Port blocking
 

Can anyone confirm or deny if ntl are blocking the following ports

34518 and 34519 both on UDP

I called them Yesterday and was told that they are not blocking them but I am having loads of trouble with an app that uses them and have been informed on another forum that they are being blocked.

I would have asked on nthellworld.com but ntl seem to have killed it?

Thx.

--
rmg.

Re: Port blocking
 

Sorry m8 we are not blocking these ports

Re: Port blocking
 

what is the app? what setup do you have? ( i.e. directly connected, router, ICS anything like that? ) any kind of firewall?

Re: Port blocking
 

Hi, thanks for the confirm.

The app I am trying to run is called Xlink. It is a tunelling app for xbox that allows you to play system link games over the internet.

I am running through a router but have tried opening these ports and have even put the PC in the DMZ but still no luck.

The relevant threads are here

http://forums.xbox-scene.com/index.p...f=46&t=124238&

and here

http://forums.xbox-scene.com/index.p...f=46&t=134021&

Sounds like they are wrong tho?

--
rmg.

Re: Port blocking
 

as i understand it, the only ports being blocked are those associated with viruses and security vulns...
and as far as the argument about 'making people pay for the gaming service'... if that was the case they would be blocking the XBox LIVE ports, not just the XBConnect type ones. If they are blocking them, the only reason i could think is because of the amount of data sent for things like XBC and XLink ( as in they are 'pretending' to the XBox that they are a 10Mb network, the xbox will chuck out loads of data )

have you looked in your router logs to check whether the PC is actually attempting to connect out? it may not be getting as far as the router.

Re: Port blocking
 

You should try our xbox forum instead ;)

Re: Port blocking
 

is there a thread in there I can look at?

Re: Port blocking
 

That's nothing more than a guess on the part of whoever told you, it's not correct.

Re: Port blocking
 

an update on the blocked ports.....

Re: Port blocking
 

taken fron Nexus :nono:

Re: Port blocking
 

and ? atleast hes informative instead of 'we dont block any other ports' even though new ones have been added to the block list :Peace: :rolleyes:

Re: Port blocking
 

so? they are blocked ports. if a customer called up and said "i cant use port 138", what are we supposed to do? lie and say thats nothing to do with ntl???
:shrug:

yes thats from nexus, but its accurate, to the point and relevant, so why waste time rewriting it?

Re: Port blocking
 

What new ones ?

That looks like the original list (in fact, I believe they are blocking port 135 as well which is missing from that list).

Re: Port blocking
 

i was not aware of 27373 being blocked

Re: Port blocking
 

Here is something that might be of slight interest. For anyone that's got a LinkSys router. I had a conflab with LinkSys recently and in the next firmware release for LinkSys routers there may be a workaround for blocked inbound ports. The ones that are uses as reply ports.

I beleive that there will be a facility where the user will be able to tell the router what short-term inbound reply ports not to use. Question is, when eill the next firmware update be made available.

Oh well.

Re: Port blocking
 

I still say you should be able to opt out of the port blocking.

it's one thing for NTL to set up a "virtual firewall" for some users to prevent virii but to then force all users into their server side firewall will only alienate some users.

I guess it is a fallback idea from Bill "too tech" Goodland or Aizad "our users don't want 2 Mbit" Hussein.

NTL should actually launch a survey online at their site, or send one out with the BB Bills to find out what the customers DO want.

Re: Port blocking
 

I think the problem is that at the moment they cant block ports on a user by user basis, its all or nothing.

Re: Port blocking
 

Well if as much effort went into blocking spam, i'd be a happier person. ;)

Re: Port blocking
 

After a couple of weeks without any of the several hundred port 135 scans per day, I have just had 9 in the past few minutes, 50% from Ntl customers. Has port 135 blocking been switched off?

EDIT....OMG. it is as bad as ever, dozens of scans racked up now. at least ten from different customers of the same French ISP.:(

Re: Port blocking
 

Doesn't appear to have been, I'm not getting any scans on that port.

Re: Port blocking
 

No scans here either... hang on I'm behind a router LOL Ooops ;) Nothing in my router logs though. Might just be someone in France thats infected with a virus again.

Re: Port blocking
 

They should still be blocked though. I have had no 135 scans for weeks now then suddenly in the past hour, loads of them.

Re: Port blocking
 

Which French ISP is it Iadom?
According to
http://www.ntlworld.com/tunnel.php?task=portBlocking
its blocked ??

