[Dshield] should ISPs close ports (was: Windows Messenger Popup Spam on UDP Port 1026)

Mark Tombaugh mtombaugh at alliedcc.com
Tue Jun 24 00:59:16 GMT 2003

> Uh ?? What are you talking about ?? You seem to be mixing the problem
> of defining a border and the problem of filtering a port to a selected
> range of users.

Calm down, let me explain. If you have any questions, feel free to ask, use as 
many question marks as it takes.

Take a look at the conversation between Ed & Johannes:

Johannes: "I do not advocate blocking ports anywhere at the backbone. The 
filters should be applied as close to the end user as possible."

Ed: "But, that is exactly where I WOULD block 135, 137-139, and 445 - at the
border, where the ISP connects to the backbone."

The "border" is being used in Ed's posts, as the point where filtering should 
occur. He defines the border at the top, at the ISPs pipe. I define it at the 
bottom, the IP, or range, that the ISP assigns to the customer. Johannes is 
objective enough not to offer a precise definition, but clearly disagrees 
with me, and somewhat agrees with Ed. 

> First, filtering port is in no way a failure to provide access to
> Internet. If your contract doesn't specifically state that you have a
> full, unfiltered access to all of the public IP range, then it's still
> valid. In fact, any contract that has such a clause would be invalid
> since you'll be filtered at the borders of other networks.

Filtering ports is in every way failure to provide access to the Internet, 
that's what filtering ports does, denies access. Internet access is not 1 
single port from 1 single protocol, it's all of them together. Not all of them 
minus one or two, ALL of them.

> Second, defining borders might be non trivial (depending on your
> definition of "border" and the topology of your network), but setting
> up such "protective port filtering" is, in effect, very easy: you
> simply have to identify the range of IPs that must be protected
> (should be very easy) and apply the necessary ACLs on the POPs
> routers.

I thought you didn't see the correlation between defining the border and 
filtering ports, now you're explaining it... and I even agree, it's really easy 
to filter the ports. That doesn't make it right.

> MT> If ISPs want to filter at their gateways, they need to make this
> MT> absolutely clear to all of their clients, and they should not be
> MT> allowed to market "Internet Access".
> Why would they ? They are offering you a service that is defined in a
> document called "Service agreement". If you haven't read it before you
> signed for it, then the fault is yours. In any case, I don't think
> you'll ever find an ISP that is foolish enough to offer you what you
> are apparently asking for: a written contract where they guarantee you
> a full, unfiltered access to the whole public IP range.

> MT> Filtering a single port, or a group of them, to permanently
> MT> address a problem is still just a workaround.
> Now, that's partially true. The problem is: until IPv6 is in place or
> until everyone uses IPSec for everything, it's the only reasonable way
> to solve the problem at hand.

I disagree. I think a reasonable way to solve the problem at hand is to 
address it honestly. The problem at hand has nothing to do with TCP/IP & the 
structure of the Internet, or the way ISPs offer their service. Yet, all of 
the solutions being offered here, other than Joe's instructions on how to 
turn off Windows Messenger, involve making changes to these things. Why isn't 
the Windows Messenger service being addressed as the source of the problem, 
and the ultimate solution? The same with NetBIOS. I'd like to think that 
accountability is still within reason. That being said, users of systems that 
are not affected by this problem should in no way be adversely affected by 
its solution.

> MT> Its like building a door in a desert without a wall. Someone can
> MT> easily go around it.
> Uh ?? Filtering a well known port to prevent it to be abused is a very
> effective way to solve a category of problem. In our case, filtering
> NetBIOS ports and several common RPC ports (The UDP 1026 that started
> the thread) will, in effect, prevent the abuse. It doesn't prevent
> NetBIOS traffic from being tunnelled, explicitly, by another channel
> (VPN) but it prevent it to be used without some specific arrangement
> between both interested parties (which is just fine).

Bingo. "It doesn't prevent NetBIOS traffic from..." you said it. When both 
interested parties are a virus and an infected host your filtering goes out 
the window.

> MT> That being said, ISPs that filter 1 port, will naturally filter
> MT> more over time, making the Internet a really frustrating place to
> MT> work & play.
> What are you basing this affirmation on ? You really sound as if you
> think that your ISP has any advantage at annoying you. They don't.
> What they should be able to do, however, is protect Mr John "Clueless"
> Doe against the basic problems linked with a connection to Internet.

I have so much faith in John "Clueless" Doe. I wish more people did. Mr 
Clueless didn't create Code Red & Nimda, Mr Cluefull did, when he released 
IIS 5.0. 

> MT> Every port, TCP, UDP, whatever, is used for valid
> MT> purposes.
> This statement makes no sense. On my internal network, the NetBIOS
> traffic is perfectly legal. Yet, it isn't allowed to cross the borders
> of my organization without being encapsulated into a VPN layer. That
> is basic security. Now, this is not the same situation as an ISP but
> it's very similar in the sense that some services using TCP/IP as a
> transport mechanism and using a mechanism used as "well known port"
> should be allowed on the local network and should be disallowed on a
> wider scale because they are dangerous to the most fragile population
> of Internet: the non computer savvy users.

Agreed, that doesn't make a whole lot of sense. My point is that the 
flexibility of the Internet is appreciated. I guarantee there are people 
offering legitimate services on famous problem ports, tcp17300 for example, 
and this should be respected a million more times than the virus itself. My 
statement should have read "Every port on every protocol _can_ be used for 
valid purposes". I'm not sure how your VPNs come in to play here. The fact 
that you know how to configure a VPN makes you no less fragile than anyone 
else on the Internet. VPN routers are sold off the shelf, "fragile" people 
buy them.

> MT> None of them should be discarded because of a single vendor or
> MT> service causing a pile of problems (cough MS).
> Wrong again. You might kick and scream for "a perfect world" where
> every protocol is fully described by a RFC and where it's securely
> supported by many different vendors on machines that are setup by
> users that know what they are doing but it won't change the reality:
> 90+% of the machines connected to the net are variations of Windows
> and a good 80 to 90% of the users behind these machines have never
> HEARD about "UDP".

This is wrong? You honestly think it's right that the problems of Microsoft (or 
anyone for that matter) land at everybody else's doorstep? I don't, nor do I 
think the solutions to these problems should affect anyone but the people 
exhibiting symptoms of the problem itself. 

> MT> IMO, the suck of worms & spam does not outweigh the kickass of
> MT> freedom.
> What kind of statement is that ? You want to make "freedom" equal
> "unrestrained liberties". It ain't so but in an ideal world populated
> by perfect people. On this earth, we still need rules, laws and
> way to enforce them.

It's a comparative statement, and you addressed it completely out of context. 
All I'm saying is that by chipping away at the free nature of the Internet by 
advocating filtering by the ISP will only make it worse. If the solution 
means filtering ports, by all means leave it up to the end user. 

> MT> ::ducks and runs for cover::
> *grenade!!!*

Next time, make sure to pull the pin.
