Blocked Ports

My applications don't work! Did you block something that is messing me up?

February 19, 2004

Possibly. We have blocked the following ports for security and virus vulnerability reasons:

135 - 139 MS File and Print Sharing
445 MS File and Print Sharing
593 MS File and Print Sharing
1311 Dell vulnerability
1433 - 1434 SQL
3389 MS Remote Desktop Protocol
4444 MS File Sharing Vulnerability

We believe that this restriction will cause no difficulty for legitimate and properly configured services, but will reduce the speed at which certain current vulnerabilities are exploited to take control of Windows systems and others.

What's this all about?

A vulnerability recently announced in current Windows versions represents a major threat to Internet stability. Although a fix is available for individual Windows instances, the risk remaining in the substantial number of instances to which the fix has not been applied is unacceptably high.

Threat

The main published vulnerability allows complete control of a Windows computer. An attacker may use the computer for almost any purpose. In one form of exploit, the attacker installs software to attempt the same exploit on further vulnerable machines and so build up a substantial collection of computing power and network access for their own use.

While the activity is merely the gradual accumulation of control in this way, it may not have a dramatic effect on the legitimate owners' use of their computers or network. They could spot unusual patterns of connections from their compromised machines to other networks, scanning for vulnerable systems and taking them over in turn; but experience shows that where a system manager has not applied the readily available fix for this vulnerability, they are unlikely to pay sufficient attention to such behavior, and the compromise and subsequent propagation will probably go unnoticed.

However, it is possible that a fast-spreading worm or similar program could use the same vulnerability. The propagation activity itself will then be a severe strain on networks, irrespective of any damaging payload which such a worm might include.

In any event a possible result is that unknown and unaccountable individuals and groups are in control of a large pool of Internet resources. When they choose to direct the power of those resources to any specific task they will be able to achieve spectacular effects. Tasks might include the disabling of a Web service, a network link or a whole network; but in the first instance it is likely that there will be some jostling for control of the resources obtained, resulting in attacks by controllers on each other. There will be collateral damage to the networks used and their customers, which is incidental to the task but may be quite disruptive. This pattern of abuse is well-established in the Internet.

It is then possible that an external task will be attempted, with some economic or political motive. Although the qualitative threat is not new, the scale on which power is likely to be available from this vulnerability is greater than in any previous incident and an attack could be very damaging. We think it would be possible to mount an attack at any time from now on.

Impact on the threat

The blocked ports are involved in the propagation of the exploit itself; but once a victim computer is taken over, its control channel may be quite different and any attack for which it is used may use different ports or protocols again. So blocking will slow down and somewhat delay the acquisition of control by attackers but cannot itself eliminate misuse of all the computers already compromised.
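The "unusual patterns of connections" mentioned under Threat, and the port list above, can be turned into a simple check on border-firewall deny records. The following is an added example, not part of the original notice or of Computer Services' own tooling; the log format and the sample records are constructed for illustration, and the threshold of five distinct target hosts is an assumption.

```python
from collections import defaultdict

# Ports this notice says are blocked, with the reason given on the page.
BLOCKED_PORTS = {
    **{p: "MS File and Print Sharing" for p in range(135, 140)},
    445: "MS File and Print Sharing",
    593: "MS File and Print Sharing",
    1311: "Dell vulnerability",
    1433: "SQL", 1434: "SQL",
    3389: "MS Remote Desktop Protocol",
    4444: "MS File Sharing Vulnerability",
}

# Constructed sample of border-firewall deny records (hypothetical format):
# "<timestamp> DENY <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2004-02-19T10:00:01 DENY 10.1.2.3 -> 192.0.2.10:445
2004-02-19T10:00:01 DENY 10.1.2.3 -> 192.0.2.11:445
2004-02-19T10:00:02 DENY 10.1.2.3 -> 192.0.2.12:135
2004-02-19T10:00:02 DENY 10.1.2.3 -> 192.0.2.13:4444
2004-02-19T10:00:03 DENY 10.1.2.3 -> 192.0.2.14:139
2004-02-19T10:00:03 DENY 10.1.2.3 -> 192.0.2.15:445
2004-02-19T10:00:05 DENY 10.9.9.9 -> 192.0.2.20:3389
2004-02-19T10:00:07 DENY 10.9.9.9 -> 192.0.2.20:3389
2004-02-19T10:00:09 DENY 10.5.5.5 -> 192.0.2.30:8080
"""

def parse_denies(log_text):
    """Yield (src, dst, port) for each well-formed DENY line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "DENY" or parts[3] != "->":
            continue
        dst, _, port = parts[4].rpartition(":")
        if not port.isdigit():
            continue
        yield parts[2], dst, int(port)

def find_scanners(log_text, min_targets=5):
    """Return {src: sorted distinct destinations} for sources that hit blocked
    ports on at least min_targets hosts: the fan-out of a host probing others."""
    targets = defaultdict(set)
    for src, dst, port in parse_denies(log_text):
        if port in BLOCKED_PORTS:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, hosts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed blocked ports on {len(hosts)} hosts: {hosts}")
```

A source flagged this way is a candidate compromised machine to check and patch, whereas a single host repeatedly denied on one port (10.9.9.9 above) is more likely a misconfigured legitimate application of the kind the last section addresses.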

What can I do if my application requires the use of these ports?

If you are off campus and are having issues with the blocked ports, you must connect to Missouri State University using the Cisco VPN Client.
Copyright © 2000 Board of Governors, Missouri State University
Maintained by Computer Services Networking