What do you want your ISP to block today?

Ray Wong rayw at rayw.net
Sat Aug 30 19:13:45 UTC 2003


On Sat, Aug 30, 2003 at 02:53:46PM -0400, Valdis.Kletnieks at vt.edu wrote:
> On Sat, 30 Aug 2003 14:09:40 EDT, Joe Abley said:
> > That won't save them when the time required to download the patch set 
> > is an order of magnitude greater than the mean time to infection.
> 
> This, in fact, is the single biggest thorn in our side at the moment. It's hard
> to adopt a pious "patch your broken box" attitude when the user can't get it
> patched without getting 0wned first...

how about ACLing them?

upstream from customer:
permit udp <customer> <ISP's nameservers> port 53
permit tcp <customer> <windowsupdaterange> port 80(?)

for as much of the windows update range as can be found.  Since they've
recently akamai'zed, this is somewhat predictable.

Downstream, you can either set up stateful, or just be lazy and hope that
allowing the estab flag is enough...

ACL can be either templated or genericized for the OS.  (Replacing
<customer> with any means the customer pvc (assuming DSL) can only
hit microsoft regardless of spoofing.)  Similar ACLs can be set up
for Solaris, OSX, even various flavors of linux.  Being able to at
least semi-automate router config changes is a requisite, but not
insurmountable.

This will, no doubt, increase support calls.  How much compared to a
pervasive worm is left as an exercise to the reader.



-- 

Ray Wong
rayw at rayw.net
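Added example, not part of Ray Wong's post: a small Python model of the ACL scheme he sketches (upstream permit list for DNS and the update range, a "lazy" downstream rule keyed on the established/ACK flag, and the stateful alternative). It exists to show the one caveat the post only hints at: a stateless `established` match checks nothing but the ACK bit, so an outside host can push ACK-flagged segments at any customer port. All addresses are constructed RFC 5737 documentation prefixes standing in for `<customer>`, `<ISP's nameservers>` and `<windowsupdaterange>`; the IOS rendering in the comment is my assumed translation, not from the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not real ISP or
# Windows Update prefixes. They stand in for the post's placeholders.
CUSTOMER_PVC = ipaddress.ip_network("203.0.113.0/24")          # <customer>
ISP_NAMESERVERS = {ipaddress.ip_address("198.51.100.10"),      # <ISP's nameservers>
                   ipaddress.ip_address("198.51.100.11")}
WINDOWS_UPDATE = [ipaddress.ip_network("192.0.2.0/24")]        # <windowsupdaterange>

# Assumed IOS rendering of the same rules (my translation, not from the post):
#   access-list 110 permit udp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq 53
#   access-list 110 permit tcp 203.0.113.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 80
#   access-list 111 permit udp host 198.51.100.10 eq 53 203.0.113.0 0.0.0.255
#   access-list 111 permit tcp any 203.0.113.0 0.0.0.255 established


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag; this bit is all "established" looks at


def upstream_permit(pkt, generic=False):
    """Customer -> Internet. generic=True is the post's '<customer> -> any'
    template: the source is not checked, but whatever the customer spoofs,
    the only reachable destinations are the resolvers and the update range."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if not generic and src not in CUSTOMER_PVC:
        return False
    if pkt.proto == "udp" and dst in ISP_NAMESERVERS and pkt.dport == 53:
        return True
    if pkt.proto == "tcp" and pkt.dport == 80 and any(dst in n for n in WINDOWS_UPDATE):
        return True
    return False


def downstream_lazy_permit(pkt):
    """Internet -> customer, the 'lazy' stateless variant: DNS replies from
    the ISP resolvers, plus any TCP segment with ACK set ('established')."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if dst not in CUSTOMER_PVC:
        return False
    if pkt.proto == "udp" and src in ISP_NAMESERVERS and pkt.sport == 53:
        return True
    if pkt.proto == "tcp" and pkt.ack:
        return True
    return False


class StatefulFilter:
    """The 'set up stateful' alternative: only replies to flows the upstream
    ACL already permitted are allowed back in."""

    def __init__(self, generic=False):
        self.generic = generic
        self.flows = set()

    def outbound(self, pkt):
        ok = upstream_permit(pkt, self.generic)
        if ok:
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return ok

    def inbound(self, pkt):
        # Reverse the 5-tuple: a reply's dst/dport is the flow's src/sport.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare_downstream():
    """Constructed scenario: an outside host (198.51.100.200, not a resolver)
    sends an ACK-flagged segment to a customer port no session was opened on.
    Returns (lazy_verdict, stateful_verdict)."""
    probe = Packet("198.51.100.200", "203.0.113.7", "tcp", 4444, 135, ack=True)
    sf = StatefulFilter()
    sf.outbound(Packet("203.0.113.7", "192.0.2.20", "tcp", 40001, 80))
    return downstream_lazy_permit(probe), sf.inbound(probe)


if __name__ == "__main__":
    lazy, stateful = compare_downstream()
    print(f"ACK probe to tcp/135: lazy established={lazy}, stateful={stateful}")
```

The upstream side does what the post claims: with the generic template a spoofed source still cannot reach anything but the resolvers and the update range. The downstream side is where the "hope that estab is enough" shortcut shows its cost: the ACK-only match passes the probe, the stateful filter drops it because no matching outbound flow exists.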

