Export (0) Print
Expand All

Learn How Your ISA Server Helps Block Blaster Traffic

Cc302615.note(en-us,TechNet.10).gifNote:
This page was first published on August 13 and 15. This page is the third version and was posted on August 22, 2003 at 11:00 A.M. Pacific Time. The second version added a section about additional TCP/UDP ports that should be closed. This third version updates the port list and adds two more executables to the Firewall Application settings.

The first course of action taken against the W32.Blaster.Worm (Blaster) must be protecting and patching all affected computers. Find out what you should know about the Blaster worm. Blaster exploits the vulnerability that was addressed by Microsoft Security Bulletin MS03-026.

The following information explains how to use Microsoft Internet Security and Acceleration (ISA) Server 2000 to help prevent malicious traffic created by Blaster and its variants and to possibly prevent computers on internal networks from additional infection. Unpatched servers running ISA Server in cache mode do not have any protection against Blaster and are themselves vulnerable to attack by this worm.

The first section of this article contains technical details about Blaster:

In addition, this article details three scenarios where ISA Server can mitigate a Blaster attack:

This article also discusses:

Microsoft makes no warranties about this information. In no event shall Microsoft be liable for any damages whatsoever arising out of or with the use or spread of this information. Any use of this information is at the user's own risk.

Table 1 lists affected ports known to be used by Blaster and its variants with potential vectors for exploiting the RPC vulnerability in MS03-026.  At the minimum, you should block those ports used by Blaster. Additionally, you should seriously consider blocking the other ports listed in Table 1. This data is current as of 12:00 P.M. on August 21, 2003; visit the PSS Security Response Team Alert—New Worm: W32.Blaster.worm page for the latest information.

# Port Number IP Protocol Known to Be Used by Blaster?

1

135

TCP

Yes

2

139

TCP

 

3

445

TCP

 

4

593

TCP

 

5

3333

TCP

Yes

6

4444

TCP

Yes

7

69

UDP

Yes

8

135

UDP

 

9

137

UDP

 

10

138

UDP

 

11

666–765

TCP

Yes

By default, servers running ISA Server in firewall or integrated modes effectively help protect against Blaster by blocking the external attacks on the affected ports.

For the network protected by a server running ISA Server to be vulnerable, specific rules would need to be written to allow traffic on these ports.

  • DO enable Internet protocol (IP) packet filtering.
Cc302615.note(en-us,TechNet.10).gifNote:
Customers who have not enabled IP packet filtering should review the packet filtering section of this page.
  • DO use predefined remote procedure call (RPC) protocol definitions when writing server publishing rules. Servers running ISA Server using "Any RPC Server" or "Exchange RPC" will allow normal operation, in addition to protecting internal servers from the worm.
Cc302615.note(en-us,TechNet.10).gifNote:
For instructions on how to do this, review the server publishing rules section of this page.
Cc302615.Caution(en-us,TechNet.10).gifCaution:
Do not create server publishing rules using the ports listed in Table 1.

Default installations of ISA Server in firewall or integrated mode prevent the spread of Blaster to external networks (through Trivial File Transfer Protocol or TFTP). However, if your ISA Server is configured with an "allow all" policy for outbound traffic, then you must create protocol rules to block Blaster on its known ports.

To help prevent outbound attacks through ISA Server:

  • DO create protocol rules that block traffic on all ports listed in Table 1.
Cc302615.note(en-us,TechNet.10).gifNote:
Customers who have not blocked this traffic should review the block outbound traffic procedure on this page. Blocking port 135 TCP outbound will prevent outbound RPC traffic from working across ISA Server.
  • DO disable the Firewall Client for malicious Blaster processes, if the Firewall Client is being used in your environment. If all outbound access is authenticated, this will prevent the worm from acting as a Firewall Client through ISA Server.
Cc302615.note(en-us,TechNet.10).gifNote:
For instructions on how to do this, review the server publishing rules section of this page.
Cc302615.Caution(en-us,TechNet.10).gifCaution:
For instructions how to do this, review the disable malicious Blaster processes section on this page.

