Re: [Asrg] BCP suggestion: port-blocking by ISPs
At 10:32 AM -0400 7/31/04, Walter Dnes wrote:
> Several major consumer-oriented ISPs block port-25 traffic (coming and
> going) direct to external MTAs. This is a palliative measure dealing
> with compromised machines. We can do better. We can implement
> preventative measures to reduce the incidence of compromised machines.
>
> Having just gotten back on broadband, I set my modem-router's packet
> filters to block and log all incoming packets to ports < 1024. Port 445
> seems to be getting around 10 hits per minute, depending on time of day.
> I've now turned off logging to keep my logfiles from expanding
> ridiculously.
>
> Inbound traffic
> ===============

It's not clear to me what point of view you are using to define
inbound and outbound. I'm guessing that by 'Inbound' here you mean
'coming from the non-customer world at large', so if I'm
misunderstanding that I might not make sense below...

> Given that many retail ISPs explicitly forbid running externally
> visible servers on residential accounts, I suggest that they block all
> ports below 1024 inbound TCP and UDP. This will...

I have no problem with that, but I think ISPs would be wise to make
clear that they are doing this on particular classes of account. It
should be a marketable feature.

[...]

> 3) block spammers' ability to use a modified TCP/IP stack to send out
>    heavy-duty spam traffic on a T1 or highspeed-residential account
>    with source IP address forged to that of a cheap dial-up account
>    that they have logged on to receive the SMTP return traffic on.

No need for any special TCP/IP stack. It is perfectly normal to pick
an interface for a packet based on target address, not source address.

> It should be promoted as a "partial firewall".

Indeed. AOL seems to think that paternalistic Internet service is
marketable, and is running multiple ads in heavy, expensive rotations
touting their ability to protect and repair Windows systems.

> Outbound traffic
> ================
>
> In addition to protecting their own customers, ISPs should take some
> minimal measures to protect other ISPs' customers.

Okay, again I think you are viewing the relation to the non-customer
world at large. I think that's the wrong point of attack.

> 1) egress filtering of forged source-IP address packets

This should be ingress filtering on customer interfaces instead.
Watch for RFC1918 traffic hitting your router from the outside and
consider what it might be from.

> 2) block outbound traffic to ports 135, 137, 138, 139, and 445. There
>    is no justification/reason/rationalization/lameass-excuse for a
>    residential account to be sending out traffic on these ports.

That is debatable. I agree, but I come from the school of thought
that says no MS server software of any flavor should be exposed to
the Internet.

However, people DO run Exchange open to the net and ask users (i.e.
employees) to connect to it from home using their personal commodity
access and Outlook. Some smaller set of adventurous companies even
leave file shares open to the net. Asking ISPs to block ports is
asking them to offend some set of customers and perhaps drive them
away to ISPs that don't do such blocking. That is a hopeless
expectation, as none of the larger commodity-access ISPs has shown a
willingness to risk losing any customers for any reason.
--
Bill Cole
bill at scconsult.com
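The policy argued over above (inbound blocking of ports below 1024 on residential accounts, the outbound block on the Microsoft networking ports, and Bill's preference for anti-spoofing ingress filtering on the customer interface plus a check for RFC1918 sources arriving from upstream) modelled as a small access-router filter. This is an added example and is not code from either author or the ASRG; the interface names, the customer prefixes (taken from the RFC 5737 documentation ranges) and the sample packets are constructed for illustration. It also shows why the "forged dial-up source on a T1" trick in item 3 dies at the customer port: the source address is not in that customer's assigned prefix, regardless of how the sender chose its outgoing interface.

```python
"""Toy model of the residential-ISP access-router policy discussed in the thread.

Added example, not from the original post. Interface names, prefixes and sample
packets are constructed; the decision logic is a plain stateless packet filter.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# RFC 1918 space: never a legitimate source on the world-facing side of the router.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Ports proposed for the outbound block on residential accounts.
MS_PORTS = {135, 137, 138, 139, 445}


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on
    src: IPv4Address
    dst: IPv4Address
    proto: str            # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Decision:
    action: str           # "accept" or "drop"
    reason: str


class AccessRouter:
    def __init__(self, customers: dict, upstream: str, residential: set):
        self.customers = customers      # customer iface -> prefix assigned to that customer
        self.upstream = upstream        # world-facing interface
        self.residential = residential  # ifaces on the account class that gets the "partial firewall"

    def filter(self, pkt: Packet) -> Decision:
        if pkt.iface == self.upstream:
            return self._from_world(pkt)
        if pkt.iface in self.customers:
            return self._from_customer(pkt)
        return Decision("drop", "unknown interface")

    def _from_world(self, pkt: Packet) -> Decision:
        # RFC1918 sources arriving from upstream are leakage or spoofing: drop (and log).
        if any(pkt.src in net for net in RFC1918):
            return Decision("drop", "rfc1918 source from upstream")
        for iface, prefix in self.customers.items():
            if pkt.dst in prefix:
                # Inbound block on privileged ports applies only to residential accounts.
                if iface in self.residential and pkt.dport < 1024:
                    return Decision("drop", "inbound privileged port to residential")
                return Decision("accept", f"forward to {iface}")
        return Decision("drop", "no route to destination")

    def _from_customer(self, pkt: Packet) -> Decision:
        # Ingress anti-spoofing on the customer interface: the source must be an
        # address the ISP actually assigned to this customer.
        if pkt.src not in self.customers[pkt.iface]:
            return Decision("drop", "source not in customer's assigned prefix")
        if pkt.iface in self.residential and pkt.dport in MS_PORTS:
            return Decision("drop", "outbound MS networking port from residential")
        return Decision("accept", "forward upstream")


def build_router() -> AccessRouter:
    # Constructed topology: one residential DSL customer, one business T1 customer.
    return AccessRouter(
        customers={"dsl0": ip_network("203.0.113.0/29"), "t1-0": ip_network("198.51.100.0/28")},
        upstream="up0",
        residential={"dsl0"},
    )


# Constructed sample traffic, one packet per case discussed in the thread.
SAMPLES = {
    "smb_probe_inbound":      Packet("up0",  ip_address("192.0.2.7"),     ip_address("203.0.113.2"),  "tcp", 445),
    "high_port_inbound":      Packet("up0",  ip_address("192.0.2.7"),     ip_address("203.0.113.2"),  "udp", 27015),
    "smtp_reply_to_t1":       Packet("up0",  ip_address("192.0.2.25"),    ip_address("198.51.100.5"), "tcp", 25),
    "private_src_from_world": Packet("up0",  ip_address("10.1.2.3"),      ip_address("203.0.113.2"),  "udp", 53),
    "spoofed_source_on_t1":   Packet("t1-0", ip_address("192.0.2.200"),   ip_address("192.0.2.25"),   "tcp", 25),
    "legit_smtp_from_t1":     Packet("t1-0", ip_address("198.51.100.5"),  ip_address("192.0.2.25"),   "tcp", 25),
    "smb_scan_outbound":      Packet("dsl0", ip_address("203.0.113.2"),   ip_address("192.0.2.9"),    "tcp", 445),
}


def run_samples(router: AccessRouter = None) -> dict:
    """Return {sample name: action} for every constructed packet."""
    router = router or build_router()
    return {name: router.filter(pkt).action for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    r = build_router()
    for name, pkt in SAMPLES.items():
        d = r.filter(pkt)
        print(f"{name:24} {pkt.iface:5} {pkt.src!s:>14} -> {pkt.dst!s:<14}:{pkt.dport:<5} {d.action:6} ({d.reason})")
```

The split between `_from_world` and `_from_customer` is the point Bill is making: the anti-spoofing check is cheapest and most precise at the interface where the ISP knows exactly which prefix it handed out, and the port blocks can then be scoped to an account class rather than applied to everyone.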
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg