Message-ID: <1044545299.15689.101.camel@utd49554.utdallas.edu>
From: pauls at utdallas.edu (Paul Schmehl)
Subject: SQL Slammer - lessons learned
On Thu, 2003-02-06 at 04:41, Nicob wrote:
> On Wed, 2003-02-05 at 16:38, Paul Schmehl wrote:
>
> > Can you think of a legitimate reason why ISPs should allow ports
> > 135-139/TCP/UDP to be open to the Internet? How about port 445/UDP?
>
> IMO, it's not up to the ISP to choose which ports and services I should use.
> I pay (sort of) for a pipe running from my home computer to the wild
> Internet and *that's all*.
I think you're confused about who owns the pipe. The ISPs can do
anything they want. Then it's up to you as a consumer to decide if
you're willing to pay them for the service they offer - completely open
or partially restricted. AOL is an example of this, as are a few
others.
However, I think the day is coming when ISPs will be held liable for
negligence when they have been informed about problems coming from their
network and they do nothing to fix them. One option, obviously, is to
work with the customer to fix whatever is wrong - get them to patch,
close ports, stop services, whatever. But another, *much* easier
option, is to simply close the ports themselves. And I predict that
many will do that.
Port 25 is a good example. There was a time when hardly any ISP in the
world would have even considered closing port 25. Now many of them have
closed it. It's cheaper to close the port and be done with it than it
is to be playing whack-a-mole with an expensive abuse staff.
>
> I don't want some "services" like transparent proxies, AV scanning at
> the mail relay or port filtering. I just want a pipe ...
And that's your right. The ISP's right is to close whatever ports they
think need to be closed. And then you get to decide if you want to do
business with them or take your business elsewhere.
Look at it this way. Would you rather have the ISPs closing ports
voluntarily? Or the governments doing it by mandate?
>
> > What about the ISPs whose policy it is to not allow
> > customers to run servers?
>
> That's another problem.
>
> If I ask for a pipe, I want a pipe.
> If I ask for a discount ADSL access with a limited amount of traffic and no
> hosting allowed (HTTP, FTP, SMTP, SSH, ...), the ISP can restrict the
> inbound ports.
>
Again, you're confusing what you want as a consumer with what any single
ISP may think is appropriate. As a consumer you have choices. As a
business, so does the ISP.
> If the next big vuln/worm is an SSH one, would you agree with an ISP
> blocking inbound TCP/22 and forbidding users to connect to their
> home LAN to check mail, get some files, start the coffee maker or manage
> downloads?
>
I would if the worm was destructive enough. Even if they only do it
until the crisis is over, it's still better than letting the internet
drop to its knees while doing nothing to stop it.
--
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member