Xtra has for the first time begun blocking an internet traffic channel that is frequently used by worms, viruses and other malware.
The internet provider is temporarily blocking all network traffic to port 135 on PCs, the port used by the Windows remote procedure call (RPC) service. Port 135 is targeted by the Blaster worm that infected hundreds of thousands of Windows computers last month. Some commentators said as many as a million computers could have been infected in 48 hours.
The RPC service is used mainly by Windows machines sharing files over networks. Although it is considered best practice to block incoming access to port 135 at firewalls, users without firewalls or those who get a worm through another means — such as an infected laptop placed on an internal network — are still vulnerable.
Xtra IT manager Neil Forster says the company acted to stop Blaster from spreading, and to reduce the worm’s impact on the networks of corporate and home users.
Forster says Xtra has had no negative feedback from its customers, and is allowing access for users who need it. “In a number of instances we have created a pinhole [an individual connection] for 135,” he says.
Although Forster does believe some customers need to beef up their firewall systems, he agrees that the excess random traffic generated by malware such as Blaster will affect even the most secure networks — including those not running Windows — by bombarding them with unwanted network packets. Blocking that traffic from the Xtra network should alleviate that problem.
It’s the first time Xtra has resorted to port blocking. “I think it’s really because of the nature of the worms that are being created now,” Forster says. “It’s really looking at the impact that the virus or worm has.”
Although blocking the port is a temporary measure, Forster says Blaster still has a noticeable presence on the internet.
“We have noticed an increase in traffic and there seems to be some anecdotal evidence that a number of home users turned their machines off.”
The worm’s presence on the network is felt again when users switch their computers back on, he says.
“There is still a lot of traffic out there that suggests users are still infected.”
Packet filtering is a controversial topic among ISPs. TelstraClear blocked outgoing international traffic on port 135, but doesn’t believe it should block general use of a port, says solution design and support team manager Peter Ambrose.
“We have to be very careful as a carrier what we block and what we don’t,” he says. “We’re a network provider, we’re not a network administrator. If people want to use that port then they should be allowed to do so.”
Ambrose accepts some customers had reduced internet access because of traffic generated by the Blaster worm, but says that’s not a sufficient reason to restrict port 135. “I think the customers that are legitimately using ports that could be blocked would disagree,” he says.
Xtra’s blocking of Blaster traffic may also have helped its network withstand the effects of the worm. Forster says Xtra had no problems dealing with the extra traffic, but Ambrose says some of TelstraClear’s routers struggled.
“We had an impact in sheer volume of traffic,” he says. “We’ve doubled the memory inside the routers that needed it.
“At one stage we had upwards of 30,000 packets a second trying to get into the country.”