[Dshield] paper about port blocking

Jonathan Rickman jonathan at xcorps.net
Wed Sep 3 21:33:15 GMT 2003


On Wednesday 03 September 2003 16:52, Darren Gasser wrote:

> Most importantly, if you believe port blocking is inherently wrong, what
> alternative do you propose for controlling the spread of worms, spam, and
> other traffic that is crippling large parts of the Internet?

Filtering at the edge works just as well for consumers as it does for large 
enterprises. Broadband ISPs should ship devices that support at least some 
form of static packet filtering, and have it locked down by default. Savvy 
users could access the device and open what they need, and less savvy users 
will be protected by default. Obviously some tweaking of the default config 
will be needed to support online gaming and the like, but ISPs could absorb 
the costs over time due to the reduced time spent playing whack-a-mole with 
infections. It wouldn't break my heart if, in the event of malicious traffic 
being detected originating from the customer, the device re-directed the 
customer traffic destined for port 80 to an "attention getter" page that 
either reiterated the terms of the AUP, or had instructions for cleaning 
the worm of the month.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net
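Added illustration, not part of the original post and not code from any ISP's equipment: a small Python model of the CPE filter described above. It is locked down by default (anything not explicitly opened is dropped), lets a user open a port for something like online gaming, watches outbound traffic for worm-style behaviour (one port hit on many distinct hosts), and once quarantined redirects the customer's port-80 traffic to a notice page while denying everything else except DNS. The notice-page address (an RFC 5737 documentation address), the scan threshold and the sample packets are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

NOTICE_PAGE = "192.0.2.80"  # constructed: where the ISP's "attention getter" page lives
SCAN_THRESHOLD = 20         # assumed: distinct hosts on one port before we call it worm-like


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = customer -> Internet, "in" = Internet -> customer
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Verdict:
    action: str                  # "allow", "deny" or "redirect"
    new_dst: Optional[str] = None


@dataclass
class CpeFilter:
    """Static (stateless) allow-list filter: anything not listed is dropped."""
    allowed: set = field(default_factory=set)      # entries are (direction, proto, dport)
    quarantined: bool = False
    quarantine_reason: str = ""
    # (proto, dport) -> set of distinct destination hosts seen from the customer
    _peers: dict = field(default_factory=lambda: defaultdict(set))

    def open_port(self, direction: str, proto: str, dport: int) -> None:
        """What a savvy user (or the ISP's default profile) does to permit a service."""
        self.allowed.add((direction, proto, dport))

    def _observe(self, pkt: Packet) -> None:
        """Crude worm heuristic: the same port tried against many different hosts.
        Denied packets count too: the attempt itself is the symptom."""
        if pkt.direction != "out":
            return
        seen = self._peers[(pkt.proto, pkt.dport)]
        seen.add(pkt.dst)
        if len(seen) >= SCAN_THRESHOLD and not self.quarantined:
            self.quarantined = True
            self.quarantine_reason = f"{pkt.proto}/{pkt.dport} to {len(seen)} distinct hosts"

    def evaluate(self, pkt: Packet) -> Verdict:
        self._observe(pkt)
        if self.quarantined and pkt.direction == "out":
            # Customer only gets DNS and the notice page until they clean up.
            if pkt.proto == "tcp" and pkt.dport == 80:
                return Verdict("redirect", NOTICE_PAGE)
            if pkt.proto == "udp" and pkt.dport == 53:
                return Verdict("allow")
            return Verdict("deny")
        if (pkt.direction, pkt.proto, pkt.dport) in self.allowed:
            return Verdict("allow")
        return Verdict("deny")  # locked down by default


def default_consumer_filter() -> CpeFilter:
    """Assumed ISP-shipped default: outbound DNS and web only, nothing inbound."""
    f = CpeFilter()
    for proto, port in (("udp", 53), ("tcp", 80), ("tcp", 443)):
        f.open_port("out", proto, port)
    return f


def demo() -> dict:
    """Walk through the scenario from the post and return the verdicts."""
    f = default_consumer_filter()
    out = {}
    out["inbound_135"] = f.evaluate(Packet("in", "tcp", "203.0.113.5", "10.0.0.2", 135)).action
    out["outbound_443"] = f.evaluate(Packet("out", "tcp", "10.0.0.2", "198.51.100.1", 443)).action
    f.open_port("in", "udp", 27015)  # user opens a game server port
    out["inbound_game"] = f.evaluate(Packet("in", "udp", "203.0.113.9", "10.0.0.2", 27015)).action
    # Infected host sweeps tcp/135 across the neighbourhood (constructed traffic).
    for i in range(SCAN_THRESHOLD):
        f.evaluate(Packet("out", "tcp", "10.0.0.2", f"198.51.100.{i + 1}", 135))
    out["quarantined"] = f.quarantined
    v = f.evaluate(Packet("out", "tcp", "10.0.0.2", "198.51.100.200", 80))
    out["web_after"] = (v.action, v.new_dst)
    out["https_after"] = f.evaluate(Packet("out", "tcp", "10.0.0.2", "198.51.100.1", 443)).action
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The filter is deliberately stateless, matching the "static packet filtering" the post asks for; a real device would add connection tracking so that replies to allowed outbound connections get in without a separate inbound rule.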