[Dshield] NetBIOS/IP was: mail1.giac.net spamcop listed]

Chris Brenton cbrenton at chrisbrenton.org
Tue Dec 16 18:49:04 GMT 2003

On Tue, 2003-12-16 at 01:16, Al Reust wrote:
> SCRAPE, as I drag out the Soap Box


> I partially agree, there is one thing that I do not agree on. I can see No 
> Reason that NetBIOS over TCP/IP is ever Good! That allows a remote user to 
> do silly things like enumerate user accounts and password age etc. That is 
> why we block 135, 137~139, 445 and more at the Firewall.

I think we can all agree that NetBIOS/IP is a crummy protocol per the
way MS implemented it. I'm not saying it can be used securely. 

What I am saying is that if you sign up for unfettered Internet access,
you expect to receive full Internet access. Good idea or bad, there are
companies that have built a business model off of passing NetBIOS/IP, MS
SQL, Echo-Request, etc. packets across the Internet. When an ISP makes
the decision to block access to these services, they are effectively
taking money out of the pockets of their customers.

Now, if the ISP has an SLA that states "You can't use NetBIOS/IP", and
they block it from day 1, that's a different story. My issue is with an
ISP making a decision that will affect their customers, without regard
to that customer's business model.

BTW, I speak from experience. I used to be CSO for an ISP that had an
SLA describing what services were not permitted. We used to make sure
clients knew what they were signing before they inked for service.

> A statement of what "services" are blocked and various ports associated for 
> a User or a Small Business that are purchasing connectivity should be in 
> terms of the service agreement.

I totally agree that if they have done this, life is cool. The issue is
when the service is available, the customer is free to build a business
model on it, and then the ISP later decides to block it.

> The User expects to be "automatically 
> protected," they are upset when they are not. They thought they were 
> automatically. One of the recent "complaints" is that ISPs are not proactive 
> and allow bad things through. Which side are we on?

It's a user education thing. An ISP's job is to carry traffic. The OS's job
is to be resilient to attack. IMHO I think the problem is people are
sick of being ignored by MS on security issues, so they are just lashing
out however they can. If my neighbor is blaring their stereo so loud
that no one in the neighborhood can hear themselves think, it's not the
electric company's fault.

> * If All ISPs blocked just NetBIOS over TCP/IP the script kiddies would 
> have to get more knowledgeable and creative. No More browsing the Network 
> Neighborhood no matter which ISP.

My issue is it's a slippery slope. Where do you stop? Certainly you have
to add Telnet and FTP to that list because they are clear text
protocols. Finger allows you to enumerate info just like NetBIOS, so
let's add that one in as well. Since viruses are propagated via SMTP,
that has to go. There are also many HTTP-based attacks so let's nuke
that port. Pop-ups on 1026-1035? Let's block those as well. The list can
go on and on and on...

> * If all ISPs only accepted port 25 connections to the local mail server 
> from a directly connected IP host, or other allowances via IP only then 
> SPAM would not happen.

So AT&T, MCI and Sprint should now force all their clients to go in and
out through their mail servers???? I give that model an hour before it
falls apart. ;-)

> * If all ISPs did all of the Above we would not have seen 
> Blaster/derivatives and MS would not have had to patch the OS or several 
> other things that are allowed, because of the current state of the World/OS's.

Yup, poor Microsoft. All they did was ignore the many people that for
years now have been screaming that they have an insecure model and need
to change it. This is _exactly_ what I was saying above. People have
become so accepting of MS OSs being insecure, that fixing the problems
now becomes the responsibility of someone else, like Internet service

> The World could have gone on in that "ignorant state of bliss," as it was 
> before people found out you really could do things with/across Just TCP/IP 
> connections.

errr, no. I know that is the _MS_ way of looking at things, but reality
looks a bit different. For example, MS SQL is blocked at most corporate
perimeters but even still it was a problem. MS blocks it at their border
and still had their network taken out by it. Blocking ports is _not_ a
cure-all. It's a layer in the defense and at best helps to slow an
infection. You have to actually fix the problem to really be safe.

