ISP port blocking practice

Jon Kibler Jon.Kibler at aset.com
Fri Oct 23 02:36:13 UTC 2009



Zhiyun Qian wrote:
> Hi all,
> 
> What is the common practice for enforcing a port blocking policy (or what
> is the common practice for you and your ISP)? More specifically, when
> ISPs try to block a certain outgoing port (port 25 for instance), they
> could use two rules:
> 1). For any outgoing traffic, if the destination port is 25, then drop
> the packets.
> 2). For any incoming traffic, if the source port is 25, then drop the
> packets.
> 
> Note that either of the rules would be able to block outgoing port 25
> traffic since each rule essentially represents one direction in a TCP
> flow. Of course, they could apply both rules. However, based on our
> measurement study, it looks like most of the ISPs are only using rule
> 1). Is there any particular reason why rule 1) instead of rule 2)? Or
> maybe both?
> 
> Also, is it common that the rules are based on tcp flags (e.g. SYN,
> SYN-ACK)? One would think blocking SYN packets is good enough.
> 
> Regards.
> -Zhiyun

I understand your question, and I believe that you have been given a lot of good
answers. However, I believe that, as an ISP, you are asking the wrong question;
more precisely, you are only asking part of the real question you should be
asking. The more appropriate question should be: "What should be our network
filtering policies?"

To answer that question, I would start with ingress and egress filtering by IP
address, protocol, etc.:
   1) Never allow traffic to egress any subnet unless its source IP address is
within that subnet range.
   2) Never allow traffic to egress any subnet, if that traffic claims to
originate from the subnet's network number or broadcast address.
   3) Never allow traffic to ingress any subnet, if that traffic is directed to
the subnet's network number or broadcast address.
   4) Never allow traffic to ingress any network if the source address is bogus.
   5) Never allow traffic to ingress or egress any network if it has a protocol
not "supported" by your network (e.g., allow only TCP, UDP, ICMP, ESP, AH, GRE,
etc.).
   6) Never allow traffic to ingress or egress any network if it has an invalid
TCP flags configuration.

These are the rules I can think of off the top of my head without looking at an
actual hardened router. I am sure I am missing some, but these are a good start.

My $0.02 worth.

Jon
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler at aset.com
e: Jon.R.Kibler at gmail.com
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
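An added illustration, not from the thread, of how the six filtering rules above compose with the two port-25 rules from the original question: a toy Python packet filter evaluated against constructed packets. The protected subnet (192.0.2.0/24), the bogon list, and the set of invalid TCP flag combinations are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed customer subnet (TEST-NET-1) that this filter protects.
SUBNET = ipaddress.ip_network("192.0.2.0/24")
# Rule 5: protocols the network "supports"; anything else is dropped.
ALLOWED_PROTOS = {"tcp", "udp", "icmp", "esp", "ah", "gre"}
# Rule 4: assumed bogon ranges (a real deployment keeps this list current).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN"}

def tcp_flags_invalid(flags):
    """Rule 6: flag combinations no legitimate TCP exchange produces (assumed set)."""
    return not flags or {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags

def filter_packet(pkt, direction):
    """Return "permit" or "drop (...)" for a packet leaving ("egress") or entering ("ingress") SUBNET."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    special = (SUBNET.network_address, SUBNET.broadcast_address)
    if pkt.proto not in ALLOWED_PROTOS:
        return "drop (rule 5: unsupported protocol)"
    if pkt.proto == "tcp" and tcp_flags_invalid(pkt.flags):
        return "drop (rule 6: invalid TCP flags)"
    if direction == "egress":
        if src not in SUBNET:
            return "drop (rule 1: source not in subnet)"
        if src in special:
            return "drop (rule 2: source is network/broadcast address)"
        if pkt.proto == "tcp" and pkt.dport == 25:
            return "drop (port 25, question's rule 1: egress destination port)"
    else:
        if dst in special:
            return "drop (rule 3: destination is network/broadcast address)"
        if any(src in b for b in BOGONS):
            return "drop (rule 4: bogon source)"
        if pkt.proto == "tcp" and pkt.sport == 25:
            return "drop (port 25, question's rule 2: ingress source port)"
    return "permit"
```

Each verdict names the rule that fired, so running a sample of real flows through it shows which of the two port-25 directions, or which of Jon's six rules, does the work in practice.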


