ntl blocking more worms

[Ramrod]

Quote:

Cable telco NTL is blocking more Internet ports to stop worms from spreading across its network. Last month it blocked port 135. Now it is blocking (inbound only): 137 (UDP), 138 (UDP), 139 (TCP), 445 (UDP & TCP), 593 (TCP), 1433 (TCP), 1434 (UDP) and 27374 (TCP).

"This 'port-blocking' should have little or no effect on your use of the Internet but it will significantly reduce the vulnerability to infection from variants of the Welchia and MSBlast worms," NTL explains in a notice to subscribers. Welchia and MSBlast are also known as Nachi and Blaster, respectively. NTL hopes to shepherd users with virus infection to special websites to help them clean their computer.

A recent study by network traffic management firm Sandvine estimats that computer worms such as Blaster will cost UK ISPs â‚ ¬22.4m this year. Although worms are usually associated with attacks on corporate networks, the malicious traffic also ties up service provider networks, degrading the broadband experience for home Internet users. Meanwhile, outbreaks of computer worms generate a huge upsurge in support calls to ISPs.

NTL's measures are a rational response, but the move will create problems for some home users who need to use Windows File and Print Sharing over the Internet or run applications like Exchange at home. This minor inconvenience is considered by NTL to be a price worth paying in the fight against worms. ®

link

[Alan Waddington]

I think they were blocking those before, except 593 which is a new one on me. I'd really rather they didn't block ports above 1024 though.

[MetaWraith]

the announcement notice is at
http://www.ntlworld.com/tunnel.php?task=portBlocking

Quote:

Originally Posted by Alan Waddington

I think they were blocking those before, except 593 which is a new one on me. I'd really rather they didn't block ports above 1024 though.

It does seem pretty stupid to introduce "protection" that can generate page not found errors.

Are NTL going to actively inform customers of this change?

[altis]

As previously announced in this thread:
http://www.cableforum.co.uk/board/showthread.php?t=3427

Quote:

Originally Posted by dr wadd

It does seem pretty stupid to introduce "protection" that can generate page not found errors.

Are NTL going to actively inform customers of this change?

There is nothing new in that list - it is the same ports they have always been blocking.

[andrew_wallasey]

Quote:

Originally Posted by dr wadd

It does seem pretty stupid to introduce "protection" that can generate page not found errors.

Are NTL going to actively inform customers of this change?

Why would they?

It would go straight over 99.9999999% of most users heads and involve a lot of people phoning up c/s confused about the letter.

[Stuart]

Quote:

Originally Posted by dr wadd

It does seem pretty stupid to introduce "protection" that can generate page not found errors.

Are NTL going to actively inform customers of this change?

Which would you rather have? A few page not found errors or potentially thousands more PCs infected by viruses because their owners haven't bothered to patch them? At least with the most common ports blocked (which NTL have done), then there is less chance of infection.

[Matth]

If they were TRUE inbound connection blocks, they would have no effect on web pages - if they could implement them that way, there's a sizeable shopping list of ports I'd like to see added.

2745, 5000, 5554, 6129, 9898 - and possibly 1025-1029
In other words, most of the pollution that's currently around - probably less than the junk they're already blocking - my firewall logs got a hell of a lot shorter when they did that!

Quote:

Originally Posted by Matth

If they were TRUE inbound connection blocks, they would have no effect on web pages - if they could implement them that way, there's a sizeable shopping list of ports I'd like to see added.

2745, 5000, 5554, 6129, 9898 - and possibly 1025-1029
In other words, most of the pollution that's currently around - probably less than the junk they're already blocking - my firewall logs got a hell of a lot shorter when they did that!

They are true inbound syn blocks.

As its the CM's that are doing the blocking their may be a limit to how many they can do. It's also somewhat pointless as nothing on your machine should be listening on those ports anyway (which is also the case for port tcp 27374).

[nate]

Quote:

Originally Posted by Pem

They are true inbound syn blocks.

As its the CM's that are doing the blocking their may be a limit to how many they can do. It's also somewhat pointless as nothing on your machine should be listening on those ports anyway (which is also the case for port tcp 27374).

AFAIK it's not the CM's doing the blocking, as the same ports are blocked on dialup too, new ports will be blocked as and when needed.

[quadplay]

For broadband customers, the blocking is done by the CM or STB. For narrowband customers, it's done elsewhere.