Port filters are not perfect. In particular, the limited filters discussed here leave plenty of room for other vulnerabilities. However, these ports account for a large percentage of malicious activity. While a simple fix using port filters will not work for some problems, filtering ports 135, 137, 139, and 445 will free resources to deal with the more difficult issues, such as attacks against web servers or mail servers that cannot be blocked by a simple firewall. An example is implementing and monitoring network intrusion detection systems (NIDS). NIDS can be used to identify customers infected with a wide range of malware. ISPs will be able to notify customers identified by the NIDS and assist them in cleaning up infected systems. This is only possible if the number of infected customers is small. Blocking ports 135, 137, 139, and 445 will reduce the number of infected customers and may be sufficient to allow notification of the remaining customers.
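The two-stage approach described above, as an added example that is not part of the original paper: an edge filter on ports 135, 137, 139 and 445, followed by a NIDS-style triage that flags customer hosts sweeping many destinations on those ports so the ISP has a short notification list. The flow records, the 10.0.0.0/8 customer addresses and the `min_targets` threshold are constructed assumptions for this example.

```python
from collections import defaultdict

# Ports the paper recommends ISPs filter at the customer edge.
FILTERED_PORTS = {135, 137, 139, 445}

# Constructed flow records for this example: (src, dst, proto, dst_port).
# 10.0.0.5 behaves like a worm-infected host sweeping port 445/135,
# 10.0.0.7 makes a single NetBIOS name lookup, 10.0.0.9 is ordinary traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.1", "tcp", 445),
    ("10.0.0.5", "198.51.100.2", "tcp", 445),
    ("10.0.0.5", "198.51.100.3", "tcp", 445),
    ("10.0.0.5", "198.51.100.4", "tcp", 135),
    ("10.0.0.7", "198.51.100.9", "udp", 137),
    ("10.0.0.9", "203.0.113.10", "tcp", 80),
    ("10.0.0.9", "203.0.113.11", "tcp", 25),
]


def is_filtered(proto, dst_port):
    """True if the edge filter would drop this flow (TCP or UDP to a filtered port)."""
    return proto in ("tcp", "udp") and dst_port in FILTERED_PORTS


def apply_filter(flows):
    """Split flows into those the port filter passes and those it drops."""
    passed = [f for f in flows if not is_filtered(f[2], f[3])]
    dropped = [f for f in flows if is_filtered(f[2], f[3])]
    return passed, dropped


def suspect_hosts(flows, min_targets=3):
    """NIDS-style triage on the traffic the filter saw: sources that reach at
    least min_targets distinct hosts on filtered ports. A worm sweeping a port
    touches many destinations; a single file-share or name lookup does not."""
    targets = defaultdict(set)
    for src, dst, proto, port in flows:
        if is_filtered(proto, port):
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def notification_list(flows, min_targets=3):
    """Customers the ISP should notify, busiest scanner first."""
    hits = suspect_hosts(flows, min_targets)
    return sorted(hits, key=lambda s: (-hits[s], s))


if __name__ == "__main__":
    passed, dropped = apply_filter(SAMPLE_FLOWS)
    print(f"passed={len(passed)} dropped={len(dropped)}")
    print("notify:", notification_list(SAMPLE_FLOWS))
```

Lowering `min_targets` to 1 also surfaces the single UDP/137 lookup from 10.0.0.7, which is the trade-off between a short, confident notification list and catching every host that touched a filtered port.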