Providers removing blocks on port 135?
Jack Bates
jbates at brightok.net
Fri Sep 19 20:07:51 UTC 2003
Owen DeLong wrote:
> Yes. I responded to this in a previous post. We must do what we must do
> temporarily to keep things running. However, breaking the net is not a
> long term solution. We must work to solve the underlying problem or it
> just becomes an arms-race where eventually, no services are useful.
>
I agree, and as a point of fact, many ISPs allow their users to opt out
of spam. The ability to opt out of port filtering is a little more
difficult, but it is not impossible. Most authentication methods
designed have support for telling connection equipment what security
lists to use and how to treat a specific user. Some systems, like mine,
do not run authentication models that support this, but I consider it
very wise to change.
In my case, I will maintain a filter anywhere in the network that it is
required in order to help protect the network and the users who rely
upon the network. Currently, estimates show that removing port 135 at
this junction would allow the current Blaster infected users to become
infected with Nachi/Welchia which has more network impact. Some
segments, despite blocks, have already had small outbreaks which we had
to eradicate. In addition, dialups have very little bandwidth to begin
with. The amount of traffic generated on ICMP and 135 is currently high
enough to severely cripple connectivity on an unprotected dialup account.
I do agree that it is a temporary measure. Yet, one must remember that
each network has its own definitions of temporary, drastic, and
appropriate. I now return you to contacting those infected users in your
network. :)
-Jack
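As an added illustration of the two points in the post above (spotting the infected dial-up users behind the TCP/135 and ICMP traffic, and handing the access server a per-user filter list so that an opt-out can be honoured), here is example code that is not part of the original thread. The flow-record layout, the thresholds, the ACL names and the idea of overriding an opt-out for an account that looks infected are all assumptions.

```python
# Added example, not from the original post. Counts TCP/135 and ICMP
# packets per dial-up account from constructed flow records, flags the
# accounts that look Blaster- (TCP/135 sweep) or Nachi/Welchia-style
# (ICMP echo sweep) infected, and picks the filter list to hand to the
# access server (assumed to be a RADIUS Filter-Id style ACL name).
from collections import defaultdict

# Constructed sample flow records: (user, proto, dst_port, packets)
FLOWS = [
    ("alice", "tcp", 135, 4),      # a few RPC connects: normal use
    ("bob",   "tcp", 135, 900),    # Blaster-style TCP/135 sweep
    ("bob",   "icmp", 0, 20),
    ("carol", "icmp", 0, 3000),    # Nachi/Welchia-style ICMP sweep
    ("carol", "tcp", 135, 400),
    ("dave",  "tcp", 80, 50),      # ordinary web traffic
]

# Assumed thresholds; tune to the real per-session baseline on a dialup.
TCP135_THRESHOLD = 200
ICMP_THRESHOLD = 500


def infected_users(flows, tcp_threshold=TCP135_THRESHOLD,
                   icmp_threshold=ICMP_THRESHOLD):
    """Return the set of users whose TCP/135 or ICMP volume crosses a threshold."""
    tcp135 = defaultdict(int)
    icmp = defaultdict(int)
    for user, proto, port, packets in flows:
        if proto == "tcp" and port == 135:
            tcp135[user] += packets
        elif proto == "icmp":
            icmp[user] += packets
    return {u for u in set(tcp135) | set(icmp)
            if tcp135[u] >= tcp_threshold or icmp[u] >= icmp_threshold}


def filter_list(user, opted_out, infected):
    """Pick the ACL name for this user's session (names are assumptions).

    An account that looks infected is quarantined regardless of opt-out;
    otherwise the opt-out decides whether the 135/ICMP block applies.
    """
    if user in infected:
        return "worm-quarantine"
    return "unfiltered" if opted_out else "block-135-icmp"


if __name__ == "__main__":
    flagged = infected_users(FLOWS)
    for u in sorted({f[0] for f in FLOWS}):
        print(u, filter_list(u, opted_out=(u == "alice"), infected=flagged))
```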