ISP port blocking practice

Eric Katanich ekat at onyxlight.net
Thu Sep 9 15:59:19 CDT 2010


On Thu, Sep 02, 2010 at 04:59:57PM -0500, Zhiyun Qian wrote:
> One of the high-level findings is that we developed probing techniques
> to verify that indeed most ISPs are only blocking 1) "outgoing traffic
> of destination port 25" instead of 2) "incoming traffic with source
> port 25", which means that these ISPs are vulnerable to the asymmetric
> routing attack.

Folks interested in port blocking may also find useful another
academic work we did a few years ago that sought to broadly
characterize the prevalence of port blocking, albeit under the guise
of neutrality:
  http://rbeverly.net/research/papers/truck-pam07.html

While we found that email ports (e.g. 25, 110, 143) were more than
twice as likely to be blocked as a control port, other ports such as
136 were more widely blocked (136 is an innocuous profile port, but
often suffers collateral damage because it lies between the Microsoft
and NetBIOS 135-139 ports).

Also, the asymmetric spam problem is covered in some detail in our
2009 IMC spoofer paper:
  http://rbeverly.net/research/papers/spoofer-imc09.html

rob
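
The two blocking policies from the quoted text, modelled as a stateless first-match ACL and audited in both directions. This is an added example, not code from the thread or the cited papers; the Rule/Packet model, the default-permit behaviour and the client port 49152 are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str            # "out" = customer -> Internet, "in" = Internet -> customer
    src_port: Optional[int]   # None matches any port
    dst_port: Optional[int]
    action: str               # "deny" or "permit"

@dataclass(frozen=True)
class Packet:
    direction: str
    src_port: int
    dst_port: int

def evaluate(rules, pkt):
    """First matching rule wins; no match means permit (assumed default)."""
    for r in rules:
        if (r.direction == pkt.direction
                and r.src_port in (None, pkt.src_port)
                and r.dst_port in (None, pkt.dst_port)):
            return r.action
    return "permit"

# Constructed probes: one per direction of a customer's port-25 conversation.
PROBES = {
    "outgoing dst port 25": Packet("out", 49152, 25),
    "incoming src port 25": Packet("in", 25, 49152),
}

def audit_port25(rules):
    """Return the port-25 directions the policy still lets through."""
    return [name for name, pkt in PROBES.items()
            if evaluate(rules, pkt) == "permit"]

# Policy 1 in the quoted text: only outgoing destination-port-25 is blocked.
OUTBOUND_ONLY = [Rule("out", None, 25, "deny")]
# Policies 1 and 2 together: the reverse path is filtered as well.
BOTH_DIRECTIONS = OUTBOUND_ONLY + [Rule("in", 25, None, "deny")]

if __name__ == "__main__":
    for label, acl in (("outbound only", OUTBOUND_ONLY),
                       ("both directions", BOTH_DIRECTIONS)):
        print(f"{label}: still permitted -> {audit_port25(acl) or 'nothing'}")
```

An ACL that only carries the outbound rule reports the inbound source-port-25 direction as still open, which is the gap the quoted finding describes.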



More information about the NANOG mailing list