Legit traffic misread and shut down in Blaster panic

In a frank and brave assessment of the W32.Blaster worm fallout, Expert Information Services technical director Daniel Piva said there was plenty of overreaction by Australian enterprises.

With nearly a decade of experience providing IT security consultancy to some of Australia's biggest names including the National Australia Bank, ANZ, Telstra and the federal government, Piva said blue-chip companies went into unnecessary panic.

He said there are examples of leading companies mistakenly diagnosing healthy traffic as a Blaster worm attack, shutting down critical applications at a hefty cost to the organisations.

"There was shutdown for legitimate traffic and the mistake was only realised later," Piva said.

While companies move swiftly in times of worm outbreaks, on the whole, Piva believes companies are in a state of denial when it comes to the security of their IT systems.

The security focus has always been at the infrastructure level, he said, with the application layer neglected.

"Both are managed independently, opening the door for security breaches; with the advent of Web services there will be more app-to-app communications creating real potential for exposure," Piva said.

In the wake of the Blaster worm, the SANS Institute has called on Internet service providers (ISPs) to take security matters into their own hands by blocking access to communications ports on their customers' computers.

Entitled "Internet Service Providers: The Little Man's Firewall," the report was written by Johannes Ullrich, chief technology officer of the SANS Internet Storm Centre, which uses a worldwide network of sensors to track virus outbreaks and other events on the Internet.

The report identifies four communications ports that are commonly left open on Microsoft Windows machines so that users on an office or home network can share files between two Windows systems. However, those ports were never intended to be used to access files over an insecure public network like the Internet, Ullrich said. At least one of the ports, 135, was used by Blaster to locate and infect vulnerable Windows machines on the Internet.

But the four ports were known as handy access points for loosely secured Windows machines long before Blaster appeared in early August, Ullrich said.

"These machines are taken out on a regular basis and used in large scale DDoS (distributed denial of service) attacks," he said. By blocking the ports centrally, ISPs would close an open doorway for attackers without requiring any action by their customers, the report said.

However, Ullrich acknowledged that ISPs serving corporate customers, or larger Internet backbone providers, could disrupt their customers' networks with a blanket port closure.
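The two points the article makes, that a central ISP block of port 135 needs an exemption path for corporate customers, and that a handful of legitimate port-135 connections should not be mistaken for a worm sweep, can both be illustrated over the same flow records. The following is an added example and not code from the article, SANS or Expert Information Services; every address, range and threshold in it is constructed, and since the article names only port 135 among the four file-sharing ports, the policy below blocks that port alone.

```python
"""Defender-side checks over constructed flow records:
1. an ISP-style central block of inbound TCP/135 toward residential
   customers, with an exemption list for corporate ranges, and
2. a scan heuristic that separates a source sweeping many peers on
   port 135 from a source making a few ordinary RPC connections.
All addresses, ranges, thresholds and records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

# Only port 135 is named in the article, so only it is blocked here.
BLOCKED_INBOUND_PORTS = {135}

# Assumed corporate customer range exempted from the blanket block,
# reflecting the caveat that blanket closure can disrupt such networks.
CORPORATE_EXEMPT = [ipaddress.ip_network("203.0.113.0/24")]

def is_exempt(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CORPORATE_EXEMPT)

def isp_policy(flow: Flow) -> str:
    """Return 'drop' or 'pass' for an inbound flow toward a customer."""
    if (flow.proto == "tcp" and flow.dport in BLOCKED_INBOUND_PORTS
            and not is_exempt(flow.dst)):
        return "drop"
    return "pass"

def apply_policy(flows):
    """Count how many flows the policy would drop and pass."""
    counts = {"drop": 0, "pass": 0}
    for f in flows:
        counts[isp_policy(f)] += 1
    return counts

def find_scanners(flows, port=135, min_targets=20):
    """Sources that contact at least `min_targets` distinct hosts on `port`.
    A few connections (ordinary RPC use) stay below the threshold, which is
    the distinction the overreaction described in the article missed."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == port:
            targets[f.src].add(f.dst)
    return sorted(src for src, dsts in targets.items()
                  if len(dsts) >= min_targets)

def sample_flows():
    """Constructed records: one sweeping source, one legitimate source."""
    flows = [Flow("198.51.100.7", f"192.0.2.{i}", 135) for i in range(1, 41)]
    flows += [Flow("198.51.100.8", f"192.0.2.{i}", 135) for i in range(1, 4)]
    flows.append(Flow("198.51.100.8", "192.0.2.10", 80))
    flows.append(Flow("198.51.100.9", "203.0.113.5", 135))
    return flows

if __name__ == "__main__":
    flows = sample_flows()
    print("policy counts:", apply_policy(flows))
    print("sweeping sources:", find_scanners(flows))
```

The threshold on distinct destinations is the design choice worth noting: a per-source count of port-135 attempts alone would also flag a busy but legitimate RPC client, whereas a sweep is characterised by breadth of targets, not volume to one host.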
