
Re: [Asrg] BCP suggestion: port-blocking by ISPs



At 2:13 PM -0400 8/8/04, Walter Dnes imposed structure on a stream of electrons, yielding:
On Sat, Aug 07, 2004 at 12:11:20PM -0400, Bill Cole wrote

 Okay, again I think you are viewing the relation to the non-customer
 world at large. I think that's the wrong point of attack.

 >  1) egress filtering of forged source-IP address packets

 This should be ingress filtering on customer interfaces instead.
 Watch for RFC1918 traffic hitting your router from the outside and
 consider what it might be from.

Forged source addresses are not always going to be in the RFC1918 spectrum.

Obviously I wasn't clear enough.

I mean that when you see those addresses, you can be essentially certain that they did not come from anywhere outside your own ISP's network. Those bogus addresses are almost certain to be from one customer to another, and have some chance of being the result of mistakes instead of attacks. They are also proof that ingress filtering on customer-facing interfaces would catch some bogus traffic.

And I do believe that ISPs have a duty to minimize/stop abuse
in general (not just spam) emanating from their systems.

Yes, and an effective way to do both is not just to filter what leaves their network, but to filter what comes in from downstream.


For many ISPs, that is also the only reasonable place to filter. 99.9% of their customers may well be single-homed, but that 0.1% will be a problem if they are only filtering on the 'upstream' side instead of on each customer interface.

 However, people DO run Exchange open to the net and ask users (i.e.
 employees) to connect to it from home using their personal commodity
 access and Outlook. Some smaller set of adventurous companies even
 leave file shares open to the net.

ARRRRGH!!! I can understand ssh-tunneling, ssl-tunneling, IPSEC, VPN, etc. But wide-open shares is stupid. Ditto for direct-connect via Outlook. Do you realize how many open ports Exchange uses?

I never said it was a wise thing to do. IMHO it is proof positive that the admin of that server is unsuited for his job. But it does happen, and ISPs do have to live in a world where users will complain about port blocking because of such idiotic choices. Note that it's not a bad choice because of the number of ports, but because of the problems with the specific software handling them.


 Asking ISPs to block ports is asking them to offend some set of
 customers and perhaps drive them away to ISPs that don't do such
 blocking. That is a hopeless expectation, as none of the larger
 commodity-access ISPs has shown a willingness to risk losing any
 customers for any reason.

Comcast has gotten their act together in the past couple of months... after being blocked by a significant chunk of the planet. In June and early July, 24.0.0.0/8 used to have more email delivery attempts blocked by my rules than the next 5 most active /8's combined. For the first week of August, it has been the 4th most active /8 in my block logs. It's not all Comcast in there, but every reduction in spamflow helps.

What is most notable is not that Comcast did block port 25 but rather that it took so long for them to do so. The bulk of commodity dialup providers in the US were blocking port 25 4 years ago.


Getting back to the original topic of this thread: I still believe that default-on port blocking is the laziest practice, not the best practice.

  I've turned off syslogging (from my ADSL modem/router to my linux
machine) because it was accomplishing nothing except filling up my
logfile with a constant hammering on port 445.  If "internet background
radiation" moves up to the level of a DOS,

If?

Attacks aimed at services with common vulnerable implementations (e.g. DCE endpoint mapping) have effectively eliminated the ability to expose any implementations to the net at large. This is not because they all share the same compromise risk as the target implementations, but because of the large number of surviving imbeciles whose machines are hammering those ports.

 expect egregious sources to
be null-routed as a defensive measure.

I wish that were true to a significant extent beyond the hobbyist/micro-network community. Except for the brief period when the MAPS BGP feed was being used by a few large networks, I have not seen signs of a stomach for such approaches.


  Then we might start seeing some
outbound blocking similar to port-25-blocking.  It's sad that things
have to deteriorate that far before action gets taken.

It is most sad that reasonable people disagree over whether it is a good thing to treat everyone like an imbecile or a criminal by default.


--
Bill Cole
bill at scconsult.com
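The per-customer-interface ingress filtering argued for above, as an added example that is not code from this thread or from any ISP: each customer-facing interface is bound to the prefixes that customer was assigned, anything else arriving on it is dropped and counted against that interface (so a leaked RFC 1918 address from a misconfigured box and a forged address are both attributed to the customer that sent them), and the upstream interface only checks for private source space, which cannot legitimately come from outside. The interface names, prefix bindings and packet list are hypothetical, using the TEST-NET documentation ranges; the second prefix on `cust-b` shows why the check has to live on each customer interface rather than on the upstream side.

```python
"""Simulated per-interface ingress filter for an ISP edge router.

Constructed example (not code from the thread or from any ISP): each
customer-facing interface is bound to the prefixes that customer is
assigned; a packet arriving on that interface from any other source
address is dropped and counted against that interface. On the upstream
(non-customer) interface the only source check is for RFC 1918 space,
which cannot legitimately arrive from the outside world. Interface names
and prefixes below are hypothetical; addresses come from the TEST-NET
documentation ranges.
"""
import ipaddress
from collections import Counter

# Private address space (RFC 1918); seen from upstream, it is always bogus.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class IngressFilter:
    def __init__(self, customer_prefixes):
        # customer_prefixes maps interface name -> list of assigned prefixes.
        # A multi-homed customer can legitimately have several.
        self.table = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in customer_prefixes.items()
        }
        # (interface, reason) -> count, so bogus traffic is attributed per customer
        self.dropped = Counter()

    def check(self, iface, src):
        """Return 'accept' or 'drop' for a packet with source src seen on iface."""
        src_ip = ipaddress.ip_address(src)
        allowed = self.table.get(iface)
        if allowed is None:
            # Upstream side: no customer binding, only the RFC 1918 bogon test.
            if any(src_ip in net for net in RFC1918):
                self.dropped[(iface, "rfc1918-from-upstream")] += 1
                return "drop"
            return "accept"
        if any(src_ip in net for net in allowed):
            return "accept"
        # Source is outside what this customer was assigned: forged or a
        # leaked private address; either way it is this customer's problem.
        self.dropped[(iface, "spoofed-source")] += 1
        return "drop"


# Hypothetical interface-to-prefix bindings (TEST-NET-3 carved into /26s).
CUSTOMER_PREFIXES = {
    "cust-a": ["203.0.113.0/26"],
    "cust-b": ["203.0.113.64/26", "198.51.100.0/28"],  # multi-homed customer
}

# Constructed sample of (interface, source address) pairs.
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.10"),      # legitimate
    ("cust-a", "192.168.1.5"),       # leaked private address, probably a mistake
    ("cust-b", "203.0.113.10"),      # forged: that address belongs to cust-a
    ("cust-b", "198.51.100.3"),      # legitimate, via the customer's second prefix
    ("upstream", "10.1.2.3"),        # private source arriving from the outside
    ("upstream", "198.51.100.200"),  # ordinary inbound traffic
]


def run_sample():
    """Filter SAMPLE_PACKETS; return the verdict list and the drop counters."""
    flt = IngressFilter(CUSTOMER_PREFIXES)
    verdicts = [flt.check(iface, src) for iface, src in SAMPLE_PACKETS]
    return verdicts, dict(flt.dropped)


if __name__ == "__main__":
    verdicts, dropped = run_sample()
    for (iface, src), verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{iface:9} {src:16} {verdict}")
    for (iface, reason), n in sorted(dropped.items()):
        print(f"dropped on {iface}: {reason} x{n}")
```

The drop counters are the part an abuse desk actually wants: an upstream-only filter would see the forged packet from `cust-b` as just "some 203.0.113.x source" and could not say which customer emitted it, while the per-interface table pins it to the interface it arrived on.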


_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg