ITaP Administered Subnets and Purdue Campus Networks

Port Block Troubleshooting Guide

Overview
Beginning May 12th, ITaP will begin blocking direct access to MS-RPC and NetBIOS
network services from off campus on the following subnets:

Subnets not listed above will have the same border block implemented on May 26th.

ITaP implemented this change in order to stop a range of repeated attacks on ITaP
computing resources. As a result, legitimate off-campus users will need to use the
Purdue VPN service to access these ITaP subnets and services.

Technical Overview
NetBIOS is a network protocol used for communication between Microsoft Windows and
Samba hosts using SMB, or Server Message Block format. All of the remote shares such
as the 'H Drive', home directory, and some networked printers use this protocol to
communicate. In order to prevent constant scanning and attempted compromise of ITaP
machines through externally accessible NetBIOS services, and to prevent the large traffic
burden that these scans and attacks can cause, ITaP Telecommunications will block
access to the following network ports from the Internet. The following table describes
the ports to be blocked.

Port number      Protocol       Description
135, 593         TCP and UDP    Microsoft RPC
137, 138, 139    TCP and UDP    Microsoft NetBIOS
445              TCP and UDP    Microsoft Data Service

ITaP users will remain able to access shares on the campus network. Off-campus users will be able to access on-campus services via the Purdue VPN service. Blocking the ports listed above will prevent off-campus entities from accessing services via NetBIOS or Microsoft RPC on ITaP machines if the VPN service is not used.

Trouble Identification and Resolution
Due to the port block, off-campus users will need to change the way they access certain services by using the VPN service first. If the VPN is not used first, a user’s computer may experience the following symptoms:

If an off-campus user experiences these conditions when trying to access an ITaP machine on the subnets listed above, the problem can be solved by having them set up and use the Purdue VPN service on the machine trying to access these resources. Instructions for setting up the VPN service can be found at http://www.itap.purdue.edu/telecom/vpn.
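
One way to check from the affected machine whether the border block is the cause, as an added example that is not part of the original guide or an ITaP tool. It attempts a TCP connection to each port in the table above and separates silent drops from refusals; the verdict labels, the timeout and the host name in the usage comment are assumptions of this example.

```python
import socket
import sys

# TCP ports from the blocked-ports table in this guide. The block also covers
# UDP, which a connect() test cannot observe, so only TCP is probed here.
BLOCKED_PORTS = (135, 137, 138, 139, 445, 593)

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt as open, refused or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"            # handshake completed: path and service are up
    except socket.gaierror:
        raise                        # a DNS failure says nothing about the block
    except ConnectionRefusedError:
        return "refused"             # a reset came back: not silently dropped
    except OSError:
        return "filtered"            # timeout or unreachable: dropped on the path

def diagnose(results):
    """Map {port: state} to a verdict (labels are this example's own)."""
    states = set(results.values())
    if "open" in states:
        return "reachable"           # at least one service answers: not blocked
    if "refused" in states:
        return "not-dropped"         # packets get an answer: check the server side
    return "blocked-or-down"         # silence on every port: connect the VPN, retry

if __name__ == "__main__":
    # Hypothetical usage: python portcheck.py fileserver.example.edu
    target = sys.argv[1]
    results = {p: probe(target, p) for p in BLOCKED_PORTS}
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
    print("verdict:", diagnose(results))
```

Run it once without the VPN and once with the VPN connected: a verdict that changes from `blocked-or-down` to `reachable` points to the border block rather than a fault on the server.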

Users with further questions about this change and its effects may contact itapsecurityhelp@purdue.edu.

Additional Tools
Purdue’s Computer Science department has created a split-tunneling VPN connection
tool which allows traffic meant for Purdue’s subnets to be routed to Purdue while traffic
meant for non-Purdue hosts will be routed through your normal connection. This
software and associated support documents can be found at:

http://www2.cs.purdue.edu/help/vpn/