What do you want your ISP to block today?

Iljitsch van Beijnum iljitsch at muada.com
Sat Aug 30 18:18:40 UTC 2003


On Saturday, Aug 30, 2003, at 18:54 Europe/Amsterdam, Owen DeLong wrote:

>> Christopher L. Morrow's mention of asymmetric routing for multihomed
>> customers is more to the point, but if we can solve this for all those
>> single homed dial, cable and ADSL end-users and not for multihomed
>> networks, I'll be very happy.

> I happen to look a lot like a single homed ADSL end
> user at certain levels, but, I'm multihomed.  I'd be very annoyed if
> my ISP started blocking things just because my traffic pattern didn't
> look like what they expect from a single homed customer.

I'm sure knife salespeople find it extremely annoying that they can't 
bring their wares along as carry-on when they fly. Sometimes a few 
people have to be inconvenienced for the greater good.

> But, TCP to a port that isn't listening (or several ports that aren't
> listening) _ARE_ what you are talking about blocking.  This is not a
> good idea.

Why not? I think it's a very good idea. TCP doesn't work if you only 
use it in one direction, so blocking this doesn't break anything 
legitimate, but it does stop a whole lot of abuse. (Obviously I'm 
talking about the case where the lack of return traffic can be 
determined with a modicum of reliability.)

>> It should be possible to have a host generate special "return traffic"
>> that makes sure that stuff that would otherwise be blocked is allowed
>> through.

> I don't think it's desirable or appropriate to have everyone re-engineer
> their hosts to allow monitoring and external validation scans to get
> around your scheme for turning off services ISPs should be providing.

But then you don't seem to have any problems with letting through 
denial of service attacks so I'm not sure if there is any use in even 
discussing this with you. Today, about half of all mail is spam, and 
it's only getting worse. If we do nothing, tomorrow half of all network 
traffic could be worms, scans and DoS. We can't go on sitting on our 
hands.
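The one-directional TCP test the message argues for, as an added example that is not part of the thread or of any ISP's filtering code: a small Python detector over constructed flow records as a single vantage point (an ISP edge) would see them. All addresses, ports, the `Flow` record layout and the threshold are assumptions. It pairs each outbound SYN with the returning SYN-ACK or RST and reports sources for which several distinct destinations never answered; the threshold is where the "modicum of reliability" comes in, and the multihomed case raised earlier in the thread appears as a source whose SYN-ACKs this vantage point simply never sees.

```python
"""Flag sources whose TCP SYNs draw no SYN-ACK from the destination.

Added example, not from the NANOG thread. Operates on constructed flow
records as one observation point (e.g. an ISP edge) would see them.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters: "S" SYN, "SA" SYN-ACK, "RA" RST/ACK, "A" ACK


def classify_syns(flows):
    """Return {src: {dst: state}}, state being 'answered', 'refused' or 'silent'."""
    state = {}  # (src, sport, dst, dport) -> 'silent' until the peer replies
    for f in flows:
        key = (f.src, f.sport, f.dst, f.dport)
        rev = (f.dst, f.dport, f.src, f.sport)
        if f.flags == "S":
            state.setdefault(key, "silent")
        elif f.flags == "SA" and rev in state:
            state[rev] = "answered"           # a listener accepted the SYN
        elif f.flags in ("R", "RA") and state.get(rev) == "silent":
            state[rev] = "refused"            # port closed: RST answers the SYN
    per_src = defaultdict(dict)
    for (src, _sport, dst, _dport), s in state.items():
        # one answered connection to a destination outweighs refused/silent tries
        if per_src[src].get(dst) != "answered":
            per_src[src][dst] = s
    return per_src


def suspicious_sources(flows, min_unanswered=5):
    """Sources with >= min_unanswered distinct destinations that never answered.

    Returns sorted (src, unanswered_destinations, answered_destinations) tuples.
    The threshold exists because a single vantage point can miss return
    traffic that takes another path (the multihomed/asymmetric case).
    """
    out = []
    for src, dsts in classify_syns(flows).items():
        unanswered = sum(1 for s in dsts.values() if s != "answered")
        answered = len(dsts) - unanswered
        if unanswered >= min_unanswered:
            out.append((src, unanswered, answered))
    return sorted(out)


# Constructed sample flows (addresses from documentation ranges, not real hosts).
SAMPLE_FLOWS = [
    # 10.0.0.5 sends SYNs to eight hosts on 445; three refuse, five stay silent
    *[Flow("10.0.0.5", 40000 + i, f"192.0.2.{i}", 445, "S") for i in range(1, 9)],
    Flow("192.0.2.1", 445, "10.0.0.5", 40001, "RA"),
    Flow("192.0.2.2", 445, "10.0.0.5", 40002, "RA"),
    Flow("192.0.2.3", 445, "10.0.0.5", 40003, "RA"),
    # 10.0.0.7 opens ordinary web connections; both are answered
    Flow("10.0.0.7", 51000, "198.51.100.10", 80, "S"),
    Flow("198.51.100.10", 80, "10.0.0.7", 51000, "SA"),
    Flow("10.0.0.7", 51001, "198.51.100.10", 443, "S"),
    Flow("198.51.100.10", 443, "10.0.0.7", 51001, "SA"),
    # 10.0.0.9 is multihomed: its SYN-ACKs return via another path and are
    # never seen here. Two silent destinations stay under the threshold.
    Flow("10.0.0.9", 52000, "203.0.113.20", 25, "S"),
    Flow("10.0.0.9", 52001, "203.0.113.21", 25, "S"),
]


if __name__ == "__main__":
    for src, unanswered, answered in suspicious_sources(SAMPLE_FLOWS):
        print(f"{src}: {unanswered} destinations never answered, {answered} did")
```

Lowering `min_unanswered` to 2 makes the multihomed host show up as well, which is exactly the false positive the earlier reply in the thread complains about; in practice the threshold and the observation window, not the pairing logic, decide how reliable such a block is.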




More information about the NANOG mailing list