[Dshield] should ISPs close ports (was: Windows Messenger Popup Spam on UDP Port 1026)

Stephane Grobety security at admin.fulgan.com
Mon Jun 23 16:15:46 GMT 2003


MT> The problem with all this stuff is the definition of the border.
MT> The border, whether its at the co-lo or a commercial IP, is the
MT> public IP(s) that is/are assigned by the ISP. The border is not
MT> the ISPs gateway. As soon as an ISP starts to filter any ports at
MT> their gateway, they no longer offer Internet access to any of the
MT> filtered IPs, and essentially nullify all of their contracts with
MT> their IP subscribers.

Uh ?? What are you talking about ?? You seem to be mixing the problem
of defining a border and the problem of filtering a port to a selected
range of users.

First, filtering port is in no way a failure to provide access to
Internet. If your contract doesn't specfically states that you have a
full, infiltered access to all of the public IP range, then it's still
valid. In fact, any contract that have such a close would be invalid
since you'll be filtered at the borders of other networks.

Second, defining borders might be non trivial (depending on your
definition of "broder" and the topology of your network), but setting
up such "protective port filtering" is, in effect, very easy: you
simply have to identify the range of IPs that must be protected
(should be very easy) and apply the necessary ACLs on the POPs
routers.

MT> If ISPs want to filter at their gateways, they need to make this
MT> absolutely clear to all of their clients, and they should not be
MT> allowed to market "Internet Access".

Why would they ? They are offering you a service that is defined in a
document called "Service agreement". If you haven't read it before you
signed for it, then the fault is your's. In any case, I don't think
you'll ever find an ISP that is foolish enough to offer you what you
are apparently asking for: a written contract where they guarantee you
a full, unfiltered access to the whole public IP range.
 
MT> Filtering a single port, or a group of them, to permanently
MT> address a problem is still just a workaround.

Now, that's partially true. The problem is: until IPv6 is in place or
until everyone uses IPSec for everyting, it's the only reasonable way
to solve the problem at hand.

MT> Its like building a door in a desert without a wall. Someone can
MT> easily go around it.

Uh ?? Filtering a well known port to prevent it to be abused is a very
effective way to solve a category of problem. In our case, filtering
NetBIOS ports and several common RPC ports (The UDP 1026 that started
the thread) will, in effect, prevent the abuse. It doesn't prevent
NetBIOS traffic from being tunnelled, explicitly, by another channel
(VPN) but it prevent it to be used without some specific arrangement
between both interested parties (which is just fine).

MT> That being said, ISPs that filter 1 port, will naturally filter
MT> more over time, making the Internet a really frustrating place to
MT> work & play.

What are you basing this affirmation on ? You really sound as if you
think that your ISP has any advantage at annoying you. They don't.
What they should be able to do, however, is protect Mr John "Clueless"
Doe against the basic problems linked with a connection to Internet.

MT> Every port, TCP, UDP, whatever, is used for valid 
MT> purposes.

This statement makes no sense. On my internal network, the NetBIOS
traffic is perfectly legal. Yet, it isn't allowed to cross the borders
of my organization without being encapsulated into a VPN layer. That
is basic security. Now, this is not the same situation as an ISP but
it's very similar in the sense that some services using TCP/IP as a
transport mechanism and using a mechanism used as "well known port"
should be allowed on the local network and should be disallowed on a
wider scale because they are dangerous to the most fragile population
of Internet: the non computer savvy users.

MT> None of them should be discarded because of a single vendor or
MT> service causing a pile of problems (cough MS).

Wrong again. You might kick and scream for "a perfect world" where
every protocol is fully described by a RFC and where it's securely
supported by many different vendors on machines that are setup by
users that know what they are doing but it won't change the reality:
90+% of the machines connected to the net are variations of Windows
and a good 80 to 90% of the users behind these machines have never
HEARD about "UDP".

Sorry, but we aren't living in the

MT> IMO, the suck of worms & spam does not outweigh the kickass of
MT> freedom.

What kind of statement is that ? You want to make "freedom" equal
"unrestrained liberties". It ain't so but in an ideal world populated
by perfect people. On this earth, we still need rules, laws and
way to enforce them.


MT> ::ducks and runs for cover:: 

*grenade!!!*

-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com




More information about the list mailing list