Blocking port 135?
Jack Bates
jbates at brightok.net
Sat Aug 2 13:09:47 UTC 2003
Mans Nilsson wrote:
> * If you block and interfere, you are responsible for what your
> customer does. You Do Not Want That.
Depends on why you block and interfere. Intention plays a large part
according to law. In this case, it's to protect the network
infrastructure from a high probability outage and overall security of
the customer's box is inconsequential. Some other things following this
intent; filtering of problem networks during attacks, executable
stripping or virus scanning (we don't warrant you won't get a virus, but
minimize the overall virus throughput in our network to maintain
operational mail servers), and suspension of insecure systems or
spammers (primary goal is to keep the entire network from being
blacklisted publicly or privately, secondary goal is good neighbor policy).
> * If my home ISP tried this on me, I'd take them to the consumer
> protection authority and have them explain why they are calling their
> filtered service "Internet access".
Many AUP/TOS agreements have interesting no-server clauses. Blocking
135 inbound to those systems would not breach "Internet access" as the
customer shouldn't have a server running on that port. The lack of <1024
filtering on such AUP/TOS services is courtesy really. If it's not a
problem to the network, the ISP generally doesn't care.
> Instead, I'd suggest this:
>
You forgot to mention:
- Set up detection systems and perform immediate contact on accounts that
trigger the system to determine if it's legitimate or not. If not, bye
bye.
Of course, this only stops outbound issues. It does nothing to prevent
inbound, and in the event of a worm, you'd better make sure you have
double and triple methodologies in place to stabilize your network. I
received a lot of reports on the issues people had with Sapphire. What
took me less than a few minutes took some hours just to access their
equipment. Suggestion? Prewrite the lists and have them in place and
know ahead of time how you'll activate them when the network is under
extreme load.
-Jack
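The detection step described in the post, as an added example that is not part of the original message: a small flow-log check that flags a customer host once it has touched TCP/135 on many distinct destinations, which would then trigger the "immediate contact" step. The log format, addresses and threshold here are constructed assumptions, not a real collector's output.

```python
# Flag customer hosts that look like TCP/135 (MS-RPC) scanners in flow logs.
# Added example, not from the original post; record format and threshold
# are assumptions.
from collections import defaultdict

# Constructed sample records, "src dst dport proto" (not captured traffic).
SAMPLE_FLOWS = """\
10.9.0.5 192.0.2.1 135 tcp
10.9.0.5 192.0.2.2 135 tcp
10.9.0.5 192.0.2.3 135 tcp
10.9.0.5 192.0.2.4 135 tcp
10.9.0.5 192.0.2.5 135 tcp
10.9.0.5 192.0.2.6 135 tcp
10.9.0.7 192.0.2.1 135 tcp
10.9.0.7 192.0.2.1 135 tcp
10.9.0.7 192.0.2.2 135 tcp
10.9.0.8 198.51.100.4 80 tcp
10.9.0.8 198.51.100.5 80 tcp
10.9.0.8 198.51.100.6 80 tcp
10.9.0.8 198.51.100.7 80 tcp
10.9.0.8 198.51.100.8 80 tcp
10.9.0.8 198.51.100.9 80 tcp
this line is malformed and must be skipped
"""


def parse_flows(text):
    """Yield (src, dst, dport, proto) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        src, dst, dport, proto = parts
        yield src, dst, int(dport), proto.lower()


def find_scanners(flows, port=135, proto="tcp", threshold=5):
    """Return {src: distinct_target_count} for sources that reached `port`
    on at least `threshold` distinct destinations (repeat hits to the same
    host do not count, so a box talking to one or two servers stays quiet)."""
    targets = defaultdict(set)
    for src, dst, dport, p in flows:
        if dport == port and p == proto:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, n in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"contact account for {host}: {n} distinct hosts on tcp/135")
```

The threshold and window are operator choices; the point is that the check is written and tested before the worm arrives, so activating it is a decision, not a development task.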