Automatic shutdown of infected network connections
Nathan E Norman
nnorman at incanus.net
Wed Sep 3 15:12:16 UTC 2003
On Wed, Sep 03, 2003 at 10:45:26AM -0500, Matthew S. Hallacy wrote:
>
> On Wed, Sep 03, 2003 at 07:20:28AM -0500, Nathan E Norman wrote:
[ Jonathan said "we are filtering and rate limiting at the modem" ... ]
> > On Wed, Sep 03, 2003 at 07:39:17AM -0500, Matthew S. Hallacy wrote:
> > > Why in the world would you do that? the DOCSIS specification allows for
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > filtering rules at the CPE, which means you could simply block icmp echo
> > > and ports 135-139+445 directly at their home network, causing no load
> > > whatsoever on your network, _and_ no more infected boxes (even at 56k).
> >
> > The modem _is_ the CPE. There's no load on the network; just CPU on
> > the modem. "modem config" != "CMTS config".
>
> I think that's exactly what I said, perhaps you misread my comment.
What you said is highlighted above. I don't think I misread it ... I
may have misunderstood what you meant. Did you intend to take issue
_only_ with rate limiting, as opposed to filtering, or are you taking
issue with the broad filtering described, or both? I'm trying to
parse "Why in the world ..." :-)
> My point was that you're rate limiting and filtering customers for no
> reason when you have the ability to filter the attack vectors in a very
> effective and 'clean' way. You should consider leaving those ports filtered
> seeing how they're the #1 way for windows systems to be infected/hijacked.
The provider in question has a long-standing tradition of providing
unfiltered access. Perhaps recent events will cause them to change
their policy as you suggest. Personally I think it's a great idea.
[ I'm no longer an employee of said provider ]
Best regards,
--
Nathan Norman - Incanus Networking mailto:nnorman at incanus.net
This message cannot be considered spam, even though it is. Some
law that never was enacted says so.
-- Arkadiy Belousov