[Dshield] paper about port blocking
ed.truitt at etee2k.net
Thu Sep 4 15:33:06 GMT 2003
On Tue, Sep 02, 2003 at 09:53:30PM -0400, Johannes Ullrich wrote:
> I "polished" some of my arguments about blocking ports at consumer ISPs
> and put together a paper for the SANS
> reading room. If anybody is interested:
Not bad - though, IMNSHO, the ONLY justification for blocking these ports is that MS Windows Networking is not meant for use over the Internet (and if anyone doubts this, why don't we have a World Wide WINS, along the lines of DNS? It's called A FLAT NAMESPACE.) The most-assailed port on my tarpit is STILL 1433 (thanks to the system that is hitting it with 662 attack threads), and there is still some NIMDA and CRII around. I certainly would NOT recommend that ISPs block those ports (or even P2P ports) as a general rule.
Just a question, though -- why did you not include Port 138?
Edward D. (Ed) Truitt
email: ed.truitt at etee2k.net
"Note to spammers: my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."