[Dshield] should ISPs close ports (was: Windows Messenger Popup Spam on UDP Port 1026)

Ed Truitt ed.truitt at etee2k.net
Mon Jun 23 14:17:40 GMT 2003

----- Original Message ----- 
From: "Johannes Ullrich" <jullrich at euclidian.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Monday, June 23, 2003 6:40 AM
Subject: [Dshield] should ISPs close ports (was: Windows Messenger Popup
Spam on UDP Port 1026)
> I do not advocate blocking ports anywhere at the backbone. The filters
> should be applied as close to the end user as possible.

But, that is exactly where I WOULD block 135, 137-139, and 445 - at the
border, where the ISP connects to the backbone.  I still maintain that
NetBIOS is not appropriate for the Internet, it was not designed with the
Internet in mind (I used to help admin an IBM LAN Server network, and
remember the hoops we had to jump through to connect 2 sites - forget about
connecting 3!), that it belongs on a LAN.

> My dream: An ISP that by default closes all ports, and has a little
> web based test to check your "security skillz". The higher your score,
> the more ports will open up ;-).

Hmmm, interesting idea... but, the questions would have to be relevant to
the ports you wanted open (for example, to open Port 25, you would have to
answer questions about how to close an open relay in your MTA of choice -
and if you replied "What's an MTA?" you would automatically fail).

> Current situation: One of my ISPs did set up my DSL router with default
> passwords (and kind of yelled at me as I called support once and they
> found I changed it). They never offered any advice (not even a simple
> web page) on how to use the firewall built into the device.

Mine told me NOT to use the built-in firewall.  I chose not to listen to
them, blocked the NetBIOS ports, and 5 minutes later the router quit passing
traffic.  I then realized why they didn't support the firewall in the
router - it was pure garbage.  So, I run my own.  IPTABLES scripts copy
between systems SO easily :-)

> (BTW: regarding the asbestos comment: I am actually pleased with the
> tone of the replies. While some of them didn't like my opinion, everyone
> stuck to technical arguments and didn't resort to simple "flaming".)

I agree.  You're welcome.  Oh, BTW (shameless plug time):  any chance of
getting a SANS conference (live) in Houston later this year?

Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

