[Dshield] should ISPs close ports (was: Windows Messenger Popup Spam on UDP Port 1026)

Johannes Ullrich jullrich at euclidian.com
Mon Jun 23 11:40:54 GMT 2003

> ok, it's Monday I'll throw in another 0,02?
> knout, petard - what next ??

ok. Having gone through one set of asbestos underwear while reading the
comments to my first post, I can't help but come back to ask for more.

I think one has to distinguish between what I call "home users" and
"professional users". A home user is essentially identified by having
no professional sysadmin at their side to maintain systems. A lot of
small businesses fall into this category as well. A professional is a
company (or home user) who knows about system configuration and basic
security policies.

It was mentioned that blocking certain ports will interfere with running
some common applications. The most problematic is probably SMTP. One
argument (from memory, not copy/pasted) was that an ISP should rather
get a well-working abuse department than take the cheap way out and
block ports.

In my opinion, this is a good argument, if you are willing to pay for
the abuse department. It is quite expensive to run a decent abuse
department (hire people who can read firewall logs, have them contact
end users ...).

So by blocking a few ports (I only advocate 135-139 and 445 at this
point), an ISP can eliminate 80% of the "abuse" at a reasonably small
cost. The abuse department will now be able to deal with the remainder
on a per-user basis. ISPs already offer "business accounts" which are
usually not filtered, or even provide some customized filtering to meet
your needs. Sure, they cost more, but somehow an ISP has to find a way
to pay for all the extra service.

I do not advocate blocking ports anywhere at the backbone. The filters
should be applied as close to the end user as possible. 

My dream: An ISP that by default closes all ports, and has a little
web based test to check your "security skillz". The higher your score,
the more ports will open up ;-).

Current situation: One of my ISPs did set up my DSL router with default
passwords (and kind of yelled at me when I called support once and they
found I had changed it). They never offered any advice (not even a simple
web page) on how to use the firewall built into the device.

(BTW: regarding the asbestos comment: I am actually pleased with the
tone of the replies. While some of them didn't like my opinion, everyone
stuck to technical arguments and didn't resort to simple "flaming".)
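
The filter the post above argues for, as an added worked example that is not part of the original message or of anything DShield published: a small model of a stateless access list applied only on the customer-facing edge (never on a backbone link), dropping just TCP/UDP 135-139 and 445 and leaving everything else, SMTP and the UDP 1026 Messenger spam from the thread's subject included, to the abuse desk. The flow-record format, the interface names ("edge"/"core"), the addresses and the six sample records are all constructed for the example; the iptables renderer at the end uses real `multiport` syntax but the interface name `ppp0` is an assumption.

```python
"""Model of an ISP edge port filter (added example, not the original post's code).

Policy, as advocated in the post: block TCP and UDP destination ports
135-139 and 445 on customer-facing ("edge") interfaces only; do nothing
on backbone ("core") links; leave every other port open so SMTP and the
like keep working and the abuse desk handles what remains.
"""
from dataclasses import dataclass

BLOCKED_PORTS = set(range(135, 140)) | {445}   # 135,136,137,138,139,445
BLOCKED_PROTOS = {"tcp", "udp"}


@dataclass(frozen=True)
class Flow:
    iface: str   # "edge" = customer-facing port, "core" = backbone link (assumed labels)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def edge_filter(flow: Flow) -> str:
    """Return 'drop' or 'accept' for one flow under the post's policy.

    Matching on the destination port regardless of direction covers both a
    worm scanning out from a customer and scans coming in to the customer.
    """
    if flow.iface != "edge":
        return "accept"                       # no filtering at the backbone
    if flow.proto in BLOCKED_PROTOS and flow.dport in BLOCKED_PORTS:
        return "drop"
    return "accept"


def parse_flow(line: str) -> Flow:
    """Parse the constructed record format: 'iface proto src:sport -> dst:dport'."""
    iface, proto, src, _arrow, dst = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(iface, proto, src_ip, int(sport), dst_ip, int(dport))


# Constructed sample records (RFC 5737 addresses), not real traffic.
SAMPLE_FLOWS = """\
edge tcp 10.0.0.5:3121 -> 198.51.100.20:445    # SMB scan out of a customer: dropped
edge udp 203.0.113.9:1026 -> 10.0.0.5:1026     # Messenger popup spam: NOT in the list, reaches abuse desk
edge tcp 10.0.0.5:1500 -> 192.0.2.25:25        # SMTP: left open
core tcp 10.0.0.5:3122 -> 198.51.100.21:139    # same scan seen on a backbone link: not filtered there
edge udp 10.0.0.5:137 -> 10.0.0.255:137        # NetBIOS name service broadcast: dropped
edge tcp 10.0.0.5:3123 -> 198.51.100.22:135    # RPC endpoint mapper scan: dropped
"""


def summarize(text: str):
    """Apply edge_filter to every record; return (verdict counts, dropped dport counts)."""
    counts = {"drop": 0, "accept": 0}
    dropped_ports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip trailing comments
        if not line:
            continue
        flow = parse_flow(line)
        verdict = edge_filter(flow)
        counts[verdict] += 1
        if verdict == "drop":
            dropped_ports[flow.dport] = dropped_ports.get(flow.dport, 0) + 1
    return counts, dropped_ports


def iptables_rules(iface: str = "ppp0"):
    """Render the same policy as Linux iptables FORWARD rules for one edge interface.

    One rule per direction (-i / -o) and protocol; `multiport` accepts the
    135:139 range plus 445 in a single --dports list.
    """
    ports = "135:139,445"
    rules = []
    for direction in ("-i", "-o"):
        for proto in sorted(BLOCKED_PROTOS):
            rules.append(
                f"iptables -A FORWARD {direction} {iface} -p {proto} "
                f"-m multiport --dports {ports} -j DROP"
            )
    return rules


if __name__ == "__main__":
    counts, by_port = summarize(SAMPLE_FLOWS)
    print("verdicts:", counts)            # {'drop': 3, 'accept': 3}
    print("dropped by dport:", by_port)   # {445: 1, 137: 1, 135: 1}
    print("\n".join(iptables_rules()))
```

Half of the constructed records are dropped at the edge and the other half, including the Messenger spam on UDP 1026 and the backbone copy of the SMB scan, pass through; that second half is exactly the per-user work the post leaves to the abuse department.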