A computer that has ISA Server installed is vulnerable to internal attack by the Blaster worm if the attack originates from a computer that is in the ISA Server local address table (LAT). It is vulnerable to external attack if an IP packet filter exists that allows inbound traffic on port 135 TCP.

Cc302615.Caution(en-us,TechNet.10).gifCaution:
To help protect the ISA Server computer itself from a Blaster attack, do not create an IP packet filter that allows inbound traffic on port 135 TCP.

To enable IP packet filtering:

  1. In ISA Management, expand Servers and Arrays, <ISA Server name>, Access Policy.
  2. Right-click IP Packet Filters, select Properties.
  3. Check the Enable Packet Filtering box.
  4. Click OK.

To verify that no server publishing rules use user-defined 135 protocol definitions:

  1. In ISA Management, expand Servers and Arrays, <ISA Server name>,  Policy Elements.
  2. Click Protocol Definitions.
  3. In the right-side pane, click the Port Number column header to sort the list by port number.
  4. Write down the names of any protocol definitions that have port number 135 and "User" in the Defined By column.
  5. In the left pane, expand Publishing.
  6. Click Server Publishing Rules.
  7. Examine all the server publishing rules. If anything in the Protocol column matches the name of a protocol definition that you wrote down in Step 4, that server publishing rule must be disabled or deleted. Use the ISA Server default protocols for RPC instead.

If you are using an "allow all" policy for outbound traffic, protocol definitions need to be created for all ports listed in Table 1, except for #6 (a definition for port 69 UDP already exists and is called TFTP). You should create a protocol definition for each port to be blocked, where:

  • <port number> is the number of the port from the second column of Table 1
  • <IP protocol> is either TCP or UDP

To block outbound traffic on known Blaster ports listed in Table 1:

Cc302615.note(en-us,TechNet.10).gifNote:
Where a listing includes a range of ports, you must repeat Steps 2–8 for each port in the range.
  1. In ISA Management, expand Servers and Arrays, <ISA name Server>, Policy Elements.
  2. Right-click Protocol Definitions, point to New, and then click Definition.
  3. Type Blaster (<port number>, <ip protocol>) in the Protocol Definition Name dialog box and then click Next.
  4. Type <port number> in the Port Number dialog box.
  5. Select <protocol type> in the Protocol Type drop-down list.
  6. Select Outbound from the Direction dialog box.
  7. Click Next.
  8. Select No from the Do you want to use secondary connections? option, and then click Next.
  9. Click Finish.

To prevent traffic on known Blaster ports:

  1. In the left pane, expand Access Policy.
  2. Right-click Protocol Rules, point to New, and then click Rule.
  3. Type Block W32.Blaster.worm in the Protocol Rule Definition Name dialog box and then click Next.
  4. Select Deny from the Response to client requests to use this protocol option.
  5. Select Selected protocols from the Apply this rule drop-down list.
  6. In Protocols, check the boxes for the newly created protocol definitions in Steps 1–9 and TFTP.
  7. Click Next.
  8. Select Always from the Use this schedule drop-down list and then click Next.

The malicious blaster processes known at this time are msblast, penis32, teekids, dllhost, and mspatch. A Firewall Client rule must be created for each process.

To disable the Firewall Client for malicious Blaster processes:

  1. In ISA Management, expand Servers and Arrays, <ISA Server name>.
  2. Click Client Configuration.
  3. In the right pane, right-click Firewall Client and then click Properties.
  4. Click the Application Settings tab.
  5. Click New.
  6. Type msblast in the Application dialog box.
  7. Select Disable from the Key drop-down list.
  8. Select 1 from the Value drop-down list.
  9. Repeat Steps 6–8 two more times, replacing msblast with the other process names.
  10. Click OK.
  11. Click OK.

Disabling the Firewall Client for msblast.exe only prevents the malicious processes on an infected LAT host from acting as a Firewall Client. If the host is also configured as a SecureNAT client, then this setting may have no effect. (To prevent SecureNAT client access across ISA Server, make sure that therne are no anonymous Site and Content or Protocol rules.)

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft