Recent Attacks & Attackers data
shows that attackers are scanning for port 6101/tcp -- a service which
was not blocked at the campus boundary. We assume the scans are
malicious and our best guess is the attackers are trying to find the
sometimes vulnerable Veritas Backup service. See SANS ISC Diary of
12-Jan-2005.
We are not aware of any Veritas Backup services on campus and are
not aware of any compromises. However, we are aware of compromises
involving other backup services.
Given that there is no requirement to expose the service to the
world and the attackers are showing a keen interest in finding these
servers, we've implemented an alarm to notify attackers (so the
attacker's ISP can invoke their acceptable use agreement) and we've
initiated discussions to block this port at the campus boundary.
A consensus has been reached that we ought to implement a strong
firewall that blocks all services with exceptions for only those
services that are required (see the work of the Firewall Working Group). Work
is underway to find the appropriate technologies.
Postscript
A proposal to block this port and others was circulated to CSAG and other interested groups on July 27/2005. The
proposal was discussed and approved at the CSAG meeting of August 3/2005.
Ports 2100/tcp (Oracle FTP), 6101/tcp (Veritas Backup) and 31337/tcp (a worm/virus backdoor) were blocked at the campus boundary with no exceptions requested on August 10, 2005.
Automated alarms notifying abuse@attacker-site were disabled August 24, 2005.