[Dshield] paper about port blocking
kaos at earthlink.net
Wed Sep 3 20:52:39 GMT 2003
Jonathan Rickman wrote:
> I have a problem with this approach at a fundamental level. I pay my
> ISP for a connection to the Internet, not the WWW. It is not their
> place to determine how I use that connection (AUPs not withstanding).
> Draconian measures such as those you are advocating would leave us
> with nothing more than a watered down version of the present
> Internet. If I wanted that, I'd use AOL. An ISP's job is to deliver
> packets from one point to another, with no concern for the content of
> the packets, or their particular purpose.
This is the old "ISPs are common carriers" argument, which isn't now, and
has never been, correct. You are entitled to exactly what connectivity your
contract with your ISP specifies. Nothing more, nothing less.
> I certainly see the merits
> of blocking ports upstream as a value added service, but making it
> the default is horribly wrong in my opinion.
What possible legitimate use does your typical broadband customer have for
outgoing access to port 25 (except to the ISP's mail server, of course), 135,
or 1080? Doesn't it prevent an entire class of problems if ISPs proactively
block these ports for any customer who doesn't specifically ask for them to
be open (and probably not 25 even then)? Granted, ISPs should open most
ports for users that do have a legitimate need, but I have no problem with
leaving the most exploited ports shut off by default.
Most importantly, if you believe port blocking is inherently wrong, what
alternative do you propose for controlling the spread of worms, spam, and
other traffic that is crippling large parts of the Internet?
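The default-deny egress policy described in this post (25, 135 and 1080 closed outbound unless requested, with 25 permitted only toward the ISP's own relay and never opened on request), written out as a small policy evaluator. This is an added example, not code from the list post or from DShield; the relay network, customer names and flow records are constructed assumptions for illustration.

```python
"""Egress policy evaluator for the default-blocking scheme discussed in the
thread: ports 25, 135 and 1080 are closed outbound by default; 25 is permitted
only toward the ISP's own mail relay; 135 and 1080 can be opened per customer on
request, while 25 stays closed even then. All hosts and flows below are
constructed sample data, not anything taken from the list post."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical ISP mail relay network (an assumption for this example).
ISP_MAIL_RELAYS = ip_network("192.0.2.0/28")

# Ports closed outbound by default.
DEFAULT_BLOCKED = {25, 135, 1080}
# Ports a customer may ask to have opened; 25 is deliberately absent.
OPENABLE_ON_REQUEST = {135, 1080}


@dataclass
class Customer:
    name: str
    opened_ports: set = field(default_factory=set)

    def request_open(self, port: int) -> bool:
        """Honour a request only for ports the policy allows to be opened."""
        if port not in OPENABLE_ON_REQUEST:
            return False
        self.opened_ports.add(port)
        return True


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int


def evaluate(customer: Customer, flow: Flow) -> str:
    """Return 'allow' or 'block' for one outbound flow from `customer`."""
    port = flow.dst_port
    if port not in DEFAULT_BLOCKED:
        return "allow"                      # everything else passes untouched
    if port == 25 and ip_address(flow.dst_ip) in ISP_MAIL_RELAYS:
        return "allow"                      # only the ISP's own relay gets 25
    if port in customer.opened_ports:
        return "allow"                      # opened by explicit request
    return "block"


def apply_policy(customer: Customer, flows) -> dict:
    """Summarise decisions over a batch of flows; handy for reviewing logs."""
    decisions = {"allow": 0, "block": 0}
    for f in flows:
        decisions[evaluate(customer, f)] += 1
    return decisions


# Constructed sample flows for a single broadband customer.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 80),      # web traffic, never touched by the policy
    Flow("192.0.2.5", 25),         # SMTP to the ISP relay: allowed
    Flow("203.0.113.9", 25),       # direct-to-MX SMTP: blocked (spam/worm path)
    Flow("203.0.113.9", 135),      # RPC endpoint mapper: blocked by default
    Flow("203.0.113.9", 1080),     # SOCKS proxy port: blocked by default
]

if __name__ == "__main__":
    alice = Customer("alice")
    print(apply_policy(alice, SAMPLE_FLOWS))       # {'allow': 2, 'block': 3}
    alice.request_open(135)
    print(alice.request_open(25))                  # False: 25 is never opened
    print(apply_policy(alice, SAMPLE_FLOWS))       # {'allow': 3, 'block': 2}
```

The evaluator keeps the relay exception separate from the opt-in set so that an operator cannot accidentally widen port 25 by adding it to a customer's request list; that separation is the part of the post's proposal most worth preserving in a real filter configuration.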