
Re: [Cs-club] Why IRC is blocked on campus



Simply blocking netbios ports could keep more computers from being compromised (potentially, I'll explain in a moment). But any computer that was compromised and not cleaned would continue to be an IRC bot. Being that there are thousands of computers on campus, it would be impossible to track them all down before unblocking the port, as conceptually, someone would have to physically visit all machines. The tech department on campus has been horribly behind until recently; they are just now beginning to catch up. Even if they had the manpower to visit all machines, each computer seems to have been compromised manually, by a person, so there are no static indications of the attack. Each computer has its nuances, which would make for a long time to thoroughly check each machine. Alternately, we could unblock the port and diligently watch the traffic, to detect each IRC bot, and systematically remove them. That too, takes time.

However, a compromised computer is known in the security world as being "owned". Once a computer is owned it is not your computer anymore. I believe it would be possible for someone to use a compromised computer to compromise other computers inside our network, because once they are inside the netbios ports are no longer blocked from them. Does this make sense to anyone?

Netbios was not blocked because of university philosophy that drives network philosophy. Universities want everything to be open in the interest of study. Therefore a university network policy is to keep all ports open so people can explore. The campus network started with all ports open, and when problems arise we close them. A business, in contrast, knows what applications they want their employees to use, so they close all unneeded ports. Does this make sense?

I'm sorry if these points have not been articulated fully. Please ask me any questions you may have.

Tony Curreri

At 07:52 AM 9/30/02 -0600, Brian Haynes wrote:
---<snip>---
Would anyone care to know why IRC is blocked?

We were having a problem with computers all over campus, MIO servers, GIS lab computers, a few over in clow teaching, even our own laptop in the networking department. These computers were compromised via a vulnerability with Windows Netbios ports (like port 447 or something) wherein the attacker would get a command line going on the machine; once he/she owned the machine, they would set up an IRC bot and use it to host files. Files like "big time racing" (a crappy video game) and moviez (haha, I used a 'z'). So we blocked the netbios ports and the IRC port. They should not be able to compromise more machines, but IRC is blocked to keep them from using the machines that are already compromised. For now, IRC is blocked indefinitely. It seems that it will be blocked until someone can come up with a legitimate use for IRC, as right now it is seen by campus network security people as a threat. And no, chatting is not a good enough reason--use AIM (er, GAIM) or something to chat :)
---<snip>---
Maybe I don't understand this correctly, but couldn't you simply block Netbios, remove the IRC bot from the compromised machines, and be fine? Secondly, why wasn't Netbios blocked from the outside anyhow? In my understanding, there should be no reason why you would need to connect to a machine outside campus using Netbios, hence why you can block it and no one cares. I wonder if someone was trying to pull the same exploit on my laptop the other day. Four or five IPs kept sending UDP packets to ports 1025 and 1026 (Netbios) and ZoneAlarm just kept blocking them. :)
     -Brian
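As an added example (not part of the thread), here is a small Python triage script for the approach Tony describes: watching traffic to pick out the campus hosts that behave like IRC bots, and Brian's question of which outside hosts are hitting NetBIOS ports that should be filtered at the border. The campus address range, port lists and flow records are all constructed assumptions.

```python
"""Triage flow records for the two symptoms described in the thread:
internal hosts holding long-lived IRC sessions (candidate bots) and
external hosts probing NetBIOS/SMB ports (to be dropped at the border).
Flow lines are constructed for this example; ranges and ports are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("10.0.0.0/8")       # assumed campus address range
IRC_PORTS = {6667, 6668, 6669, 7000}    # common IRC daemon ports
NETBIOS_PORTS = {137, 138, 139, 445}    # NetBIOS name/datagram/session, SMB over TCP

# Constructed flow log: "src dst proto dport duration_seconds bytes"
FLOWS = """\
10.1.20.14 198.51.100.7 tcp 6667 43200 18400
10.1.20.14 198.51.100.7 tcp 6667 86400 25100
10.2.8.3 203.0.113.9 tcp 80 12 51200
10.3.5.77 198.51.100.7 tcp 6667 40 900
192.0.2.44 10.1.20.14 udp 137 1 78
192.0.2.44 10.1.20.15 tcp 139 1 60
192.0.2.44 10.1.20.16 tcp 445 1 60
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        src, dst, proto, dport, dur, nbytes = line.split()
        flows.append({"src": ip_address(src), "dst": ip_address(dst), "proto": proto,
                      "dport": int(dport), "duration": int(dur), "bytes": int(nbytes)})
    return flows
def suspected_irc_bots(flows, min_duration=3600):
    """Campus hosts with IRC sessions to off-campus servers lasting over an hour:
    a person chatting for 40 s is not flagged, a bot idling in a channel all day is."""
    hits = defaultdict(int)
    for f in flows:
        if (f["src"] in CAMPUS and f["dst"] not in CAMPUS and f["proto"] == "tcp"
                and f["dport"] in IRC_PORTS and f["duration"] >= min_duration):
            hits[str(f["src"])] += 1
    return dict(hits)

def external_netbios_probes(flows):
    """Off-campus sources hitting NetBIOS/SMB ports on campus hosts."""
    probes = defaultdict(set)
    for f in flows:
        if f["src"] not in CAMPUS and f["dst"] in CAMPUS and f["dport"] in NETBIOS_PORTS:
            probes[str(f["src"])].add(str(f["dst"]))
    return {src: sorted(dsts) for src, dsts in probes.items()}

if __name__ == "__main__":
    print(suspected_irc_bots(parse_flows(FLOWS)), external_netbios_probes(parse_flows(FLOWS)))
```

Hosts returned by suspected_irc_bots are the ones worth a visit once IRC is unblocked; the probe list shows the border rule is still doing work even after the inside is cleaned.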

_______________________________________________
Computer Science Club's mailing list
cs-club@list.acs.uwosh.edu