Automatic shutdown of infected network connections
Matthew S. Hallacy
poptix at techmonkeys.org
Wed Sep 3 15:45:26 UTC 2003
On Wed, Sep 03, 2003 at 07:20:28AM -0500, Nathan E Norman wrote:
> On Wed, Sep 03, 2003 at 07:39:17AM -0500, Matthew S. Hallacy wrote:
> > Why in the world would you do that? the DOCSIS specification allows for
> > filtering rules at the CPE, which means you could simply block icmp echo
> > and ports 135-139+445 directly at their home network, causing no load
> > whatsoever on your network, _and_ no more infected boxes (even at 56k).
>
> The modem _is_ the CPE. There's no load on the network; just CPU on
> the modem. "modem config" != "CMTS config".
I think that's exactly what I said, perhaps you misread my comment.
My point was that you're rate limiting and filtering customers for no
reason when you have the ability to filter the attack vectors in a very
effective and 'clean' way. You should consider leaving those ports filtered
seeing how they're the #1 way for windows systems to be infected/hijacked.
--
Matthew S. Hallacy FUBAR, LART, BOFH Certified
http://www.poptix.net GPG public key 0x01938203
More information about the NANOG
mailing list