ISP port blocking practice

Owen DeLong owen at delong.com
Sat Oct 24 02:46:34 UTC 2009


Yes.

Owen

On Oct 23, 2009, at 2:19 PM, Lee Riemer wrote:

> Isn't blocking any port against the idea of Net Neutrality?
>
> Justin Shore wrote:
>> Owen DeLong wrote:
>>> Blocking ports that the end user has not asked for is bad.
>>
>> I was going to ask for a clarification to make sure I read your  
>> statement correctly but then again it's short enough I really don't  
>> see any room to misinterpret it.  Do you seriously think that a  
>> typical residential user has the required level of knowledge to  
>> call their SP and ask for them to block tcp/25, tcp & udp/1433 and  
>> 1434, and a whole list of common open proxy ports?  While they're  
>> at it they might ask the SP to block the C&C ports for Bobax and  
>> Kraken.  I'm sure all residential users know that they use ports  
>> 447 and 13789.  If so then send me some of your users.  You must be  
>> serving users around the MIT campus.
>>
>>> Doing it and refusing to unblock is worse.
>>
>> How you you propose we pull a customer's dynamically-assigned IP  
>> out of a DHCP pool so we can treat it differently?  Not all SPs use  
>> customer-facing AUTH.  I can think of none that do for CATV though  
>> I'm sure someone will now point an oddball SP that I've never heard  
>> of before.
>>
>>> Some ISPs have the even worse practice of blocking 587 and a few  
>>> even
>>> go to the horrible length to block 465.
>>
>> I would call that a very bad practice.  I haven't personally seen a  
>> mis-configured MTA listening on the MSP port so I don't think they  
>> can make he claim that the MSP port is a common security risk.  I  
>> would call tcp/587 a very safe port to have traverse my network.  I  
>> think those ISPs are either demonstrating willful ignorance or  
>> marketing malice.
>>
>>> A few hotel gateways I have encountered are dumb enough to think  
>>> they can block TCP/53
>>> which is always fun.
>>
>> The hotel I stayed in 2 weeks ago that housed a GK class I took had  
>> just such a proxy.  It screwed up DNS but even worse it completely  
>> hosed anything trying to tunnel over HTTP.  OCS was dead in the  
>> water.  My RPC-over-HTTP Outlook client couldn't work either.   
>> Fortunately they didn't mess with IPSec VPN or SSH.  Either way it  
>> didn't matter much since the network was unusable (12 visible APs  
>> from room, all on overlapping 802.11b/g channels).  The average  
>> throughput was .02Mbps.
>>
>>> Lovely for you, but, not particularly helpful to your customers  
>>> who may actually want to use some of those services.
>>
>> I take a hard line on this.  I will not let the technical ignorance  
>> of the average residential user harm my other customers.  There is  
>> absolutely no excuse for using Netbios or MS-SQL over the Internet  
>> outside of an encrypted tunnel.  Any user smart enough to use a  
>> proxy is smart enough to pick a non-default port.  Any residential  
>> user running a proxy server locally is in violation of our AUP  
>> anyway and will get warned and then terminated.  My filtering helps  
>> 99.99% of my userbase. The .001% that find this basic security  
>> filter intolerable can speak with their wallets.  They can find  
>> themselves another provider if they want to use those ports or pay  
>> for a business circuit where we filter very little on the  
>> assumption they as a business have the technical competence to  
>> handle basic security on their own.  (The actual percentage of  
>> users that have raised concerns in the past 3 years is .0008%.  I  
>> spoke with each of them and none decided to leave our service.)
>>
>> We've been down the road of no customer-facing ingress ACLs.  We've  
>> fought the battles of getting large swaths of IPs blacklisted  
>> because of a few users' technical incompetence.  We've had large  
>> portions of our network null-routed in large SPs.  Then we got our  
>> act together and stopped acting like those ISPs who we all love to  
>> bitch about, that do not manage their customer traffic, and are  
>> poor netizens of this shared resource we call the Internet.  Our  
>> problems have all but gone away. Our residential and business users  
>> no longer call in on a daily basis to report blacklisting  
>> problems.  We no longer have reachability issues with networks that  
>> got fed up with the abuse coming from our compromised users and  
>> null-routed us.  I stand by our results as proof that what we're  
>> doing is right.  Our customers seem to agree and that's what matters.
>>
>> Justin
>>
>>
>>





More information about the NANOG mailing list