Port blocking last resort in fight against virus

Mans Nilsson mansaxel at sunet.se
Tue Aug 12 15:50:38 UTC 2003


Subject: Re: Port blocking last resort in fight against virus Date: Tue, Aug 12, 2003 at 10:36:12AM -0500 Quoting Jack Bates (jbates at brightok.net):
> 
> Is it just me that feels that blocking a port which is known to be used 
> to perform billions of scans is only proper? It takes time to contact, 
> clean, or suspend an account that is infected. Allowing infected systems 
> to continue to scan only causes problems for other networks. I see no 
> network performance issues, but that doesn't mean other networks won't 
> have issues.

I have two faces, let's hear what they say:

"I am a network operator. I do not see issues with my network unless
 somebody fills it up beyond capacity. Then I might ask somebody a
 question as to why they are shoveling so many more packets than
 usual. If it is a panic, I might null0 someone. I just want to keep
 my network transparent."

"I am a systems administrator. Sometimes, there are security problems with 
 my operating systems of choice. Then, I fix those hosts that are affected,
 and all is well. The network is not bothering me as long as it is 
 transparent." 

Your chosen path is a down-turning spiral of kludgey dependencies,
where a host is secure only on some nets, and some nets can't cope
with the load of all administrative filters (some routers tend to
take port-specific filters into slow-path). That way lies madness. 

-- 
Måns Nilsson         Systems Specialist
+46 70 681 7204         KTHNOC
                        MN1334-RIPE

Oh my GOD -- the SUN just fell into YANKEE STADIUM!!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20030812/dd962084/attachment.sig>


More information about the NANOG mailing list