Network & Academic Computing Services
Security: UCI campus blockade of NetBIOS and other special ports.

NACS > Support > Security > NetBIOS and Special Port Blocking

Summary: NetBIOS, MS-SQL, lpd and other ports (135, 137-139, 445, 515, 593, 1433, 1434) are blocked at the campus border to protect against scans and certain attacks and worms. This affects users who use certain Microsoft Windows functions from off campus (such as Exchange or shared files).


NetBIOS and Special Ports Blocked

As of 8 a.m., November 5, 2002, Microsoft Windows NetBIOS and certain other well-known Microsoft Windows ports became unavailable from off campus. These ports are blocked at the UCI campus border to protect campus systems from common hostile scans and certain types of attacks and Internet worms. The decision to block these ports was made in consultation with UCI School Computing Coordinators (SCCs). Network and Academic Computing Services (NACS) has placed these restrictions in order to protect campus computers from unauthorized access to these ports.

At the same time, a campus VPN service became available which allows authorized users to bypass the blocked ports. Users of Cox cable modems and of AT&T broadband services have had NetBIOS ports blocked by their ISP for some time now; the campus VPN service also helps these users.

Port                                                              Date blocked
MS-SQL TCP port 1433                                              22 May, 2002
MS-SQL UDP port 1434                                              07 October, 2002
lpd TCP port 515                                                  late 2001
Microsoft Windows NetBIOS and certain other well-known
  Microsoft Windows ports (including 135, 137-139, and 445)       November 5, 2002
Microsoft Windows port 593                                        July 18, 2003

What are NetBIOS Ports?

NetBIOS ports are required for certain Windows network functions such as file sharing. But these ports also reveal information about your computer which can be exploited by attackers, and they carry vulnerabilities which are widely used to break into systems. Because they are used for file sharing, these ports can be used by unauthorized individuals to reach data on your computer.


What ports will be blocked, and where?

Ports Blocked

  • NetBIOS
  • lpd tcp: 515
  • MS-SQL TCP: 1433
  • MS-SQL UDP: 1434
  • TCP and UDP Ports: 135, 137-139, and 445
  • UDP Port 593

Where are the ports blocked?

  • Campus border router - all traffic in and out of UCI goes through here

Where are the ports NOT blocked?

  • Campus (824-9999) dial-in modems
  • Other dial-in modem pools (at this time)
  • Between Residential Housing and campus hosts
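The lists above amount to a filtering policy: block the named ports only for traffic that crosses the campus border, leave campus-to-campus traffic (including Residential Housing to campus) alone, and let authenticated VPN users through. The following Python model of that decision is an added example, not NACS's router configuration. It assumes that 128.195.0.0/16 (the Residential Housing range, the only campus prefix named on this page) stands in for the campus address space, and it models VPN use as a flag on the flow; a real policy would list every campus prefix.

```python
"""Model of the UCI border port filter described on the page (added example, not NACS code)."""
import ipaddress
from dataclasses import dataclass

# Ports the page lists as blocked at the campus border, per protocol.
BLOCKED_PORTS = {
    "tcp": {135, 137, 138, 139, 445, 515, 1433},
    "udp": {135, 137, 138, 139, 445, 1434, 593},
}

# Assumption: only the Residential Housing prefix the page names is used to stand in
# for "campus"; a real deployment would enumerate every campus network here.
CAMPUS_NETS = [ipaddress.ip_network("128.195.0.0/16")]


def is_campus(addr: str) -> bool:
    """True if the address falls inside one of the campus prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int          # destination port of the connection
    via_vpn: bool = False  # assumption: flow arrives through the authenticated campus VPN


def border_verdict(flow: Flow) -> str:
    """Return 'allow' or 'block' as the border router policy on the page would.

    Campus-to-campus traffic never reaches the border filter, VPN users bypass it,
    and everything else is blocked only if the destination port is on the list.
    """
    crosses_border = is_campus(flow.src) != is_campus(flow.dst)
    if not crosses_border:
        return "allow"      # e.g. Residential Housing <-> campus hosts, untouched
    if flow.via_vpn:
        return "allow"      # authenticated VPN traffic bypasses the blockade
    if flow.dport in BLOCKED_PORTS.get(flow.proto.lower(), set()):
        return "block"
    return "allow"


if __name__ == "__main__":
    # Constructed flows: an off-campus host (203.0.113.5, documentation range)
    # reaching into campus, and a campus host going out.
    samples = [
        Flow("203.0.113.5", "128.195.10.20", "tcp", 445),               # SMB from outside: block
        Flow("203.0.113.5", "128.195.10.20", "tcp", 445, via_vpn=True), # same, over VPN: allow
        Flow("128.195.1.1", "128.195.2.2", "tcp", 139),                 # housing -> campus: allow
        Flow("128.195.1.1", "203.0.113.5", "udp", 1434),                # outbound SQL Slammer port: block
        Flow("203.0.113.5", "128.195.10.20", "tcp", 80),                # web traffic: allow
    ]
    for f in samples:
        print(f"{f.proto}/{f.dport} {f.src} -> {f.dst} vpn={f.via_vpn}: {border_verdict(f)}")
```

Note that the page lists 1434 only as a UDP port and 593 only as a UDP port, so the model blocks them on those protocols alone; check the actual router ACL rather than this table before relying on it.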


Is there really a problem with these ports?

Yes! While NACS realizes that it is inconvenient to some users that these ports are blocked, the majority of computers at UCI do not require them. Most people do not share files using Windows file sharing mechanisms; however, these ports are usually open on most Windows-based computers. Unsuspecting members of the campus community have their computers hacked daily. The School Computing Coordinators (SCCs) support using the blockade to stop this activity. In fact, here is a sample email from Steve Carlyle, Computer Resource Manager in the School of Biological Sciences, and an SCC on campus.

NetBIOS ports 137, 138, and 139 are sometimes called "Scanner Bait" ports (and lately, 445 is getting scanned a lot also), because when detected by hacker scanners they offer an enticing target. Scanners--which are freely downloadable from the Internet--seek out and locate Windows file and printer shares. Malicious computer vandals leave these scanners running 24 hours a day, collecting IP addresses that look vulnerable or have Windows shares to try to exploit. UCInet is scanned constantly by such scanners. If your IP address is one selected, these vandals "map" that shared file or hard drive onto their local drive letters to gain access to your computer's files. (For more information on this, visit the Web pages on this subject created by Steve Gibson, Gibson Research Corporation, at http://grc.com/su-danger.htm )

Internet Security Systems (ISS) says on one Web page discussing port 139 that it, "is the single most dangerous port on the Internet. All "File and Printer Sharing" on a Windows machine runs over this port. About 10% of all users on the Internet leave their hard disks exposed on this port. This is the first port hackers want to connect to."

But beyond just the NetBIOS ports, this blockade extends to all Microsoft ports documented in the Internet Assigned Numbers Authority (IANA) port registry. Most security experts block all of these ports--inbound and outbound-- through a firewall, unconditionally. The reason for this is that new vulnerabilities are continually being discovered which are exploited through these ports and it is unrealistic to expect all campus computers to be fully patched against these exploits 100% of the time. As an example, the so-called Slammer worm hindered the operation of hundreds of thousands of computers, slowed Internet traffic and disrupted thousands of A.T.M. terminals during the weekend of January 24th through the 26th, 2003. This worm, which exploited weaknesses in UDP port 1434 (used by Microsoft SQL software) even compromised machines at Microsoft Corporation itself, as reported by this January 28th, 2003, New York Times article.

The reasons for the addition of port 593 to the list of ports blocked at the UCI campus network border are documented in vu_no_568148-port_593.html.
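The email above describes the pattern a border filter sees: one source sweeping many campus addresses on the "scanner bait" ports 137-139 and 445. The detection logic below is an added example, not a NACS tool; it runs over constructed firewall log lines in a generic "date time action proto src:port -> dst:port" form (not UCI's real log format) and reports sources that probed many distinct campus hosts on those ports within a short window, which is what distinguishes a share scan from a single legitimate connection.

```python
"""Flag Windows-share scanners in firewall logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.9 sweeps seven campus hosts on bait ports in a few
# seconds, while 198.51.100.7 makes two isolated connections half an hour apart.
SAMPLE_LOG = """\
2002-11-05 08:00:01 DENY tcp 203.0.113.9:4312 -> 128.195.3.44:139
2002-11-05 08:00:01 DENY tcp 203.0.113.9:4313 -> 128.195.3.45:139
2002-11-05 08:00:02 DENY tcp 203.0.113.9:4314 -> 128.195.3.46:445
2002-11-05 08:00:02 DENY tcp 203.0.113.9:4315 -> 128.195.3.47:139
2002-11-05 08:00:03 DENY tcp 203.0.113.9:4316 -> 128.195.3.48:445
2002-11-05 08:00:03 DENY tcp 203.0.113.9:4317 -> 128.195.3.49:139
2002-11-05 08:00:04 DENY udp 203.0.113.9:4318 -> 128.195.3.50:137
2002-11-05 08:00:10 DENY tcp 198.51.100.7:51000 -> 128.195.3.44:139
2002-11-05 08:00:11 ALLOW tcp 198.51.100.7:51001 -> 128.195.3.44:80
2002-11-05 08:30:00 DENY tcp 198.51.100.7:51002 -> 128.195.3.60:445
"""

# The ports the email calls "Scanner Bait".
SCANNER_BAIT_PORTS = {137, 138, 139, 445}

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_log(text: str) -> list:
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, action, proto, src, _sport, dst, dport = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "action": action,
            "proto": proto,
            "src": src,
            "dst": dst,
            "dport": int(dport),
        })
    return events


def find_share_scanners(text: str, min_targets: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {source: distinct targets} for sources that probed at least
    `min_targets` distinct hosts on bait ports within any `window`-long span."""
    by_src = defaultdict(list)
    for ev in parse_log(text):
        if ev["dport"] in SCANNER_BAIT_PORTS:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    hits = {}
    for src, probes in by_src.items():
        probes.sort()
        best = 0
        # Sliding window anchored at each probe: count distinct destinations that
        # fall within `window` of it.  Quadratic, fine for a batch of log lines.
        for i, (start, _) in enumerate(probes):
            targets = {dst for ts, dst in probes[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in find_share_scanners(SAMPLE_LOG).items():
        print(f"{src}: probed {n} campus hosts on NetBIOS/SMB ports within 5 minutes")
```

The threshold and window are deliberately conservative: a single workstation legitimately mounting one share never touches five distinct hosts in five minutes, so the rule produces few false positives while still catching a sweep like the one the email describes.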


So, tell me again, what is affected?

  • Ports 135, 137-139, 445 and 593 are blocked.
    This affects off-campus computers that wish to connect to on-campus Windows shares (shared drives, directories, files or printers) or to log in to Windows boxes on campus from off campus, unless a campus VPN connection is used.
  • Residential Housing computers on 128.195.xxx.xxx networks are not affected for sharing to and from campus, but, like all other campus computers, are blocked from networks outside of UCI. This also stops malicious scanners from identifying your shared resources: these ports are invisible to scanners.
  • MS-SQL ports 1433 and 1434 are blocked, so access to on-campus Microsoft SQL servers is affected for off-campus users unless they are using a campus VPN connection.
  • Access to lpd (line printer daemon) services on campus from off-campus computers is affected unless those computers are using a campus VPN connection.


What can I do if I want to use shares?

If you are affected because you mount campus shares from off-campus, the campus VPN service provided by NACS will allow you to continue to mount the shares. On-campus file-sharing is not affected, and the VPN is not required for that. The VPN service provides an authenticated way for you to bypass the port blocking on the border router, and encrypts the traffic so no one can watch your traffic and pick out passwords or other sensitive information.

More information on the VPN service is available at http://www.nacs.uci.edu/security/vpn.html. Remote logins may be done using Windows 2000's Terminal Services or XP's Remote Desktop.




University of California, Irvine