Re: Port blocking
 

See jpeg in previous post. As usual most are from Ntl users, but a significant number are from. Tele2/Swipenet.

Re: Port blocking
 

Wonder if your section of the network is not configured correctly Iadom, maybe NTL have left that port open to keep you amused;) Have you tried ringing CS to see why that port is active still?

Re: Port blocking
 

It does seem strange, as I said I have had no scans on 135 at all since Ntl blocked it, since I booted up just over an hour ago I am up to over 70 now in that time. I know that my firewall keeps me safe, unless anyone else from the N/West reports similar findings I will keep an eye on it before contacting CS.
Perhaps someone is out to get me.;)

Re: Port blocking
 

Just got back in from work, booted up and got 10 hits in first minute to port 135. Is anyone else in this area getting port 135 scans.???? Surely Ntl can't have turned of port blocking just to little old me.:confused:

Wow, now over 40 in five minutes, mainly Ntl users,just phoned CS and they are not aware of any problems and as far as they know port 135 is being blocked.

Re: Port blocking
 

Just a thought but could be that the source is on the local area and so you get hit before it reaches the point NTL block the port maybe?

Re: Port blocking
 

They are mainly from Ntl users but from all over the country, but there are a lot from all over Europe, mainly from the same French ISP but also Finland, Italy etc.

Re: Port blocking
 

Just a point - according to the port block list on NTLs website - port 135 is NOT being blocked -


Am I misreading this or is this the case ? :confused:

Re: Port blocking
 

Your misreading:

Taken from here.

Re: Port blocking
 

According to this thread and also from recent experience, this was the first port that Ntl blocked followed soon after by the ones in the list. I think that page on the Ntl website is a list of the other ports they decided to block as well.
As I mentioned I have had absolutely no 135 scans since they started blocking until this morning, now they are flooding in just as before blocking.

http://forum.nthellworld.co.uk/showt...light=Port+135

EDIT, Thanks Fawkes, was just about to post that link but you saved me the trouble. I just find it weird that no one else in the N/West has reported anything similar yet, but the night is young.:)
As you can see from attached jpeg, I am also getting 139 & 445 scans as well, even though these are supposed to be blocked.

Re: Port blocking
 

cheers for that - I missed the first bit - sorry :dunce:

Re: Port blocking
 

I can confirm that nothing is getting to me on port 135. :D

Re: Port blocking
 

I'm not surprised, they are all attacking me. Over 600 hits in the past 5 hours, ports 135/139/445 mainly, and these are supposed to be blocked.

I am going to shut down now and see what tomorrow brings.

Re: Port blocking
 

iadom...
Please check with Neil who I am, and then please pm me your details, we would like to investigate why you are getting these hits on your firewall.

Thanks
UTT

Are Isp's Right To Block Mail From Dynamic IP's ??
 

Hi All.

I know that you are not suposed to run your own mail servers on a broadband connection with NTL but many people do. I do as I simply can not rely on NTL'S poor mail servers (when they are actualy up that is ! )

I am now finding that a large number of mail servers are rejecting mail from dynamic ip's that are sent directly. I can understand why they are doing this as there must be a huge number or servers that are completely insecure or set up as open relays. This is purely down to ignorant people that simply slap on a mail server package with no knowlege of how to secure it. These users should have there cable modems inserted where the sun doesn't shine as they are giving people that do run proper mail servers a bad rep. There sulution to this is to use the NTL smtp as a smart host !!!!!! :-( NOT GOOD !!!

There are users out there that do know what they are doing and dont pose a risk as open relays or spam portals. If you are a small company like we are a leased line is out of the question.

Looks like the average home or small company has no choice but to rely on there ISP'S mail servers even though they are often unstable and usualy a bigger relay of spam than most home servers.

Does any one know if NTL have multiple mail servers in diferent parts of the U.K. or do they just have the one ?

Re: Are Isp's Right To Block Mail From Dynamic IP's ??
 

never had any problems with ntl's e-mail but are u saying that u are using the residential service for your business? surely there are plenty of private e-mail providers that will give u guaranteed service

Re: Are Isp's Right To Block Mail From Dynamic IP's ??
 

Im self employed so a business connection is simply out of my budget. I need web mail access to the server and I also need to send digitaly sig. mail out.

Re: Port blocking
 

Will do ,thanks for that. Have just booted up and the firewall was hit within seconds.

jim.

