[Dshield] should ISPs close ports (was: Windows Messenger Popup Spam on UDP Port 1026)

Dietmar Goldbeck goldbeck at e-trend.de
Mon Jun 23 16:50:04 GMT 2003

On Mon, Jun 23, 2003 at 07:40:11AM -0400, Johannes Ullrich wrote:
> I do not advocate blocking ports anywhere at the backbone. The filters
> should be applied as close to the end user as possible. 

I don't think this is technically feasible.  Business Users,
Professional Users and users with no security knowledge often use the
same dial-in and DSL ports.  Larger dial-in equipment is often
directly connected to backbone/distribution routers.

You have to maintain very complex access lists on either
the dial-in equipment or the last router in front of it.

I doubt anyone would like to maintain those lists. And router performance
would suffer too. 

> My dream: An ISP that by default closes all ports, and has a little
> web based test to check your "security skillz". The higher your score,
> the more ports will open up ;-).

Here in Germany the same account can be used for DSL, ISDN and analog
dial-in. Your dream would mean having the access lists roam
throughout the country and even between the different equipment for
dial-in and DSL.

> Current situation: One of my ISPs did set up my DSL router with default
> passwords (and kind of yelled at me as I called support once and they
> found I changed it). They never offered any advice (not even a simple
> web page) on how to use the firewall built into the device.

I doubt it would get better when your dream goes into production; I
would expect the same guys maintaining your router to work on the access lists:

- Monday I cannot use mail (typo in the access list)
- Tuesday DNS broke down   (UDP is connectionless, a very malicious protocol)
- Wednesday HTTP is restricted to tcp/80. (https and all other ports
            closed to improve security)
- Thursday I cannot read my mail, thousands of messages come in.
            (most technical lists are filled with flamewars on ISPs :-))
- Friday the backbone of my ISP is broken. They filtered telnet and
         locked themselves out of some important router several hundred
         miles away.

> (BTW: regarding the asbestos comment: I am actually pleased with the
> tone of the replies. While some of them didn't like my opinion, everyone
> stuck to technical arguments and didn't resort to simple "flaming".)

OTOH there are ISPs today doing filtering and violating RFCs.
There are massive problems with PMTUD, caused by ICMP filtering.
And an awful lot of firewalls still drop TCP SYN packets with ECN set.

If you get a lot of complaints from people
unable to visit www.dshield.org, how do you debug these problems?

Don't tell me traceroute, that's filtered ...

Actually, filtering of incoming SYN packets would have saved several
users' data. I really _like_ your idea; I don't think it is feasible and
inexpensive on a larger scale.
