
SANS ISC InfoSec Handlers Diary Blog



Cyber Security Awareness Month - Day 1 - Port 445 - SMB over TCP

Published: 2009-09-30
Last Updated: 2009-10-01 20:43:23 UTC
by Chris Carboni (Version: 1)

Port 445 provides SMB over TCP. From Microsoft: "Windows supports file and printer sharing traffic by using the Server Message Block (SMB) protocol directly hosted on TCP. This differs from earlier operating systems, in which SMB traffic requires the NetBIOS over TCP (NBT) protocol to work on a TCP/IP transport."

If not at the top of the list, port 445 is always somewhere in the Top 10 list generated from DShield data for targets, sources and reports. Just a quick look at the activity graph shows a huge number of systems that are scanning from and being scanned on 445. This traffic has become much of the background noise on the Internet.

And it's no wonder.  How many worms and bots can you think of off the top of your head that use 445 to scan or exploit other systems?

If you're reading this diary, then hopefully you know to make sure port 445 is blocked at your firewall. If, for some reason, you didn't know to do this, stop what you're doing and block it now. I'll wait. :)

Blocking 445 at the firewall is relatively easy and solves many problems. The real issue with 445 is internal.

445 needs to be open in Windows environments and is a prime conduit for the spread of malware internally.

So what can you do to protect yourself?  If you have a good way to limit internal traffic on port 445 in your network, send us a note or leave a comment and I'll post interesting notes as they come in.

Tracy sent a note mentioning one of my favorite ways to mitigate exposure due to 445 being open internally: HIPS.

He writes,

There are several great tools out there that you can use; my preference is a Host based IPS (HIPS). Depending on the maker of the product you have a wide array of options that you can use to keep the system safe. Some HIPS programs provide the buffer overflow protection for processes that are standard in MS Windows, and they can detect scans of the machine and block all traffic from a host for a period of time. Adding in the fact that they can also get signature updates and create custom signatures, this product gives you the best LAN protection while maintaining a well balanced CIA pyramid.

Well said.  Thanks Tracy!
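
As an added illustration (not part of the original diary, and not the logic of any particular HIPS product), the Python below applies the scan-detection idea Tracy describes to internal flow logs: it flags any host that contacts an unusually large number of distinct peers on TCP/445 within a short window. The log format, addresses, thresholds and function names are assumptions constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    # Assumed log format: "ISO-timestamp src dst dport action"
    ts, src, dst, dport, _action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_smb_scanners(lines, window=timedelta(seconds=60), max_peers=10,
                      allowed_servers=frozenset()):
    """Return {src: time of first alert} for hosts that reach more than
    max_peers distinct destinations on TCP/445 inside the sliding window.
    Destinations in allowed_servers (known file servers) are not counted."""
    recent = defaultdict(deque)          # src -> deque of (ts, dst)
    alerts = {}
    for ts, src, dst, dport in sorted(map(parse, lines)):
        if dport != 445 or dst in allowed_servers:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:     # drop flows older than the window
            q.popleft()
        if src not in alerts and len({d for _, d in q}) > max_peers:
            alerts[src] = ts
    return alerts

def build_sample():
    """Constructed sample data: normal file-server use plus one internal sweep."""
    base = datetime(2009, 10, 1, 9, 0, 0)
    lines = [f"{base.isoformat()} 10.1.4.21 10.1.2.11 80 ALLOW"]  # non-SMB noise
    # Three clients repeatedly talking to one file server (expected traffic).
    for i in range(20):
        t = (base + timedelta(seconds=15 * i)).isoformat()
        for client in ("10.1.4.21", "10.1.4.22", "10.1.4.23"):
            lines.append(f"{t} {client} 10.1.2.10 445 ALLOW")
    # One workstation touching 30 different peers, one per second.
    for i in range(30):
        t = (base + timedelta(seconds=120 + i)).isoformat()
        lines.append(f"{t} 10.1.4.77 10.1.5.{i + 1} 445 ALLOW")
    return lines

if __name__ == "__main__":
    for src, when in find_smb_scanners(build_sample()).items():
        print(f"{when.isoformat()} possible 445 sweep from {src}")
```

A sweep paced slower than the window stays under the threshold, so the window and peer count need tuning against what normal workstation-to-workstation SMB looks like on your network.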
   

 

Christopher Carboni - Handler On Duty
