
Filtering MS UDP ports?


Thomas T. Veldhouse
Jun 19, 2006, 3:14:32 PM

Does Comcast filter the Microsoft UDP ports by default? I just scanned a host
that I know has its firewall configured to block all incoming UDP requests,
and yet, I see the following:

PORT STATE SERVICE
135/udp open msrpc
136/udp open profile
137/udp open netbios-ns
138/udp open netbios-dgm
139/udp open netbios-ssn
520/udp open route

Thoughts?

--
Thomas T. Veldhouse
Key Fingerprint: 2DB9 813F F510 82C2 E1AE 34D0 D69D 1EDC D5EC AED1

Barry Margolin
Jun 19, 2006, 9:33:05 PM

In article <a_6dnQwQTqYFagvZ...@giganews.com>,
"Thomas T. Veldhouse" <vel...@yahoo.com> wrote:

> Does Comcast filter the Microsoft UDP ports by default? I just scanned a host
> that I know has its firewall configured to block all incoming UDP requests,
> and yet, I see the following:
>
> PORT STATE SERVICE
> 135/udp open msrpc
> 136/udp open profile
> 137/udp open netbios-ns
> 138/udp open netbios-dgm
> 139/udp open netbios-ssn
> 520/udp open route
>
> Thoughts?

They claim to filter the netbios ports. I don't think they filter port
520 -- I can't think of a reason why they should.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***

Rick Merrill
Jun 20, 2006, 8:04:25 AM

Barry Margolin wrote:

> In article <a_6dnQwQTqYFagvZ...@giganews.com>,
> "Thomas T. Veldhouse" <vel...@yahoo.com> wrote:
>
>>Does Comcast filter the Microsoft UDP ports by default? I just scanned a host
>>that I know has its firewall configured to block all incoming UDP requests,
>>and yet, I see the following:
>>
>>PORT STATE SERVICE
>>135/udp open msrpc
>>136/udp open profile
>>137/udp open netbios-ns
>>138/udp open netbios-dgm
>>139/udp open netbios-ssn
>>520/udp open route
>>
>>Thoughts?
>
>
> They claim to filter the netbios ports. I don't think they filter port
> 520 -- I can't think of a reason why they should.
>

Could that be for mainly historical reasons? Weren't some of the early
connections (e.g. in CT) built like a LAN (your neighbors could 'see'
your computer)?

Thomas T. Veldhouse
Jun 20, 2006, 8:37:26 AM

Barry Margolin <bar...@alum.mit.edu> wrote:
>
> They claim to filter the netbios ports. I don't think they filter port
> 520 -- I can't think of a reason why they should.
>

I know that none of the ports I listed were actually open on the machine that
I scanned.

Steve Baker
Jun 20, 2006, 9:21:34 AM

On Mon, 19 Jun 2006 14:14:32 -0500, "Thomas T. Veldhouse"
<vel...@yahoo.com> wrote:

>Does Comcast filter the Microsoft UDP ports by default? I just scanned a host
>that I know has its firewall configured to block all incoming UDP requests,
>and yet, I see the following:
>
>PORT STATE SERVICE
>135/udp open msrpc
>136/udp open profile
>137/udp open netbios-ns
>138/udp open netbios-dgm
>139/udp open netbios-ssn
>520/udp open route
>
>Thoughts?

What did you use to get that info? No response at all is reported as
"open" by nmap (see below). If other UDP ports are reported as "closed",
that means that the host is *not* blocking UDP packets.
Fooling around a bit indicates that those ports are filtered by
Comcast... but I can't be sure that they're not filtered by the host/ISP
I was testing from.

"UDP scans: This method is used to determine which
UDP (User Datagram Protocol, RFC 768) ports are
open on a host. The technique is to send 0 byte
udp packets to each port on the target machine. If
we receive an ICMP port unreachable message, then
the port is closed. Otherwise we assume it is
open."

--
Steve Baker

Thomas T. Veldhouse
Jun 20, 2006, 9:45:22 AM

Exactly. The machine responded unreachable only for those ports ... but those
ports were not configured differently than any other UDP port, which were all
closed on that machine. Sounds to me like Comcast is simply taking UDP
packets directed at those ports and dropping them into the bit bucket.

Barry Margolin
Jun 21, 2006, 12:09:14 AM

In article <eYKdnQEKy8JvZgrZ...@giganews.com>,

Which is exactly what you'd expect filtering on a cable modem to do.

Thomas T. Veldhouse
Jun 21, 2006, 8:31:39 AM

Which is exactly why I asked if anybody knows of active filtering by Comcast,
because I seem to be seeing proof of it. I don't mind these ports being
filtered, as long as it is limited to those ports.

D
Jun 21, 2006, 8:58:35 AM

Thomas:

It is limited to only those ports, especially port 135. It is part of Comcast's
security policy!

"Thomas T. Veldhouse" <vel...@yahoo.com> wrote in message
news:RqKdnSZSvuK2oQTZ...@giganews.com...

Steve Baker
Jun 21, 2006, 5:51:56 PM

I agree with your conclusion, but... a couple of things aren't quite
adding up. The machine did not respond with "unreachable" for those
ports, it didn't respond at all (it didn't see the packets). The ports
reported as "closed" triggered an "unreachable" response. That sounds
like just tripping over terminology, except that you said "I just scanned
a host that I know has its firewall configured to block all incoming UDP
requests". That host is *not* blocking incoming UDP packets, it is
receiving them and responding to them.

BTW, Comcast is also filtering TCP ports 135-139, and 445.
And another one over 1023, I'm pretty sure, but I don't remember which
one.

--
Steve Baker

Thomas T. Veldhouse
Jun 21, 2006, 8:46:04 PM

Steve Baker <bak...@comcast.net> wrote:
> On Tue, 20 Jun 2006 08:45:22 -0500, "Thomas T. Veldhouse"
> <vel...@yahoo.com> wrote:
>
>>Exactly. The machine responded unreachable only for those ports ... but those
>>ports were not configured differently than any other UDP port, which were all
>>closed on that machine. Sounds to me like Comcast is simply taking UDP
>>packets directed at those ports and dropping them into the bit bucket.
>
> I agree with your conclusion, but... a couple things aren't quite
> adding up. The machine did not respond with "unreachable" for those
> ports, it didn't respond at all (it didn't see the packets). The ports
> reported as "closed" triggered an "unreachable" response. That sounds
> like just tripping over terminology, except that you said "I just scanned
> a host that I know has its firewall configured to block all incoming UDP
> requests". That host is *not* blocking incoming UDP packets, it is
> receiving them and responding to them.
>

You are correct, I mistyped. That machine would have responded unreachable
for those ports, but instead I am seeing open on the remote scan. Hence, I
believe it to be the result of Comcast filtering those ports.
> BTW, Comcast is also filtering TCP ports 135-139, and 445.
> And another one over 1023, I'm pretty sure, but I don't remember which
> one.
>

The ports I listed are UDP ports. Here is what I see with TCP.

PORT STATE SERVICE
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1080/tcp filtered socks

Again, all ports on that machine should be closed or unreachable.
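To make the inference in this thread concrete (Steve Baker's quoted nmap rule, and Thomas's observation that only the Microsoft ports come back "open" while every other UDP port on the host comes back "closed"), here is a small added simulation. It is not code from the thread or from nmap; the topology, the set of upstream-dropped ports and the host's replies are all constructed.

```python
# Constructed model of the scan in this thread: scanner -> ISP filter -> host.
# Illustrative only; the port sets and replies below are made up, not measured.
from typing import Dict, FrozenSet, Iterable, Optional

# Constructed assumption: an ISP-side filter silently drops UDP probes to
# these ports, so the customer host never sees them (the thread's hypothesis).
ISP_DROPPED_UDP: FrozenSet[int] = frozenset({135, 136, 137, 138, 139, 520})

def host_reply(port: int, listening: FrozenSet[int]) -> Optional[str]:
    """Constructed target host whose firewall *rejects* rather than drops:
    a port with nothing behind it answers ICMP port unreachable; a listening
    UDP service is modelled as silent, since a 0-byte probe rarely gets data."""
    return None if port in listening else "icmp-port-unreachable"

def probe(port: int, listening: FrozenSet[int]) -> Optional[str]:
    """One 0-byte UDP probe; upstream-dropped probes produce no reply at all."""
    if port in ISP_DROPPED_UDP:
        return None
    return host_reply(port, listening)

def classify(reply: Optional[str], modern: bool = False) -> str:
    """nmap's UDP rule as quoted in the thread: ICMP unreachable => closed,
    silence => 'open' (2006-era wording) or 'open|filtered' (later releases)."""
    if reply == "icmp-port-unreachable":
        return "closed"
    return "open|filtered" if modern else "open"

def udp_scan(ports: Iterable[int], listening: FrozenSet[int] = frozenset(),
             modern: bool = False) -> Dict[int, str]:
    return {p: classify(probe(p, listening), modern) for p in ports}

def infer_upstream_filter(results: Dict[int, str],
                          known_listening: FrozenSet[int] = frozenset()) -> FrozenSet[int]:
    """Defender's check: if the host demonstrably answers 'closed' for some
    ports, then silence on ports the admin knows have nothing listening points
    to something upstream dropping those probes. If *nothing* comes back
    closed, the host itself may simply drop everything and no inference holds."""
    if "closed" not in results.values():
        return frozenset()
    return frozenset(p for p, s in results.items()
                     if s != "closed" and p not in known_listening)

if __name__ == "__main__":
    scan = udp_scan([53, 135, 137, 139, 520, 1000])
    for port, state in sorted(scan.items()):
        print(f"{port}/udp {state}")
    print("likely filtered upstream:", sorted(infer_upstream_filter(scan)))
```

Run with `modern=True` to see the same silence reported as `open|filtered`, which is the wording later nmap releases adopted for exactly this ambiguity.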

Ken
Jun 22, 2006, 8:48:46 AM

Go to one of the port test sites. When I do, those ports are not
available. MS has done a number of changes over the years and recent
updates may have changed things. But, netbios may be enabled on your
system. Few require it. But, if it is enabled their firewall will
probably allow it.

You can search Google using PORT TEST and find any number of sites that
will probe your computer. Steve Gibson's site will test the first 1024
and show the results in a minute or so. It is a reliable tester that's
been around for a long time.

I use a hardware firewall that requires me to make ports available as I
have it installed. I have PnP disabled. XP allows processes to open
ports at will unless you have a firewall that has been disabled for PnP
port configuration.

An interesting program to put on one's system is Peer Guardian. Its
major claim to fame is blocking RIAA penetrations but it includes a lot
of 'evil doers' that have been identified. It is an open source program
and interesting to have as it reports sites that are on a very large
list that try to access your system. You might be surprised by the
activity headed your way.

My suggestion to anyone is to use a router with a stateful firewall.
http://en.wikipedia.org/wiki/Stateful_firewall The older versions from
good vendors can be picked up for around $20. I ran one when I had a
single computer attached to the network. It is also very helpful if you
don't have a lot of memory. It moves processing entirely off the
computer. Most come with a program that controls flow out of the
computer. You must authorize all programs that access the net--even
parts of the OS. This gives you control over possible trojans.

Thomas T. Veldhouse
Jun 22, 2006, 8:53:27 AM

Ken <ngroup....@xoxy.net> wrote:
> Go to one of the port test sites. When I do, those ports are not
> available. MS has done a number of changes over the years and recent
> updates may have changed things. But, netbios may be enabled on your
> system. Few require it. But, if it is enabled their firewall will
> probably allow it.
>

Indeed not. That particular system is running FreeBSD and is completely
firewalled off (using PF). That is why I found those scan results so
peculiar.
> You can search Google using PORT TEST and find any number of sites that
> will probe your computer. Steve Gibson's site will test the first 1024
> and show the results in a minute or so. It is a reliable tester that's
> been around for a long time.
>

I use NMAP and other tools from a remote site to scan the computer.

Ken
Jun 22, 2006, 9:09:17 AM

Next time it might help to describe your setup in a bit more detail.

Thomas T. Veldhouse
Jun 22, 2006, 9:12:02 AM

Ken <ngroup....@xoxy.net> wrote:
> Next time it might help to describe your setup in a bit more detail.

Why? Either somebody knows that they filter or they don't know. I was asking
if anybody knew whether Comcast filters those ports. My system is irrelevant
as I already know how to administer it.

Barry Margolin
Jun 22, 2006, 8:28:59 PM

In article <l7SdnRoIoLK_CgfZ...@giganews.com>,
"Thomas T. Veldhouse" <vel...@yahoo.com> wrote:

> Ken <ngroup....@xoxy.net> wrote:
> > Next time it might help to describe your setup in a bit more detail.
>
> Why? Either somebody knows that they filter or they don't know. I was asking
> if anybody knew whether Comcast filters those ports. My system is irrelevant
> as I already know how to administer it.

Yes, Comcast filters the NetBIOS ports. So did ATTBI and MediaOne
before they eventually turned into Comcast. I think most broadband ISPs
have been doing this on their residential lines for years -- when
broadband first started getting popular, it was noticed that many unwary
customers had file sharing enabled without proper security. There was
lots of bad press about how broadband customers were open to the entire
Internet, so most of them implemented filters on the residential lines,
and they're still there now.

Steve Baker
Jun 22, 2006, 11:07:51 PM

On Thu, 22 Jun 2006 20:28:59 -0400, Barry Margolin <bar...@alum.mit.edu>
wrote:

>Yes, Comcast filters the NetBIOS ports. So did ATTBI and MediaOne
>before they eventually turned into Comcast.

Maybe. But port 135 didn't get filtered until a few days after Blaster
started going around.

--
Steve Baker
