Re: [Asrg] BCP suggestion: port-blocking by ISPs
On Sunday, August 08, 2004 2:13 PM [EST], Walter Dnes wrote:
>
> ARRRRGH!!! I can understand ssh-tunneling, ssl-tunneling, IPSEC,
> VPN, etc. But wide-open shares is stupid. Ditto for
> direct-connect via Outlook. Do you realize how many open ports
> Exchange uses?
>
And not even the same ports every time either. Next to H.323,
Exchange is probably one of the most NAT unfriendly systems out there.
It likes to use dynamic ports for everything, meaning not even port
forwarding or leaving open ranges is going to work, unless you give it
all 65535 ports. However, they supposedly improved in the latest
Exchange server version.
>
> I've turned off syslogging (from my ADSL modem/router to my linux
> machine) because it was accomplishing nothing except filling up my
> logfile with a constant hammering on port 445. If "internet
> background radiation" moves up to the level of a DOS, expect
> egregious sources to be null-routed as a defensive measure. Then
> we might start seeing some outbound blocking similar to
> port-25-blocking. It's sad that things have to deteriorate that
> far before action gets taken.
<rant>
What gets me is the providers which overblock on things. I can
understand filtering 135/137/445, 25, etc., but then you have providers
like Megapop that are filtering all incoming/outgoing ICMP echo/echo
reply traffic to dialups, which prevents normal diagnostic tools from
working (even traceroute is broken).
Yes, I understand why they might be doing this (helping to prevent
the spread of viruses that try to ping the attempted host to see if
it's up), but sometimes this can go too far. I have to be able to do
certain kinds of tests when my connection is acting flaky, and this
prevents me from doing that.
I'm at one of those points where a good portion of my net traffic goes
over my VPN tunnel to our Indy location, then out to the net, because
I have no idea just what else is being tinkered with exactly by
Megapop (and they do not give any kind of indication on their site
that they would be doing this, which makes me glad I decided NOT to
resell dialup through them back in Jan/Feb of this year).
Another example of going overboard - providers/companies/etc blocking
all ICMPs and not just echo/echo reply and other dangerous ones.
Stuff like PMTU breaks, etc. Yes, filtering is good, but only when
done correctly and carefully. Limiting the damage from infected
Windows machines isn't that hard to do without breaking the Internet
for the rest of us who are clean and/or run another OS such as MacOS X
or Linux/BSD.
</rant>
Ok. I'm done :)
--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The Abusive Hosts Blocking List
http://www.ahbl.org
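The distinction the post draws between filtering "correctly and carefully" and blocking all ICMP can be made concrete with a small policy model. The following is an added example and is not code from the thread or from any provider mentioned in it: it compares a blanket "drop every ICMP message" rule with a selective rule that drops only echo request/reply while letting the error messages that path MTU discovery and traceroute depend on through. The packet model, the sample packets, and the policy function names are constructed for this example; the ICMP type and code numbers are the standard ones from RFC 792.

```python
"""Added example: why a blanket ICMP block breaks PMTU discovery and
traceroute while a selective block of echo traffic does not."""
from dataclasses import dataclass

# Standard ICMP type/code numbers (RFC 792).
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
FRAG_NEEDED_CODE = 4   # type 3, code 4: "fragmentation needed and DF set"

# Ports the post considers reasonable to filter at the provider edge.
WORM_PORTS = {135, 137, 138, 139, 445}
SMTP_PORT = 25


@dataclass(frozen=True)
class Packet:
    """Constructed, minimal packet model: only the fields a port/ICMP filter looks at."""
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0          # destination port for tcp/udp
    icmp_type: int = -1     # ICMP type for icmp packets
    icmp_code: int = 0      # ICMP code for icmp packets
    direction: str = "in"   # "in" toward the customer, "out" toward the Internet


def _port_filter(pkt: Packet) -> str:
    """Shared TCP/UDP part of both policies: worm ports both ways, SMTP outbound only."""
    if pkt.proto in ("tcp", "udp") and pkt.dport in WORM_PORTS:
        return "drop"
    if pkt.proto == "tcp" and pkt.dport == SMTP_PORT and pkt.direction == "out":
        return "drop"      # the outbound port-25 blocking the thread discusses
    return "accept"


def blanket_policy(pkt: Packet) -> str:
    """The overblocking variant: every ICMP message is dropped, whatever its type."""
    if pkt.proto == "icmp":
        return "drop"
    return _port_filter(pkt)


def selective_policy(pkt: Packet) -> str:
    """The careful variant: drop only echo request/reply, keep ICMP error messages."""
    if pkt.proto == "icmp":
        if pkt.icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            return "drop"
        return "accept"
    return _port_filter(pkt)


def pmtud_survives(policy) -> bool:
    """True if the 'fragmentation needed' message PMTU discovery relies on gets through."""
    frag_needed = Packet("icmp", icmp_type=ICMP_DEST_UNREACH, icmp_code=FRAG_NEEDED_CODE)
    return policy(frag_needed) == "accept"


def traceroute_survives(policy) -> bool:
    """True if the 'time exceeded' replies traceroute relies on get through."""
    time_exceeded = Packet("icmp", icmp_type=ICMP_TIME_EXCEEDED)
    return policy(time_exceeded) == "accept"


# Constructed sample traffic mix covering the cases the post raises.
SAMPLE = [
    ("smb inbound 445",        Packet("tcp", dport=445)),
    ("smtp outbound",          Packet("tcp", dport=25, direction="out")),
    ("smtp inbound",           Packet("tcp", dport=25, direction="in")),
    ("https",                  Packet("tcp", dport=443)),
    ("ping request",           Packet("icmp", icmp_type=ICMP_ECHO_REQUEST)),
    ("frag needed (PMTUD)",    Packet("icmp", icmp_type=ICMP_DEST_UNREACH, icmp_code=FRAG_NEEDED_CODE)),
    ("time exceeded (tracert)", Packet("icmp", icmp_type=ICMP_TIME_EXCEEDED)),
]


def evaluate(policy) -> dict:
    """Run every sample packet through a policy and return {label: verdict}."""
    return {label: policy(pkt) for label, pkt in SAMPLE}


if __name__ == "__main__":
    for name, policy in (("blanket", blanket_policy), ("selective", selective_policy)):
        print(f"{name}: PMTUD ok={pmtud_survives(policy)} traceroute ok={traceroute_survives(policy)}")
        for label, verdict in evaluate(policy).items():
            print(f"  {label:24} {verdict}")
```

Both policies agree on the port filtering; they differ only on ICMP. The blanket policy silently discards the type 3/code 4 message a router sends when a DF-flagged packet is too large, so a customer behind a VPN or PPPoE link with a smaller MTU ends up with connections that hang after the handshake, which is the "PMTU breaks" failure the post mentions. The selective policy still breaks ping, which is the trade-off the post is willing to tolerate; a rate limit on echo traffic instead of a drop would be the next refinement.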
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg