ISP port blocking practice

Fri Oct 23 14:47:38 UTC 2009

Owen DeLong wrote:
> Blocking ports that the end user has not asked for is bad.

I was going to ask for a clarification to make sure I read your 
statement correctly but then again it's short enough I really don't see 
any room to misinterpret it.  Do you seriously think that a typical 
residential user has the required level of knowledge to call their SP 
and ask for them to block tcp/25, tcp & udp/1433 and 1434, and a whole 
list of common open proxy ports?  While they're at it they might ask the 
SP to block the C&C ports for Bobax and Kraken.  I'm sure all 
residential users know that they use ports 447 and 13789.  If so then 
send me some of your users.  You must be serving users around the MIT 
campus.

> Doing it and refusing to unblock is worse.

How you you propose we pull a customer's dynamically-assigned IP out of 
a DHCP pool so we can treat it differently?  Not all SPs use 
customer-facing AUTH.  I can think of none that do for CATV though I'm 
sure someone will now point an oddball SP that I've never heard of before.

> Some ISPs have the even worse practice of blocking 587 and a few even
> go to the horrible length to block 465.

I would call that a very bad practice.  I haven't personally seen a 
mis-configured MTA listening on the MSP port so I don't think they can 
make he claim that the MSP port is a common security risk.  I would call 
tcp/587 a very safe port to have traverse my network.  I think those 
ISPs are either demonstrating willful ignorance or marketing malice.

> A few hotel gateways I have encountered are dumb enough to think they 
> can block TCP/53
> which is always fun.

The hotel I stayed in 2 weeks ago that housed a GK class I took had just 
such a proxy.  It screwed up DNS but even worse it completely hosed 
anything trying to tunnel over HTTP.  OCS was dead in the water.  My 
RPC-over-HTTP Outlook client couldn't work either.  Fortunately they 
didn't mess with IPSec VPN or SSH.  Either way it didn't matter much 
since the network was unusable (12 visible APs from room, all on 
overlapping 802.11b/g channels).  The average throughput was .02Mbps.

> Lovely for you, but, not particularly helpful to your customers who may 
> actually want to use some of those services.

I take a hard line on this.  I will not let the technical ignorance of 
the average residential user harm my other customers.  There is 
absolutely no excuse for using Netbios or MS-SQL over the Internet 
outside of an encrypted tunnel.  Any user smart enough to use a proxy is 
smart enough to pick a non-default port.  Any residential user running a 
proxy server locally is in violation of our AUP anyway and will get 
warned and then terminated.  My filtering helps 99.99% of my userbase. 
The .001% that find this basic security filter intolerable can speak 
with their wallets.  They can find themselves another provider if they 
want to use those ports or pay for a business circuit where we filter 
very little on the assumption they as a business have the technical 
competence to handle basic security on their own.  (The actual 
percentage of users that have raised concerns in the past 3 years is 
.0008%.  I spoke with each of them and none decided to leave our service.)

We've been down the road of no customer-facing ingress ACLs.  We've 
fought the battles of getting large swaths of IPs blacklisted because of 
a few users' technical incompetence.  We've had large portions of our 
network null-routed in large SPs.  Then we got our act together and 
stopped acting like those ISPs who we all love to bitch about, that do 
not manage their customer traffic, and are poor netizens of this shared 
resource we call the Internet.  Our problems have all but gone away. 
Our residential and business users no longer call in on a daily basis to 
report blacklisting problems.  We no longer have reachability issues 
with networks that got fed up with the abuse coming from our compromised 
users and null-routed us.  I stand by our results as proof that what 
we're doing is right.  Our customers seem to agree and that's what matters.

Justin