From: yossarian at planet.nl (yossarian)
Subject: SQL Slammer - lessons learned

PS wrote
>> Can you think of a legitimate reason why ISPs should allow
>> ports 135-139/TCP/UDP to be open to the Internet? How about
>> port 445/UDP? Many ISPs now block port 25/TCP (for obvious
>> reasons.) Why not other service ports?

SD wrote
>Are that InternetServiceProviders or InternetServiceCensors?
>I feel free to implement an own strange private protocol using
>UDP 135 and I pay the ISP for routing this. I don't see any
>responsibility for ISPs to care about the content.

I think the answer is in your example: if only we were to standardise on an MS World, vulnerable MS ports would be blockable, w/o collateral damage for people not adhering to standard MS. The legitimate reasons Paul asks for are that ports are only loosely standardised. With the growing use of flexible port-addressing and masquerading in P2P clients, concentrating a discussion on certain ports appears a bit outdated to me.

IMHO the real issue is where we expect to be protected, or, put another way, who will we blame if our systems go down? Do we see the Internet as a massive threat, or do we expect it to be safe for lightweight use, i.e. less features and freedom = less threats?

Funny is that some people expect the ISP to deny all and only permit what is necessary, since no one can expect the parties connected, such as corporate networks and home users, to do so themselves - let the ISP set up a FW since it is too costly and/or too complex for me. Well, about too costly - ISPs are usually commercial entities, so it will raise the prices; nothing in life is free. It might be commercially viable for ISPs to set up two networks, one for people that only need three or four internet functions (HTTP, POP, SMTP and IMAP)... Nah, don't think so. People might suddenly want to run MSN, or something else.

My question - must my ISP know all types of traffic legit to me, in order to service me? And change the rulesets if I update some software? Or should I apply this knowledge to set up a firewall that suits my own needs? My ISP cannot set up a FW that suits me 100%, since it has other companies / customers with different needs on the same local loop. So even if my ISP were to block most of the dangerous traffic, I still would need a FW, since it cannot block all. And since an ISP must make a profit, having them do MY firewall would probably be a lot more expensive than if I do it myself.