[Dshield] mail1.giac.net spamcop listed]

Al Reust areust at comcast.net
Tue Dec 16 06:16:00 GMT 2003

Hello All

SCRAPE, as I drag out the Soap Box

I partially agree, there is one thing that I do not agree on. I can see No 
Reason that NetBIOS over TCP/IP is ever Good! That allows a remote user to 
do silly thing like enumerate user accounts and password age etc.. That is 
why we block 135, 137~139, 445 and more at the Firewall.

A statement of what "services" are blocked and various ports associated for 
a User or a Small Business that are purchasing connectivity should be in 
terms of the service agreement. The User expects to be "automatically 
protected," they are upset when they are not. They thought they were 
automatically. One of the recent "complaints" are ISP's are not proactive 
and allow bad things through. Which side are we on?

* If All ISP's blocked just NetBIOS over TCP/IP the script kiddies would 
have to get more knowledgeable and creative. No More browsing the Network 
Neighborhood no matter which ISP.
* If All ISP's blocked most other ports to Dialup that could get a user in 
trouble a large number of "Us" or Virus Companies etc.. would not be needed.
* If All ISP's tailored require ports to what the Small Business needed we 
would not see various things happening are happening today.
* If all ISP's only accepted port 25 connections to the local mail server 
from a directly connected IP host, or other allowances via IP only then 
SPAM would not happen.
* If all ISP's did all of the Above we would not have seen 
Blaster/derivatives and MS would not have had to patch the OS or several 
other things that are allowed, because of the current state of the World/OS's.

The World could have gone on in that "ignorant state of bliss," as it was 
before people found out you really could do things with/across Just TCP/IP 

So an appropriate Statement would be, this is done in "Your Protection" and 
if You have requirements that require other network services we will be 
happy to discuss and accommodate. Our goal is to provide the Safest, most 
complete services that we can. Then discuss what comes to "our" level of 
expertise. "We" then mitigate what needs to happen. Everyone knows after 
that discussion.

So we are now stuck, with building Routers that can block large portions of 
the world and still let script kiddies attempt to break the local 
"administrator" password (NetBIOS derived) on someone else's computer 
across networks.. Then they plant things that make all our lives miserable. 
While "We" are still putting Pressure on ISP's to protect us.. Why?

Lets get "our" stories straight. If we offer a recommendation to block 
these ports and why then  accommodate the "risks" for small business, it 
all can be accommodated/mitigated. But the information has to be 
intelligently presented.

Otherwise we all need to get an AOL 9.0 Account (they are violating 
everything).. If you believe their advertisements it is now the Safest, 
most Sanitized Internet.. and You do not know what they doing... See 
precious threads.. LOL..

Scrape as the soap box goes back into the closet..



If You have a tirade then you are welcome to send me offline.  It any of 
this strikes sense in what we have discusses in the over last few months. 
Then discuss it.

At 06:02 PM 12/15/2003 -0500, you wrote:
>On Mon, 2003-12-15 at 16:36, David Hart wrote:
> >
> > Certainly not. I have most of Asia whacked.
>I totally agree. The way I explain it in SANS T2 is this:
>You have a number of internal systems that have NetBIOS/IP, SMB/IP, FTP,
>etc. etc. open. Since your company has chosen not to do business with
>those services over the Internet, they have also chosen not to assume
>the risk of exposing those ports to the Internet. Thus a firewall gets
>installed to block access to these ports.
>Blocking subnets is the same line of thought. If you are not doing
>business with countries in RIPE or APNIC blocks, why expose yourself to
>the risk of attack from those subnets?
> >  However, that's a decision
> > made for my small firm. Verizon (our ISP) has no right to to make those
> > assumptions for their customer base.
>Agreed. In fact I would extend that into the port realm as well. An ISP
>that blocks ICMP, NetBIOS, etc. _without_ a written agreement with their
>clients is doing them a dis-service. IMHO someone needs to get sued over
>it before things get better.
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 

More information about the list mailing list