Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: Cyber Security Awareness Month - Day 1 - Port 445 - SMB over TCP - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Cyber Security Awareness Month - Day 1 - Port 445 - SMB over TCP

Port 445 provides SMB over TCP.  From Microsoft  "Windows supports file and printer sharing traffic by using the Server Message Block (SMB) protocol directly hosted on TCP. This differs from earlier operating systems, in which SMB traffic requires the NetBIOS over TCP (NBT) protocol to work on a TCP/IP transport."

If not at the top of the list, port 445 is always somewhere in the Top 10 list generated from Dshield data for targets, sources and reports.  Just a quick look at the activity graph shows a huge number of systems that are scanning from and being scanned on 445.  This has become much of the background noise on the Internet.

And it's no wonder.  How many worms and bots can you think of off the top of your head that use 445 to scan or exploit other systems?

If you're reading this diary, then hopefully you know to make sure port 445 is blocked at your firewall.  If, for some reason you didn't know to do this, stop what you're doing and block it now.  I'll wait.  :)

Blocking 445 at the firewall is relatively easy and solves many problems.  The real issue with 445 internal.

445 needs to be open in Windows environments and is a prime conduit for the spread of malware internally.

So what can you do to protect yourself?  If you have a good way to limit internal traffic on port 445 in your network, send us a note or leave a comment and I'll post interesting notes as they come in.

Tracy sent a note mentioning one of my favorite was to mitigate exposure due to 445 being open internally, HIPS.

He writes,

There are several great tools out there that you can use, my preference is a Host based IPS (HIPS).  Depending on the maker of the product you have a wide array of options that you can use to keep the system safe.  Some HIPS programs provide the buffer overflow protection for processes that are standard in MS Windows, they can detect scans of the machine and block all traffic from a host for a period of time.  Adding in the fact that they can also get signature updates and create custom signatures, this product gives you the best LAN protection with maintaining a well balanced CIA pyramid.

Well said.  Thanks Tracy!
   

 

Christopher Carboni - Handler On Duty

Chris

140 Posts
Thanks for your report on port 445, but
don't forget port 139. If you block port 445, and 139 is still open, you still have problems.

As for blocking port 445/139, its used for way too much internally for MS AD members. MAYBE block 139 to block older worms while leaving 445 open.

If you have 'devices' (medical devices, scada devices, HMI devices) that are not part of the AD network, block those using ACL's and VLANS as long as they are not needed.

Always remember 'least privileged' same concept.
Block everything, then open ports up as needed and according to your written security and user policy.

But who are we kidding when we can't even get people to block port 445/139 on the internet :-(


Anonymous

Posts
It's interesting to review my firewall logs and see TCP 445 hit me from the Internet. It tells me those companies have an "allow all outbound" rule. If they're business partners or vendors I know they are an elevated risk.
Anonymous

Posts
@RJ: I find that "outbound blocking" is really not given all the importance it should get. Even the other sysadmins that are working with me don't always completely grasp the importance of outbound blocking. To help them understand, I always give them as an example a zombie that tries to communicate back to the C&C server, and that usually helps them understand that inbound blocking is not the only thing that matters... but they sometimes tend to forget it again after a while. That tells us that outbound blocking is less intuitive than inbound blocking, and as security workers, we need to work on changing that perception.
Patk7

9 Posts Posts
If a home security power-user/hobbyist wanted to secure their router/network by blocking all outbound traffic (as suggested here), does anyone have any suggestions on which outbound ports to ALLOW, so as to not interfere with general internet use (e-mail, web browsing, etc.)?
Anonymous

Posts
To be completely honest, only organizations that rely on their intellectual property need to pay close attention to outbound restrictions. I have worked for one that went so far as to embed tracking software which ran in the NT kernel address space. If you are not a IP/security company there is practically no reason to block any outbound port. If you're concerned about a zombie spreading spam, the major ISP's already have that covered. Any company with a competent IT staff will already know what to do to prevent these little annoyances coming from unaware infected networks. Only thing that comes to mind is DNS amplification attacks which could be a problem. To get infected it's going to be an inbound threat, not an outbound. That's why very few care about locking down outbound rules. It's more of an annoyance and causes employee productivity downtime for little to no reason at all.

Travis
travisrunyard.com
Anonymous

Posts
Quick question though.... Will Blocking Port 445 at Router suffice or does every system on LAN require it to be blocked..??? Thanks..!!
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!