[Dshield] paper about port blocking

warpmedia warpmedia at comcast.net
Thu Sep 4 13:45:22 GMT 2003

At 23:41 9/3/2003, Johannes Ullrich wrote:
>On Wed, 2003-09-03 at 22:08, warpmedia wrote:
> > What happened to "unlimited Internet"?
>it joined the 'free beer' and went to chapter 11.

Well I still hear the phrase being used in ads, so I don't know.

> > I am personally pissed that Comcast is arbitrarily blocking ports for 3 reasons:
> > 3. There was no announcement or web page listing ports being blocked.
>Blocked ports have to be announced and they have to be part of the
>contract. The problem is that because ISPs block ports as things come
>up, these blocks break existing connections users expect to work.

Tell me about it. When all the blaster stuff was going on I was surprised 
not to see even 1 hit my firewall. Then I ran a scan from Sygate's website 
for ports 1-1024 and noticed missing ports in my logs. Took me a bit until 
I realized what was up.

> > So you tell me, where does it end & what do I lose/gain in the process?
>Simple: How much are you willing to pay for abuse personnel helping
>infected users? How much do you want to pay for all the packets getting
>thrown your way by various worms/DDOS attacks and such?
>My cable modem sees about 20% valid traffic at this point. I don't want
>to have 80% of my monthly fee go to routing junk.

I won't pay a dime. Shut THEM down until they PAY someone to come fix their 
problems & act as liaison to the provider to certify the problem is gone. I 
have no bandwidth issues here, nor have I ever really had a problem with 
outside sources as I did pay my $80 and install a HW firewall (which out of 
the box, blocked everything needed).

Meanwhile I lose my ability to use certain ports (arbitrarily, I still see 
scans from various viruses on ports > 1024) as well as the ability to know 
what is up around me.

> > What does this move do to cases where ISPs are being subpoenaed for
> > users' names & addresses by a$$holes like RIAA, but ISPs claim they are only
> > the carrier?
>While these cases are not related to port blocking, ISPs lost these
>cases because they are not just the carrier in the opinion of the judge.

How are they not related? If they can just port block stupid file sharing 
services & don't because it's a slippery slope, now they have gone down 
that slope. What's next? I browse a web site & get infected. Why didn't 
they block the dangerous content? Why can I see porn by accident? 10 years 
ago these were the issues that originally set up ISPs in "hands off" mode 
for fear of messing up & missing something.

> > It makes more sense that they should be supplying old Netgear RP114's
> > pre-configured with filtering (a managed circuit like you see to offices)
> > with a disclaimer that it's only "basic" protection vs. none. Then they
> > could offer the ability to manage it yourself once you sign an AUP or something.
>That would be great. My dream solution: The ISP sets up a little online
>security quiz. If you pass it, you will be permitted to open the ports.
>Some Universities are now implementing systems like this, where you will
>not be permitted to connect to the outside at all until your machine
>passed an automated security scan. We will see how that works. These
>systems are new and I guess this semester will be the first real test.

Hey, no problems here with that idea as long as there is something real you 
can for and not miss something equally as important. It needs to be 
followed up with a list of software you can't use because it's inherently 
unsafe like Internet Explorer. Without the software fixed, you've only 
killed 1 vector of attack (possibly partially). Now you have to deal with 
the other, which is seemingly safe websites that exploit your browser (a 
much bigger problem than port blocking from what I see show up on customer 
systems that they didn't install).

But, you still need to supply firewalls. There is no argument against that 
when out of the box, most all the consumer grade routers would have blocked 
this problem. What does the cable co say when you have a firewall? "We don't 
support that method of connecting".

> > What port a user uses is not the business of the ISP, what service they put
> > on that port maybe. The problems lie with exploit writers and the creators
> > of software that is full of bugs to be exploited.
>Yes, but that's a much harder problem to solve. Keeping the ports open
>will not help solve this problem.

Yes, but closing them "masks" the problem not fixes it. You'd still have 
business customers who were unblocked and just as likely to have a dolt 
admin. Who is liable when something still makes it through an ISP to a 
customer on a port they aren't blocking?

Temp port block during a major storm is fine and falls under the category 
of SPI. Still makes more sense to detect infected boxes & shut down their pipe.

Joshua MacCraw
warpmedia at comcast.net
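The check described earlier in this message (scan your own address from outside, then look for probed ports that never show up in the firewall log) can be scripted. This is an added example, not part of the original post or the DShield list: the log lines and addresses are constructed (netfilter-style LOG output, documentation-range IPs), and the function names are my own.

```python
import re

# Constructed sample: ports the external scanner was asked to probe (a subset of
# 1-1024, as in the post) and the firewall log that should record each probe.
# The log lines imitate netfilter LOG output; they are invented for this example.
PROBED_PORTS = [21, 22, 23, 25, 80, 135, 137, 139, 443, 445, 1024]
SCANNER_IP = "192.0.2.10"   # the host that ran the scan (documentation range)

FIREWALL_LOG = """\
Sep  4 12:01:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=21 SYN
Sep  4 12:01:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=22 SYN
Sep  4 12:01:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=23 SYN
Sep  4 12:01:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40004 DPT=25 SYN
Sep  4 12:01:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40005 DPT=80 SYN
Sep  4 12:01:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40006 DPT=443 SYN
Sep  4 12:01:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40007 DPT=1024 SYN
Sep  4 12:02:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.7 PROTO=TCP SPT=3344 DPT=2000 SYN
"""

# Pull source address, protocol and destination port out of one log line.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def observed_ports(log_text, src_ip, proto="TCP"):
    """Destination ports the firewall actually logged from src_ip."""
    seen = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("src") == src_ip and m.group("proto") == proto:
            seen.add(int(m.group("dpt")))
    return seen


def upstream_filtered(probed, log_text, src_ip):
    """Ports the scanner sent to but the firewall never saw.

    These are the candidates for filtering somewhere upstream (e.g. by the ISP).
    Only trust the result for ports the scanner confirms it really sent; a probe
    the scanner itself skipped would also be 'missing' here.
    """
    return sorted(set(probed) - observed_ports(log_text, src_ip))


if __name__ == "__main__":
    print("never reached the firewall:", upstream_filtered(PROBED_PORTS, FIREWALL_LOG, SCANNER_IP))
```

Traffic from other sources (the last sample line) is left out of the comparison on purpose; only probes from the scanning host say anything about what is being dropped before it reaches you.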
