[Dshield] How do we encourage ISPs to do ingress and egress filtering?

Chris Brenton cbrenton at chrisbrenton.org
Tue Nov 4 19:02:58 GMT 2003


On Tue, 2003-11-04 at 11:19, Bjorn Stromberg wrote:
>
> I should have couched my term a bit better, "Emergency Packet Filtering" I
> am thoroughly against my ISP restricting my port usage. If they're blocking
> port 135 for a week to keep it off their network while the latest worm is
> killing kittens I'm all for that. I think responsible short term port
> blocking is a valid response to short term problems, but definitely not the
> answer to our problems.

First, just to be clear, I assume you are not running 135 over the
Internet, correct? So to say you have no problem with that really means
it would not affect you.

So what happens when the ISP decides that an SSH vulnerability is
running rampant and they need to block that for a few weeks? What if it's
IPSec? SMTP? HTTP?

Short term port blocking might be valid, but it's certainly not
effective. My upstream was one of the ISPs that started blocking 135
during the last go around. While this blocked new instances of the worm
from coming in, the worm was already happily propagating from client to
client behind their filters. So while this may have slowed the worm down
slightly, it certainly did not stop it. How many fully firewalled
environments got hit?

Again, the "problem" here is you are going after a symptom, not the real
problem, which is that it's too hard for many users to stay up on patches
and keep their systems secure.

> My father's ISP started using SpamAssassin about a week ago. The first
> e-mail I received from him had a SpamAssassin header indicating that the
> message my father sent me was probably spam and it had a score of 1.6/5.0 I
> still received the e-mail and there was nothing wrong with it besides having
> a gigantic header. I think that this approach is a good way to handle the
> spam issue and I think the same could be applied to virii.

At least with SpamAssassin they are trying to do it right. I remember a
few ISPs a while back started filtering all e-mails that had a subject
line of "Hi" because this was used by a single virus strain. :(

> I would welcome my ISP to rank my incoming e-mail on its spamminess and
> notify me if one was infected by a virus. As long as it was in addition to
> the mail. Don't take anything out of my e-mail, just add a little notice of
> spamminess or infection along with the mail.

Of course the problem there is users will find a way to shoot themselves
in the foot (sure it says its a virus but it might be a picture of
Britney naked!!!! ;)

Like the port filtering, I think this is cool provided that there is a
way to opt in or out and we don't have it shoved down everyone's throat.
We already have too many rules in life that are based on the lowest
common denominator.

> > Are you sure you don't mean ingress?
> 
> I totally borked that up, yeah, I switched ingress and egress :(

No worries dude. I actually did the same thing when I first wrote that
Egress paper you pointed out. ;-)

> I don't think there will ever be a point where enough people are asking
> about ingress and egress filtering for it to make the slightest effect on
> the ISP's wallet.

Don't be so sure. I used to own a company a while back that was a secure
Internet provider. Clients paid a premium for me to run/augment their
perimeter security. It was not all that hard to show people it was a
cost effective idea.

So there is still hope...

HTH,
C
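Added example, not part of the original message or of anything the posters wrote: a small model of the ingress and egress filtering the thread is arguing ISPs should deploy (drop traffic from a customer link whose source address is not assigned to that link, drop traffic leaving the ISP with a source that is not the ISP's own, and drop traffic arriving from upstream that claims an internal source), plus the temporary, opt-out-able port block discussed above. The prefixes, customer link names, the emergency block list and the sample packets are all constructed for illustration.

```python
# Added example (not from the original thread): BCP 38-style ingress/egress
# filtering at an ISP edge, modelled in Python so it can be run offline.
# All prefixes, link names and packets below are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Constructed topology: the ISP's own aggregate and two customer links
# carved out of it.
ISP_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/26")],
    "cust-b": [ipaddress.ip_network("198.51.100.64/26")],
}

# The "emergency packet filtering" case from the thread: a temporary block
# on one port, with a per-customer opt-out (constructed policy).
EMERGENCY_BLOCKS = {("tcp", 135)}
OPTED_OUT = {"cust-b"}


def _in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def customer_ingress_filter(link, pkt):
    """Packet arriving from a customer link into the ISP core.

    Anti-spoofing: the source must be an address assigned to that link.
    Then apply the temporary port block unless the customer opted out.
    Note the limitation raised in the thread: traffic between two hosts on
    the same customer link never crosses this filter at all.
    """
    if not _in_any(pkt.src, CUSTOMER_PREFIXES[link]):
        return "drop: spoofed source"
    if (pkt.proto, pkt.dport) in EMERGENCY_BLOCKS and link not in OPTED_OUT:
        return "drop: emergency port block"
    return "accept"


def egress_filter(pkt):
    """Packet leaving the ISP toward its upstream.

    The source must be one of the ISP's own prefixes, so spoofed packets
    that somehow got past a customer-facing filter still do not leave.
    """
    if not _in_any(pkt.src, ISP_PREFIXES):
        return "drop: source not ours"
    return "accept"


def upstream_ingress_filter(pkt):
    """Packet arriving from the upstream (the Internet side).

    Nothing legitimate on the Internet side carries one of our own source
    addresses, so such packets are spoofed and dropped.
    """
    if _in_any(pkt.src, ISP_PREFIXES):
        return "drop: external packet claims internal source"
    return "accept"


if __name__ == "__main__":
    samples = [
        ("cust-a", Packet("198.51.100.5", "203.0.113.9", "tcp", 80)),
        ("cust-a", Packet("192.0.2.7", "203.0.113.9", "tcp", 80)),
        ("cust-a", Packet("198.51.100.5", "203.0.113.9", "tcp", 135)),
        ("cust-b", Packet("198.51.100.70", "203.0.113.9", "tcp", 135)),
    ]
    for link, pkt in samples:
        print(link, pkt.src, pkt.dport, "->", customer_ingress_filter(link, pkt))
    print("egress", egress_filter(Packet("10.0.0.1", "203.0.113.9", "udp", 53)))
    print("upstream", upstream_ingress_filter(
        Packet("198.51.100.5", "198.51.100.70", "tcp", 22)))
```

The three functions are the three places a real deployment would put access lists: customer-facing interfaces, the transit uplink outbound, and the transit uplink inbound. The port block lives only on the customer-facing side and is keyed per customer, which is the opt-in/opt-out arrangement the message asks for; it does nothing for a worm already spreading between hosts behind the same filter, which is the point made above about port 135.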
