[Techtalk] How to block Blaster Worm from iptables ?

Brenda Bell k15a-list-linuxchix at theotherbell.com
Sat Aug 23 12:22:59 EST 2003

Quoting perimorph <perimorph at mindspring.com>:

> Mohammad,
> I think the best thing to do would be to block both incoming and
> outgoing traffic on the two vulnerable ports.  The infected clients
> will
> still attempt to send packets, but your firewall should silently drop
> them.  That should prevent the virus from getting worse until the
> infected machines can be cleaned.

A solid firewall should only open the ports that are absolutely required. 
I have a NetBSD firewall whose rules initially deny everything to everyone.
 Subsequent rules then open up selective ports (80, 25 and VPN).  Since
Blaster initially comes in over NetBios and then switches ports, it hasn't
been able to penetrate my firewall.

Furthermore, if you think you have to have the NetBios ports open, I'd
recommend taking a serious look at your network infrastructure.  Keeping
these ports open will make it impossible to avoid problems in the future.

> When you said allowing the infected machines to use the network slowed
> it down, did you mean it slowed down your LAN, or it slowed down your
> internet access?  Blocking it from the firewall will only help with the
> internet's speed.  Also, this will do nothing to keep the virus from
> spreading across your LAN if the computers have access to each other. 
> Since these are Windows machines, I'd strongly recommend asking your
> clients to use a basic firewall program such as Zone Alarm to prevent
> worms from spreading internally.

Based on what I've read about Blaster, I believe that internal machines
could only infect each other by first infecting a web server on the
internal network.  I'm not sure this is possible, but I could be wrong.


More information about the Techtalk mailing list