[Dshield] paper about port blocking

Ed Truitt ed.truitt at etee2k.net
Thu Sep 4 15:33:06 GMT 2003

On Tue, Sep 02, 2003 at 09:53:30PM -0400, Johannes Ullrich wrote:
> I "polished" some of my arguments about blocking ports at consumer ISPs
> and put together a paper for the SANS
> reading room. If anybody is interested:
> http://www.sans.org/rr/special/isp_blocking.php

Not bad - though, IMNSHO, the ONLY justification for blocking these ports is that MS Windows Networking is not meant for use over the Internet (and if anyone doubts this, why don't we have a World Wide WINS, along the lines of DNS?  It's called A FLAT NAMESPACE.)  The most-assailed port on my tarpit is STILL 1433 (thanks to the system that is hitting it with 662 attack threads), and there is still some NIMDA and CRII around.  I certainly would NOT recommend that ISPs block those ports (or even P2P ports) as a general rule.

Just a question, though -- why did you not include Port 138?

Edward D. (Ed) Truitt
email:  ed.truitt at etee2k.net
"Note to spammers: my 'delete' key is connected to YOUR ISP. 
Also, if you send me UCE, I reserve the right to post your spew 
on my Web site, with the appropriate color commentary, so that 
others may have a good laugh at your expense."
