this issue.

Now, I wonder what would happen if enough people would run into this problem and report the same shortcoming of their router? As in having the ability to reserve ports so the router would not use the reserved ports as response ports? (NUDGE, WINK, HINT, SLAP, etc....)

I suppose one person bringing up the issue would not trigger a response from LinkSys but should enough people experience problems using the Internet because of this issue then maybe LinkSys's software engineers will put in an option to allow the owner of the router to reserve inbound ports? Well, technically not reserve, but an exclusion list.

:angel:

Lord Nikon
26-11-2003, 04:56
Personally I think NTL should have an Opt-in principle as regards port blocking...
if you WANT them to port block, then they will, but you should also be able to opt for them NOT to block ports

Karl Prince
26-11-2003, 17:45
Ah, here is the best bit. A very polite note stating the issue that ISPs are blocking ports and that the firmware in all of their routers will be affected by this issue.

.....maybe LinkSys's software engineers will put in an option to allow the owner of the router to reserve inbound ports? Well, technically not reserve, but an exclusion list.

:angel:

Such a good idea, that I emailed it to Linksys on the 8th of November (2003).

Not heard a thing back though.

One thing I mentioned in an earlier post, which would have a similar effect, would be to forward the blocked ports to a nul address, stopping them being used to create outbound connections. Big downside is it makes these ports look apparently open, plus there are only ten rules in total, so people (like me) with email and web servers don't have a lot to play with.

But back to your suggestion, if all the Linksys users email then maybe there would be more joy...

Alan Waddington
27-11-2003, 09:03
Such a good idea, that I emailed it to Linksys on the 8th of November (2003).

Not heard a thing back though.

One thing I mentioned in an earlier post, which would have a similar effect, would be to forward the blocked ports to a nul address, stopping them being used to create outbound connections. Big downside is it makes these ports look apparently open, plus there are only ten rules in total, so people (like me) with email and web servers don't have a lot to play with.

But back to your suggestion, if all the Linksys users email then maybe there would be more joy...

Interesting thought on the port forwarding. It seems likely that the implementation forwards all packets received on the port, which suggests that it must also be reserved as an outgoing port. If the ports are forwarded to an IP address on the internal network that is not used, then surely the result is the same as dropping unaccepted packets, which is part of what happens when 'Block WAN Request' is enabled (I think).



BLOCK WAN REQUEST: This feature is designed to prevent users from attacking your network through the internet. When Block WAN Request is enabled, the Router will drop both the unaccepted TCP request and ICMP packets from WAN site. The hacker will not find the Router by pinging the WAN IP address. Select ''Enable'' to enable this feature.


Thus using the forwarding feature does look promising as a workaround.

Alan Waddington
27-11-2003, 09:24
After more research it appears that early versions of linksys firmware do not in fact reserve the ports. So unless this has been fixed in later firmware versions, the port forwarding technique won't work.

See bug report: http://www.dslreports.com/faq/4808

Alan Waddington
27-11-2003, 10:28
I've forwarded ports 1024-5000 to nowhere & things are still working. Maybe the bug's fixed, or maybe the router hasn't cycled round to that part of the range yet. I can't see anything specific in Linksys's firmware revision history about fixing this bug.

I suppose I could try forwarding a much bigger range to see if things fall over then.

[edit now forwarding 1024 - 65000 - this only leaves about 500 ports available - & we're still going - maybe the bug's fixed in later firmware - I'm using 1.44.2]

Any thoughts anyone?

[edit - or even better... Experiment with port forwarding on your router & report back on whether using a large range blocks internet access & the firmware version number]

Alan

Paul
27-11-2003, 12:30
Can you just clarify for me - the port forwarding you mention is for incoming traffic, not outgoing ?

Alan Waddington
27-11-2003, 16:12
Can you just clarify for me - the port forwarding you mention is for incoming traffic, not outgoing ?

Yes it's the incoming port forwarding. The concept proposed by Karl earlier in the thread is that the router should reserve any outgoing ports which are subject to redirection incoming. This is because if the router uses such a port as an outgoing port, then incoming packets would be incorrectly forwarded.

However there appears to be a bug in linksys s/w release 1.39 in that the forwarded ports are not reserved. However I cannot duplicate the problem with s/w release 1.44.2, so perhaps this is fixed.

It would be nice to reserve the ports NTL has blocked, but I am hoping for some second opinions on this before getting my hopes up too much.

[edit I have now forwarded the entire range 1024 - 65535 and still have internet access - somehow I don't think the Linksys is reserving any ports - perhaps the NAT table takes priority over the forwarding table - i.e. it looks like this isn't working ]

Alan

Paul
27-11-2003, 16:30
Right, I agree it would (should) do this on forwarded ports unless it uses internal state information to remember what IP's it has made outgoing connections to [on the forwarded ports] and uses this information to bypass the forwarding when getting packets back.

This is not uncommon in more expensive firewall / Nat software.
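
The three behaviours discussed in the last few posts (a router that consults its forward rules before its NAT table and so misroutes replies, one that reserves forwarded ports so they are never used as a NAT source, and one that looks up the NAT connection table first so forwarding never gets a chance to interfere) can be put side by side in a toy model. This is an added example, not Linksys code or anything from the thread; the addresses, the "sink" host the forwards point at, and the port numbers are all constructed for the demonstration.

```python
"""Added example (not from the thread or from any router vendor): a toy
NAT router showing why a port-forward rule must either reserve the
forwarded ports or be consulted only after the stateful NAT table.

Constructed for the demo: LAN_CLIENT, SINK (an unused LAN address the
forward rules point at, the 'nul address' idea from the thread), WAN_IP,
and the port numbers used below.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

LAN_CLIENT = "192.168.1.10"   # host that opens outbound connections
SINK = "192.168.1.254"        # unused LAN address forwards are pointed at
WAN_IP = "81.0.0.1"           # router's public address


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class ToyNatRouter:
    # external port -> (lan ip, lan port) : the 'port forwarding' table
    forwards: Dict[int, Tuple[str, int]]
    # True: stateful NAT table is checked before forward rules
    nat_table_first: bool
    # True: never pick a forwarded port as a NAT source port (Karl's proposal)
    reserve_forwarded: bool = False
    # wan port -> (lan ip, lan port, remote ip, remote port)
    nat_table: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)
    next_port: int = 1024

    def _pick_wan_port(self) -> int:
        while True:
            port = self.next_port
            self.next_port += 1
            if self.reserve_forwarded and port in self.forwards:
                continue
            if port not in self.nat_table:
                return port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to WAN_IP:<allocated port> and record it."""
        wan_port = self._pick_wan_port()
        self.nat_table[wan_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(WAN_IP, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: decide where a packet addressed to WAN_IP:dst_port goes.
        Returns None when it is unsolicited and not forwarded (dropped)."""
        entry = self.nat_table.get(pkt.dst_port)
        matches_nat = entry is not None and entry[2:] == (pkt.src_ip, pkt.src_port)
        fwd = self.forwards.get(pkt.dst_port)
        if self.nat_table_first and matches_nat:
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        if matches_nat:
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        return None


def reply_destination(router: ToyNatRouter, remote_ip: str,
                      remote_port: int) -> Tuple[int, Optional[str]]:
    """LAN_CLIENT opens a connection to remote; remote replies.
    Returns (NAT source port used, LAN address that receives the reply)."""
    out = router.outbound(Packet(LAN_CLIENT, 40000, remote_ip, remote_port))
    back = router.inbound(Packet(remote_ip, remote_port, WAN_IP, out.src_port))
    return out.src_port, (back.dst_ip if back else None)


# Alan's experiment: forward the whole 1024-5000 range to nowhere.
FORWARD_RANGE = {p: (SINK, p) for p in range(1024, 5001)}


if __name__ == "__main__":
    for name, router in [
        ("forward-first, no reservation", ToyNatRouter(FORWARD_RANGE, nat_table_first=False)),
        ("forward-first, reserves ports",  ToyNatRouter(FORWARD_RANGE, nat_table_first=False, reserve_forwarded=True)),
        ("NAT-table-first",                ToyNatRouter(FORWARD_RANGE, nat_table_first=True)),
    ]:
        print(name, reply_destination(router, "212.58.224.20", 80))
```

The first router loses the reply to the sink, which is the bug in the 1.39 firmware that the dslreports report describes; the second never uses a forwarded port as a source, so the trick does keep the blocked ports out of the outbound range; the third keeps working but, as Paul notes, that means the forward table is simply not consulted for established flows, so the ports are not being reserved at all.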

Alan Waddington
27-11-2003, 16:34
Right, I agree it would (should) do this on forwarded ports unless it uses internal state information to remember what IP's it has made outgoing connections to [on the forwarded ports] and uses this information to bypass the forwarding when getting packets back.

This is not uncommon in more expensive firewall / Nat software.

I think you are right - Oh well it was worth a try.