Re: Port blocking
 

Jim get that router you promised yourself for xmas it will stop them

Re: Port blocking
 

Thanks Steve, I should have put a request in the Christmas presents thread.
Strange why I have just suddenly started to get these,

PS, my memory is a bit vague this morning, I was out on my first call at 7.30 and it was b***** cold. How do I obtain my MAC address.

EDIT: Cancel that ,good old Robin Walker pages, I knew I had seen MAC info somewhere.

Re: Are Isp's Right To Block Mail From Dynamic IP's ??
 

There is a very good reason why mail sent direct from a dynamic IP can't be trusted. Although at the moment, that dynamic IP happens to belong to you, and you can be trusted, tomorrow that IP might be handed out to someone else who is running an open relay. (I know IP addresses in NTL tend to stick around, but they *can* change - mine did a couple of weeks ago after a hardware "upgrade" at NTL's end).

I agree with you that NTL's SMTP servers can't be trusted (nor can their POP3 servers for that matter), so the only real solution is to buy email services from a reliable third party. I happen to use UK Web Solutions Direct, who have been very reliable (20 quid a year for POP3, SMTP, webmail, and 100MB of web space), but I'm sure there are plenty of other suitable providers.

Re: Port blocking
 

IPconfig/all or winipcfg from run dependant on OS

Re: Merged - Port blocking
 

For attention of utt.


Here is the screen grab you requested from first bootup this morning. Still flooding in, over 400 today up to now.

Jim.

Re: Merged - Port blocking
 

I would just like to point out something in that 'FAQ'
that is complete ********, they can write OTHER viruses that exploit DIFFERENT vulnerabilities, but blaster and welchia use an RPC/DCOM exploit, and that service listens on port 135 period.
You cannot connect to it on a different port any more than you can tell a web server you want to connect to it on port 3987 rather than port 80 ( of course the owner of the machine can change the port the webserver listens on, but that is different)

Re: Merged - Port blocking
 

not really! the welchia virus was a blended threat and was active on other ports not just 135

Re: Merged - Port blocking
 

Thanks

We are looking into it

Re: Merged - Port blocking
 

it was ACTIVE on other portsd ( it uses udp port 69, tftp, to retrieve its download, but it MUST make contact on port 135 in order to infect a machine, it relies on a vulnerability within the RPC service in windows that allows arbitrary code execution, without that, it cant do anything.
Other viruses do use other vulnerabilities in other services ( 137 for example is one of the filesharing ports, which also has similar vulnerabilities ) but they are not variants of blaster, they are different viruses, ok, I maybe splitting hairs, but claiming that blaster can spread using different ports is just wrong.

Re: Merged - Port blocking
 

ok agreed. pointless splitting hairs over it. there's not likely to be too many new variants of blaster or welchia in the future and although it is possible for future variants to spread by other means, this is unlikely.

Re: Merged - Port blocking
 

There is no filesharing on port 137 - it is the NETBIOS Naming Service.

Re: Merged - Port blocking
 

Lests be honest guys. !!!

Does anyone on the net actualy need to use netbios and file/print sharing. Its so insecure that I would not dream of letting it out of my lan.

If people unbound this pointless protocols from there network or usb adaptors we would have less of these types of viruses going around.

Incidently - I am still getting a huge ammount of hits on 137 as well as spoofed 127.0.0.1 port 80 scans.

Isn't the world wide wait fantastic !!!

Re: Merged - Port blocking
 

Yes.

Re: Merged - Port blocking
 

Who....

I have never met anyone who uses it. Its not secure - its unstable and it was written for use on a lan - not the internet !!!!!!

Re: Merged - Port blocking
 

Well I thought that the reply implied who (i.e. me). :)

Define "not secure" and "unstable" - and who says it was written for use on a Lan ? (and the "internet" is basically just a big Lan anyway)

JFYI - it is perfectly secure enough for my use of it and I have never had a file transfer fail.

Re: Are Isp's Right To Block Mail From Dynamic IP's ??
 

Hi m8

The trouble is that even if you go with a static ip with someone like pipex they dont offer reverse dns. All these Isp's are simply performing a reverse lookup and rejecting the mail.

On the subject of using a third party mail server I need to know that there mail server is secure and supports encrypted mail passthrough. Not many do !!!

I know that the ip can and does change, I was simply trying to speak for caring genuine users and small business's that have this as there only option.

Cheers m8 and have a great crimbo !!!

Re: Merged - Port blocking
 

Hi pem.

It was written for use in a internal network only. Have a look at the RFC for netbios and file & printer sharing. This is why any routers in an autonamous network will stop these protocols travaling outside the network unless it is programed otherwise.

