Open Source and information security mailing list archives
From: swallis at ittc.ukans.edu (Shawn Wallis)
Subject: ISP's save the Inet from Blaster?

I have worked for several ISPs, and most/nearly all of them are clueful
as to the harm their networks pose.  You have to remember, they are
selling a service to customers, and many customers don't want to use a
service where they can't do x, y, and z..  

The problem is, customers must give up something for this security.
If all the DSL/Cable providers drop offering those ports, they will do
just what I did, and switch to someone who hasn't blocked them yet... or
upgrade and pay more for a business-class type.. 

Most providers I know are in it to make money, so there is a huge benefit
to offering as much as possible, without hindering their network...

If you'll notice, the carriers, normally don't even dream of blocking
ports..  The several I worked for had policies that prevented
filtering of ports due to the load on the routers, and the interruption
of service to the customer.  Carriers have SLAs with most of their
customers to provide service. Even when dealing with worms, there had to
be explicit service interruption to multiple customers, before they would
block or interfere.  The impact is huge for them, but what if they just
decided to block 135.. Think of the effect that could have on business,
etc.  
(Not that anyone should be using these across any WANs.. but I'm sure
they do...)

The ISP networks are just a staging point, but I truly wonder how much
business and how many users will switch, or drop their service as they
blame a local ISP for interrupting their service, or not protecting them??
I doubt we will ever know, but it would be very interesting how many
people don't understand the situation, and quit their current provider due
to this.  (Just like when customers get frustrated when a carrier has
repeated outages, and switch services... However, a lot of COs are in
the same building next to each other... and suffer the same issues)

I think the problem is much greater.  I am not really worried about the
DSL-type providers.  Most of them seem to be on the ball, but what I'm
worried about are people outside of the US.  The reason is, there is no
regulation of what comes in (or goes out) on border routers.  I wouldn't
mind seeing some comparisons as to whom the top contributors were (by
some of the carriers).  I am pretty sure the numbers will be greater
outside the US.  I think if the carriers pitched in, and blocked "135/tcp"
from non-US, this might have helped the issue.

I think the carriers need to take a little more responsibility.  (and 
change their policies)  Their role is just to provide customers with a
big fat pipe, and usually don't do any filtering.  (Due to load on
routers, interfering with other customers, etc...)  DSL/Cable providers
actually have to deal with the end users, sadly enough.  

Maybe carriers are coming up with some rules how in an event of a worm 
(etc.), they will proceed to block ports to limit exposure..  

One of the problems again, is there is no profit doing Internet
worm/DOS/DDOS prevention.  The only profit comes from VPN'd type setups
where users will affect themselves, or other networks they are affiliated
with.

There are companies out there that do this sort of thing, like Arbor
Networks, but... the problem, is even if I protect my home LAN, there is a
chance that my provider will be affected, and their carrier will be
affected, and the carrier/provider where I am trying to get to..  So,
what's the point? And even if one hop between me and my destination is
affected, it hoses everything up for me! :)

- Shawn

On Wed, 13 Aug 2003, Kyp Durron wrote:

> Hello all,
> 
> Here is something to contemplate.  Right now portions or possibly all of 
> Cox, Charter, Comcast and SBC DSL networks are not allowing in or outbound 
> port 135, 139 and 445 traffic.  Take into consideration the vast number of 
> uneducated users running XP or 2000 with no protection on those networks.  
> So, is it possible that these ISPs are finally clueing into the dangers 
> that their networks pose to the Internet at large and are partially to thank 
> for Blaster not being a Slammer times 1000?
> 
> On a funny side note a few of these ISPs are denying the fact that they are 
> blocking those ports, but there is NO way you can scan over 200 client 
> machines and see tons of 5000 (uPnP) ports open and not one 135, 139 or 445.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

