zotob - blocking tcp/445

Bill Nash billn at billn.net
Thu Aug 18 17:08:13 UTC 2005



On Thu, 18 Aug 2005, Roger Marquis wrote:

> My question is not what can we do about bots, we already filter
> these worst case networks, but what can we do to make it worthwhile
> for bot-providers like NETNET to police their own networks without
> involving lawyers?

Establish and document a history that determines peering with that 
network, or its providers, presents a significant risk to your network, 
or that of your customers.

If you've got a view into your traffic that looks like this:

  SELECT source, proto, dstPort, COUNT(destination) AS count
    FROM flows
   WHERE packets < 4
   GROUP BY source, proto, dstPort
   ORDER BY count DESC

Source          proto   dstPort count
62.149.195.129  6       42      13018
203.69.204.250  6       445     12889
213.123.129.237 1       2048    12693
70.17.255.43    6       443     12685
217.132.56.139  6       4899    11056
209.181.111.12  6       135     8148
221.210.149.97  6       4899    7368
212.24.201.220  6       135     6451
172.131.83.244  6       135     6025
209.188.172.66  6       445     5055
80.177.36.162   6       445     4982
64.121.65.197   6       4899    4262
64.32.117.250   6       135     3954
213.144.99.241  6       445     3493
64.231.44.65    6       135     3157
213.123.129.237 6       139     2988
222.84.236.98   6       1023    2414
222.84.236.98   6       9898    2398
64.228.209.103  6       135     2305

Determining who to consider peering with gets a lot easier. (ASNs left 
off to annoy the truly curious.)

As a provider, we don't want to be filtering heavily, as it invariably 
leads to making allowances for Customer X. The management overhead, as 
well as the impact on packet processing, is too great. It's easier for us 
to be able to monitor and report to our customers what's affecting them, 
and make sure they have the right tools in place to protect them from 
these kinds of shenanigans.

- billn
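The short-flow ranking Bill's query produces, as an added example that is not part of the original post: it runs the same "packets < 4, group by source/proto/dstPort" heuristic over constructed flow records (not real NetFlow data) and counts distinct destinations per group, which is a slightly stricter variant of the post's plain COUNT(destination). All addresses and record layout are assumptions made for the sample.

```python
# Added example, not code from the original NANOG post.
# Rank sources by how many distinct destinations they touched on a given
# proto/port, looking only at short flows (fewer than 4 packets): a TCP
# session that completed its handshake and exchanged data normally has
# more packets than that, so short flows are dominated by unanswered or
# rejected connection attempts, i.e. scanning.
from collections import defaultdict

# Constructed sample flows: (source, destination, proto, dstPort, packets).
# 10.0.0.5 sprays 1-packet flows at tcp/445 across 40 hosts (scanner-like),
# 10.0.0.7 does the same at tcp/135 across 12 hosts,
# 10.0.0.9 holds a few long tcp/443 sessions (ordinary client traffic).
SAMPLE_FLOWS = (
    [("10.0.0.5", f"192.0.2.{i}", 6, 445, 1) for i in range(1, 41)]
    + [("10.0.0.5", "192.0.2.1", 6, 445, 1)]  # repeat destination, counted once
    + [("10.0.0.7", f"203.0.113.{i}", 6, 135, 2) for i in range(1, 13)]
    + [("10.0.0.9", f"198.51.100.{i}", 6, 443, 57) for i in range(1, 6)]
)


def scan_sources(flows, max_packets=4):
    """Return [(source, proto, dstPort, distinct_destination_count)] sorted
    by count descending, using only flows with packets < max_packets."""
    dests = defaultdict(set)
    for src, dst, proto, dport, packets in flows:
        if packets < max_packets:
            dests[(src, proto, dport)].add(dst)
    rows = [(src, proto, dport, len(d)) for (src, proto, dport), d in dests.items()]
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def format_table(rows):
    """Render the ranking in the same column layout as the post's table."""
    lines = ["Source          proto   dstPort count"]
    for src, proto, dport, count in rows:
        lines.append(f"{src:<15} {proto:<7} {dport:<7} {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(scan_sources(SAMPLE_FLOWS)))
```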