BCP for ISP to block worms at PEs and NAS

Christopher L. Morrow christopher.morrow at mci.com
Mon Apr 18 02:24:06 UTC 2005

On Sun, 17 Apr 2005, J.D. Falk wrote:

>
> On 04/17/05, John Kristoff <jtk at northwestern.edu> wrote:
>
> > >  deny   tcp any any range 135 139
> > >  deny   udp any any range 135 netbios-ss
> > >  deny   tcp any any eq 445
> > >  deny   udp any any eq 1026
> >
> > Similar as before, you are going to be removing some legitimate
> > traffic.
>
> 	Is this really true?  All of the ports listed above are used by
> 	LAN protocols that were never intended to communicate directly
> 	across backbone networks -- that's why VPNs were invented.

and people use them all the time across the real Internet :( It's dumb, we
can argue about its 'correctness' or 'localness' or whatever until we are
blue in the face, but people still do it.

>
> 	Or, is your argument that some system somewhere MIGHT ignore the
> 	official port numbers allocated by IANA and try to pass some
> 	other kind of traffic there instead?
>

Certainly, ssh over tcp/80 is common, other protocols can become agile as
well... people SHOULD use the IANA port numbers, in practice they don't
always abide by them :(

> > Perhaps set the rules to permit and log first, let it run for a while
> > and then see what you'll be missing.
>
> 	Yep, this is always good advice.  But don't give up just because
> 	of some naysayers rolling out the usual FUD.  In the real world,
> 	security for the many outweighs the extremely unlikely edge cases
> 	of the few.
>

Or... use a system where your users can 'subscribe' to a 'better Internet'
(define 'better Internet' as you like)
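The "permit and log first, then see what you'll be missing" approach from the thread, worked through as an added example (this is not code from the original post or from anyone on the list). It assumes the filter is deployed as a Cisco IOS ACL with the `log` keyword, whose `%SEC-6-IPACCESSLOGP` messages have the shape `list <acl> permitted <proto> <src>(<sport>) -> <dst>(<dport>), <n> packets` (assumed format); the log lines below are constructed, using documentation address ranges. It tallies, per proposed deny rule, how many packets and how many distinct source/destination pairs the rule would have dropped, and separates scanner-like sources (one source fanning out to many destinations on the worm ports) from the steady single-pair flows that are the "legitimate traffic" the thread is arguing about.

```python
import re
from collections import Counter, defaultdict

# The filter proposed on the list, as (protocol, low port, high port).
# "netbios-ss" is the IOS keyword for udp/139, so the udp rule also spans 135-139.
WORM_RULES = [
    ("tcp", 135, 139),
    ("udp", 135, 139),
    ("tcp", 445, 445),
    ("udp", 1026, 1026),
]

# Assumed shape of an IOS "log" message for a matched ACL entry, e.g.
# %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.5(1337) -> 192.0.2.9(445), 1 packet
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample: one host sweeping tcp/445, one site-to-site SMB session,
# one udp/1026 flow, and one tcp/80 flow that no proposed rule touches.
SAMPLE_LOG = """\
Apr 17 2005 22:01:03: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.5(1337) -> 192.0.2.9(445), 1 packet
Apr 17 2005 22:01:04: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.5(1338) -> 192.0.2.10(445), 1 packet
Apr 17 2005 22:01:04: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.5(1339) -> 192.0.2.11(445), 1 packet
Apr 17 2005 22:01:05: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.5(1340) -> 192.0.2.12(445), 1 packet
Apr 17 2005 22:02:10: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(3201) -> 203.0.113.20(139), 48 packets
Apr 17 2005 22:02:11: %SEC-6-IPACCESSLOGP: list 101 permitted udp 198.51.100.7(137) -> 203.0.113.20(137), 6 packets
Apr 17 2005 22:03:00: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.0.0.9(1026) -> 192.0.2.40(1026), 3 packets
Apr 17 2005 22:03:30: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.8(40001) -> 203.0.113.50(80), 200 packets
"""


def matching_rule(proto, dport):
    """Return the proposed deny rule a packet would hit, or None if it would pass."""
    for rule in WORM_RULES:
        p, lo, hi = rule
        if proto == p and lo <= dport <= hi:
            return rule
    return None


def parse_line(line):
    """Extract the fields of one ACL log line; None for lines that are not ACL hits."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Per rule: total packets and the distinct (src, dst) pairs the rule would have dropped."""
    packets = Counter()
    pairs = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rule = matching_rule(rec["proto"], rec["dport"])
        if rule is None:
            continue
        packets[rule] += rec["count"]
        pairs[rule].add((rec["src"], rec["dst"]))
    return packets, pairs


def fan_out(lines):
    """Number of distinct destinations each source reached on the worm ports."""
    dsts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and matching_rule(rec["proto"], rec["dport"]):
            dsts[rec["src"]].add(rec["dst"])
    return {src: len(d) for src, d in dsts.items()}


def scanner_like(lines, threshold=3):
    """Sources sweeping at least `threshold` destinations: worm-like, not the traffic you'd miss."""
    return sorted(src for src, n in fan_out(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    packets, pairs = summarize(lines)
    for rule in WORM_RULES:
        proto, lo, hi = rule
        span = f"{lo}" if lo == hi else f"{lo}-{hi}"
        print(f"deny {proto} {span}: {packets[rule]} packets, {len(pairs[rule])} src->dst pairs")
    print("scanner-like sources:", scanner_like(lines))
```

Run over a real log, the single-pair, many-packet flows (here the tcp/139 and udp/137 session between 198.51.100.7 and 203.0.113.20) are the ones to review with the customer before the rule goes to `deny`; the sources that appear in `scanner_like` are the ones the filter is for.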