I know the guy has a bit of a big head but Gibson of www.grc.com has done a great deal of research on netbios. There is also a good paper on the subject at http://www.petri.co.il/what_is_port_445_in_w2kxp.htm

Looks like we may have to agree to disagree on this one :) :) :)

Re: Merged - Port blocking
 

Indeed we will - but thanks for the links - I will have a look at them over xmas. :D

Re: Merged - Port blocking
 

Have a good christmas - and dont get too drunk :beer:

Re: Merged - Port blocking
 

pem & stuartbe:

You are arguing over different things, and you're both right in your separate ways.

In the beginning, there was only NetBIOS, and it was both (a) a LAN-only protocol, and (b) an API specification for networking, that applications and services could write to. The low-level protocol was layered on 802.2.

IBM and Microsoft developed the SMB protocol for file and print sharing, and layered it on top of NetBIOS.

As networking developed, the protocol and the API were split apart. The low-level protocol became known as NetBEUI, while the high-level API remained called NetBIOS.

NetBEUI was and is a LAN-only protocol, which relies on system-wide broadcasts for locating other nodes, and cannot be routed.

NetBIOS was then ported onto several other transport protocols besides NetBEUI. One of those was IPX/SPX in Netware environments. Another was TCP/IP. The NetBIOS port onto TCP/IP uses the well-known ports 135-139. This enables applications written to the NetBIOS API to communicate over any of the underlying transport protocols (NetBEUI, IPX/SPX, TCP/IP) without being aware of which protocol they are using.

Because Microsoft/IBM file and print shaing used SMB (now also known as CIFS), which was layered on top of NetBIOS, this meant that file and print sharing could occur over any of the underlying low-level protocols: all of them were supporting SMB via NetBIOS.

There is no reason why the Filesharing-SMB-NetBIOS-TCP/IP stack cannot be routed over the internet and support long-distance file and print sharing. By default all IP routers support this because the traffic is indistinguishable from all other IP traffic, apart from port numbers. The downside to this is that it exposes the entire NetBIOS interface of each PC to the internet, and the NetBIOS API had no security model.

With Win2K and XP, Microsoft ported the SMB/CIFS filesharing protocol (which does have an inbuilt security model) to a direct TCP/IP transport on port 445, eliminating the NetBIOS layer. For backward compatability with Win9x systems, they left the NetBIOS transport still enabled by default. The port 445 implementation is perfectly capable of long-haul connections over the internet.

So now, 2K and XP users can do filesharing by any of the following stacks:

SMB -> TCP/IP port 445 -> LAN & internet
SMB -> NetBIOS -> TCP/IP ports 135-139 -> LAN & internet
SMB -> NetBIOS -> IPX/SPX -> LAN only
SMB -> NetBIOS -> NetBEUI -> LAN only

NTL, and many other ISPs, have now blocked both 135-138 and 445, thus making MS filesharing impossible over the broadband connection. If you need to do MS-style filesharing over the internet, you should set up VPN servers/clients and use PPTP or L2TP as the transport over the broadband connection, which imposes another layer of security and authentication over these links.

Re: Merged - Port blocking
 

Thanks RDHW

I can se you think in cisco and not microsoft.

I wonder where we would be now if Xerox had not got envolved in tcp/ip !!!

Maybe everyone would be file sharing using tftp :) :) :) :)

Re: Port blocking
 

Just to update anyone who is interested,:zzz:

Since this started last Monday the 15th, my firewall has now logged over 8,000 hits, mainly port 135/445, almost 75% from ntl users, and my PC is not switched on all day.
I have been in contact with John in Swansea ( a very pleasant man ) and it would appear that I have bowled them a googly. Over the weekend, at their request, I added 3 IP addresses they supplied to my firewall trusted zone, to allow them to carry out some tests on the system. To date they are saying that the ports on this part of the network are definately blocked, it does seem that I am quite unique at the moment. They are now in possession of my firewall logs for Sat/Sun so watch this space.

I am not in the least worried about this, but I am intrigued as to why I suddenly started to get these hits when I have had none of this type since the port blocking was enabled.

Re: Merged - Port blocking
 

Well, fingers crossed, the torrent of 135/445 scans seems to have stopped.

Yesterday I had 350 firewall hits in 4 hours, today the PC has been on for 90 minutes and has registered only 4 hits, none to ports 135/445.

I would still like to know who or what was responsible for the massive amount of 135/445 scans I received over the past couple of weeks.:confused: :confused: