Message-ID: <000a01c2d06c$687049f0$0100000a@yrpxb5>
From: yossarian at planet.nl (yossarian)
Subject: SQL Slammer - lessons learned

PS wrote
>> Can you think of a legitimate reason why ISPs should allow
>> ports 135-139/TCP/UDP to be open to the Internet?  How about
>> port 445/UDP?  Many ISPs now block port 25/TCP (for obvious
>> reasons.)  Why not other service ports?

SD wrote
>Are those InternetServiceProviders or InternetServiceCensors?

>I feel free to implement my own strange private protocol using
>UDP 135, and I pay the ISP for routing this. I don't see any
>responsibility for ISPs to care about the content.

I think the answer is in your example: if only we were to standardise on an
MS world, vulnerable MS ports would be blockable, w/o collateral damage for
people not adhering to the MS standard.

The legitimate reasons Paul asks for are that ports are only loosely
standardised. With the growing use of flexible port-addressing and
masquerading in P2P clients, concentrating a discussion on certain ports
appears a bit outdated to me. IMHO the real issue is where we expect to
be protected, or, put another way, who we will blame if our systems go
down?

Do we see the Internet as a massive threat, or do we expect it to be safe
for lightweight use, i.e. less features and freedom = less threats? It is
funny that some people expect the ISP to deny all and only permit what is
necessary, since no one can expect the parties connected, such as corporate
networks and home users, to do so themselves - let the ISP set up a FW since
it is too costly and/or too complex for me. Well, about too costly: ISPs are
usually commercial entities, so it will raise the prices; nothing in life is
free. It might be commercially viable for ISPs to set up two networks, one
for people that only need three or four internet functions (HTTP, POP, SMTP
and IMAP)... Nah, don't think so. People might suddenly want to run MSN, or
something else.

My question: must my ISP know all types of traffic legit to me in order to
service me? And change the rulesets if I update some software? Or should I
apply this knowledge to set up a firewall that suits my own needs? My ISP
cannot set up a FW that suits me 100%, since it has other companies /
customers with different needs on the same local loop. So even if my ISP
were to block most of the dangerous traffic, I still would need a FW, since
it cannot block all. And since an ISP must make profit, having them do MY
firewall would probably be a lot more expensive than if I do it myself.
