PlusNet are watching :)

 
 
Dan Wood
Guest
Posts: n/a

 
      01-25-2004, 09:38 AM
Hi folks,
Just thought I'd share something that I didn't know happened on PlusNet,
because I thought it was clever...

A friend has just got broadband with a 'silly' supplier (AOL - why?!) and
asked me if I could see if he'd got his router/PC locked down properly. As
part of my probing, I tried to initiate some traffic on port 135...

My connection was immediately suspended, and my next HTTP request was
intercepted, and replaced by a page from PlusNet advising me of a possible
virus problem. I wonder how many other ISP's have taken such novel steps
against all these port135 type things? AFAIK, many ISPs just block traffic
on that port so I was pleased that PlusNet went one further and actually
told me what they'd done. Clever.

BTW, my connection resumed automatically after 60 seconds in a 'stealthed'
mode with ICMP packets dropped on my behalf by PlusNet. A quick dropping and
reconnecting of my ADSL line brought things back to normal.

Cheers,
Dan.


 
 
 
 
 
me@privacy.net
Guest
Posts: n/a

 
      01-25-2004, 11:06 AM
On Sun, 25 Jan 2004 10:38:23 -0000, "Dan Wood"
<(E-Mail Removed)> wrote:

>part of my probing, I tried to initiate some traffic on port 135...
>
>My connection was immediately suspended, and my next HTTP request was
>intercepted, and replaced by a page from PlusNet advising me of a possible
>virus problem. I wonder how many other ISP's have taken such novel steps
>against all these port135 type things? AFAIK, many ISPs just block traffic
>on that port so I was pleased that PlusNet went one further and actually
>told me what they'd done. Clever.


They are probably fed up with dealing with all the complaints.
Just a matter of setting up an intrusion detection system and linking
it up with the routers.

It'd be good if Pipex could do the same.


 
 
Simon Zerafa
Guest
Posts: n/a

 
      01-25-2004, 11:34 AM
Hi Dan,

I expect PlusNet were looking for signs of PCs infected with the
Nachi/Welchia type virus/worm which have caused a lot of headaches for ISPs.

The excess traffic these types of worms/viruses cause can be a problem; when
these critters were more widespread the traffic they generated did cause
problems for some ISPs.

Kind Regards

Zed
--

"Dan Wood" <(E-Mail Removed)> wrote in message
news:IYMQb.27513$(E-Mail Removed)...
> Hi folks,
> Just thought I'd share something that I didn't know happened on PlusNet,
> because I thought it was clever...
>
> A friend has just got broadband with a 'silly' supplier (AOL - why?!) and
> asked me if I could see if he'd got his router/PC locked down properly. As
> part of my probing, I tried to initiate some traffic on port 135...
>
> My connection was immediately suspended, and my next HTTP request was
> intercepted, and replaced by a page from PlusNet advising me of a possible
> virus problem. I wonder how many other ISP's have taken such novel steps
> against all these port135 type things? AFAIK, many ISPs just block traffic
> on that port so I was pleased that PlusNet went one further and actually
> told me what they'd done. Clever.
>
> BTW, my connection resumed automatically after 60 seconds in a 'stealthed'
> mode with ICMP packets dropped on my behalf by PlusNet. A quick dropping and
> reconnecting of my ADSL line brought things back to normal.
>
> Cheers,
> Dan.
>
>



 
 
Colin Wilson
Guest
Posts: n/a

 
      01-25-2004, 11:38 AM
> My connection was immediately suspended, and my next HTTP request was
> intercepted, and replaced by a page from PlusNet advising me of a possible
> virus problem.


<snip>

Nice to see someone is actually on the ball !

<mental note> start promoting them a little more heavily </mental note>

--
Please add "[newsgroup]" in the subject of any personal replies via email
* old email address "btiruseless" abandoned due to worm-generated spam *
--- My new email address has "ngspamtrap" & @btinternet.com in it ;-) ---
 
 
Beck
Guest
Posts: n/a

 
      01-25-2004, 11:42 AM


Dan Wood wrote:
> Hi folks,
> Just thought I'd share something that I didn't know happened on
> PlusNet, because I thought it was clever...
>
> A friend has just got broadband with a 'silly' supplier (AOL - why?!)
> and asked me if I could see if he'd got his router/PC locked down
> properly. As part of my probing, I tried to initiate some traffic on
> port 135...
>
> My connection was immediately suspended, and my next HTTP request was
> intercepted, and replaced by a page from PlusNet advising me of a
> possible virus problem. I wonder how many other ISP's have taken such
> novel steps against all these port135 type things? AFAIK, many ISPs
> just block traffic on that port so I was pleased that PlusNet went
> one further and actually told me what they'd done. Clever.
>
> BTW, my connection resumed automatically after 60 seconds in a
> 'stealthed' mode with ICMP packets dropped on my behalf by PlusNet. A
> quick dropping and reconnecting of my ADSL line brought things back
> to normal.



My brother is on NTL cable and when one of the big viruses was around last
year, he was unable to connect properly and was forwarded to a page to
download a patch from MS. It was a pain for him as he had already
downloaded the patch. So he ended up with 2 days' down service until he
could convince NTL he had the patch. It was a great idea to secure the
service, but it was very badly implemented. More ISPs should do it to
secure the service, but obviously do it so it works properly.


 
 
Josh Berry
Guest
Posts: n/a

 
      01-25-2004, 01:22 PM
> They are probably fed up with dealing with all the complaints.
> Just a matter of setting up an intrusion detection system and linking
> it up with the routers.
>
> It'd be good if Pipex could do the same.


Just to clear up how we do this, the redbacks (that terminate our ADSL
connections) look for any traffic on port 135. If anything is picked up you
are moved into a restricted connection path which blocks ICMP traffic and
the next http request you make re-directs you to the warning page.

If you disconnect and reconnect you are put back into the normal connection
pool, and providing you have fixed the problem you will not be blocked
again. We have also blocked port 135 and 445 at our border routers (so
people from other ISPs cannot infect people on our network).

The measures were introduced when we worked out exactly how much bandwidth
was being used up by the worm (a couple of percent - which is plenty when
you consider that's for 10x155Mb pipes). I would guess that most of the
larger ISPs (or those that use their own termination equipment anyway)
could implement this if they wanted.

Glad to see that you are impressed

Regards,

+ ----
| Josh Berry ....................Unmetered & ADSL solutions
| Technical Support........................for Home & Business
| PlusNet Technologies Ltd............@ http://www.plus.net
+ ---- My Referrals - It pays to recommend PlusNet ---+
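
The session policy described in the post above, modelled as a small state machine (an added example, not part of the original post and not PlusNet's configuration). The event format, the action names and the reading that only the first HTTP request after the trigger is redirected are assumptions, and the event list is constructed.

```python
from dataclasses import dataclass

TRIGGER_PORTS = {135}        # watched at the ADSL termination point, per the post
BORDER_BLOCKED = {135, 445}  # dropped at the border routers, per the post

@dataclass
class Session:
    restricted: bool = False    # True once moved to the restricted path
    warn_pending: bool = False  # True until the warning page has been served

def handle(s: Session, ev: dict) -> str:
    """Apply the policy to one event and return the action taken."""
    if ev["kind"] == "reconnect":
        # Dropping and re-establishing the line returns the user to the normal pool.
        s.restricted = s.warn_pending = False
        return "normal-pool"
    proto, port, direction = ev["proto"], ev.get("dport"), ev["dir"]
    if direction == "in" and port in BORDER_BLOCKED:
        return "drop-at-border"
    if direction == "out" and port in TRIGGER_PORTS:
        s.restricted = s.warn_pending = True
        return "move-to-restricted-path"
    if s.restricted and proto == "icmp":
        return "drop-icmp"
    if s.warn_pending and proto == "tcp" and port == 80:
        s.warn_pending = False  # assumption: redirect is served once
        return "redirect-to-warning-page"
    return "forward"

def flow(proto, direction, dport=None):
    """Build one hypothetical flow event."""
    return {"kind": "flow", "proto": proto, "dir": direction, "dport": dport}

# Constructed event sequence for one subscriber session (not captured traffic).
EVENTS = [
    flow("tcp", "out", 80),    # ordinary browsing
    flow("tcp", "out", 135),   # the trigger
    flow("icmp", "out"),       # ping while restricted
    flow("tcp", "out", 80),    # next HTTP request
    flow("tcp", "out", 80),    # later HTTP request
    flow("tcp", "in", 445),    # inbound from another network
    {"kind": "reconnect"},
    flow("icmp", "out"),       # ping after reconnect
]

def replay(events):
    """Run the events through a fresh session and return the actions in order."""
    s = Session()
    return [handle(s, ev) for ev in events]

if __name__ == "__main__":
    for ev, action in zip(EVENTS, replay(EVENTS)):
        print(ev, "->", action)
```

In this model a single matching flow is enough to change the session state, and nothing but a reconnect clears it.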


 
 
Kris
Guest
Posts: n/a

 
      01-25-2004, 02:42 PM
Josh Berry writes:
> Just to clear up how we do this, the redbacks (that terminate our ADSL
> connections) look for any traffic on port 135. If anything is picked up you
> are moved into a restricted connection path which blocks ICMP traffic and
> the next http request you make re-directs you to the warning page.
>
> If you disconnect and reconnect you are put back into the normal connection
> pool, and providing you have fixed the problem you will not be blocked
> again. We have also blocked port 135 and 445 at our border routers (so
> people from other ISP's cannot infect people on our network).


Hmm. Should someone on plus.net be running an ftp server or any server
that can make outbound connections to client-specified ports, this has a
potential to be abused if someone really didn't like someone who
happened to be using plus.net.

Unlikely, but I thought I'd chip in anyway
 
 
Zapp Brannigan
Guest
Posts: n/a

 
      01-25-2004, 03:01 PM
Josh Berry wrote:

>>They are probably fed up with dealing with all the complaints.
>>Just a matter of setting up an intrusion detection system and linking
>>it up with the routers.
>>
>>It'd be good if Pipex could do the same.

>
>
> Just to clear up how we do this, the redbacks (that terminate our ADSL
> connections) look for any traffic on port 135. If anything is picked up you
> are moved into a restricted connection path which blocks ICMP traffic and
> the next http request you make re-directs you to the warning page.
>
> If you disconnect and reconnect you are put back into the normal connection
> pool, and providing you have fixed the problem you will not be blocked
> again. We have also blocked port 135 and 445 at our border routers (so
> people from other ISPs cannot infect people on our network).
>
> The measures were introduced when we worked out exactly how much bandwidth
> was being used up by the worm (a couple of percent - which is plenty when
> you consider that's for 10x155Mb pipes). I would guess that most of the
> larger ISPs (or those that use their own termination equipment anyway)
> could implement this if they wanted.
>
> Glad to see that you are impressed
>
> Regards,
>
> + ----
> | Josh Berry ....................Unmetered & ADSL solutions
> | Technical Support........................for Home & Business
> | PlusNet Technologies Ltd............@ http://www.plus.net
> + ---- My Referrals - It pays to recommend PlusNet ---+
>
>


I'm not 100% convinced that it does not report false alarms. I have
been redirected to the virus page a couple of times recently, and my
setup is 100% secure behind a NAT that blocks the offending ports. Or
it may be something in the Draytek router firmware that is triggering
this...
 
 
Mick
Guest
Posts: n/a

 
      01-25-2004, 03:17 PM

"Josh Berry" <(E-Mail Removed)> wrote in message
newswPQb.18919$(E-Mail Removed)...
> > They are probably fed up with dealing with all the complaints.
> > Just a matter of setting up an intrusion detection system and linking
> > it up with the routers.
> >
> > It'd be good if Pipex could do the same.

>
> Just to clear up how we do this, the redbacks (that terminate our ADSL
> connections) look for any traffic on port 135. If anything is picked up you
> are moved into a restricted connection path which blocks ICMP traffic and
> the next http request you make re-directs you to the warning page.
>
> If you disconnect and reconnect you are put back into the normal connection
> pool, and providing you have fixed the problem you will not be blocked
> again. We have also blocked port 135 and 445 at our border routers (so
> people from other ISP's cannot infect people on our network).
>
> The measures were introduced when we worked out exactly how much bandwidth
> was being used up by the worm (a couple of percent - which is plenty when
> you consider that's for 10x155Mb pipes). I would guess that most of the
> larger ISPs (or those that use their own termination equipment anyway)
> could implement this if they wanted.
>
> Glad to see that you are impressed
>
> Regards,
>
> + ----
> | Josh Berry ....................Unmetered & ADSL solutions
> | Technical Support........................for Home & Business
> | PlusNet Technologies Ltd............@ http://www.plus.net
> + ---- My Referrals - It pays to recommend PlusNet ---+
>

It would be nice if PlusNet answered sales support queries as quickly as
they responded to ng posts!


 
 
Pete Smith
Guest
Posts: n/a

 
      01-25-2004, 03:32 PM
In article <bv0qm6$lav$(E-Mail Removed)>, mick@city-
slickerNOSPAM.co.uk says...
>
> "Josh Berry" <(E-Mail Removed)> wrote in message
> newswPQb.18919$(E-Mail Removed)...
> > > They are probably fed up with dealing with all the complaints.
> > > Just a matter of setting up an intrusion detection system and linking
> > > it up with the routers.
> > >
> > > It'd be good if Pipex could do the same.

> >
> > Just to clear up how we do this,


[snip]

> >

> It would be nice if PlusNet answered sales support queries as quickly as
> they responded to ng posts!


You must have had a bad experience. They've always responded to mine within
hours, sometimes minutes.

Pete.

--
NOTE! Email address is spamtrapped. Any email will be bounced to you
Remove the news and underscore from my address to reply by mail
 