zotob - blocking tcp/445

William Warren hescominsoon at emmanuelcomputerconsulting.com
Wed Aug 17 15:18:30 UTC 2005


I may be off base here.  Can't an IPS look at the traffic, say on 443, 
and figure out whether the traffic is malicious or not?  If so, then let 
it filter it.  I know IPSes aren't perfect, but I would prefer this 
route be taken, if available and sensible, including network outage or 
DDOS, than a hard block.  A quick block to mitigate and then an IPS rule 
installed AFTER thorough investigation of the traffic could lessen the 
load and maybe eliminate the malicious traffic without having to use a 
hard block.  I know most here prefer not to.  I am not saying this is a 
"let's block it all" thread, just trying to throw out something I do not 
see being discussed.

Erik Amundson wrote:
> I've always been kind of conflicted with this issue.  I mean, providers
> blocking traffic at all.
> 
> On the one hand, I'm a corporate customer, and if I'm being DOSed or
> infected, I would want to be able to call my ISP and have it blocked.
> 
> On the other hand, I truly feel that I pay my ISPs to pass traffic, not
> block it.
> 
> I guess it only bugs me when something is blocked and I didn't even ask
> for it to be blocked...and then other stupid things are seeping through,
> but are not blocked even when I ask!
> 
> If ISPs really wanted to make the Internet better for Corporate America,
> I guess they'd unplug most of Asia...not block a port here and there
> (but that isn't exactly acceptable).
> 
> Anyways, like I said, I'm conflicted...I change my mind every now and
> then because both arguments make logical sense.
> 
> - Erik
> 
> 
> 
> 
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
> Gadi Evron
> Sent: Tuesday, August 16, 2005 12:58 AM
> To: Christopher L. Morrow
> Cc: nanog at merit.edu
> Subject: Re: zotob - blocking tcp/445
> 
> 
> [snip arguments]
> 
> 
>>Do not become the internet firewall for your large customer base... 
>>it's bad.
>>
> 
> 
> Okay, so please allow me to alter the argument a bit.
> 
> Say we agreed on:
> 1. Security is THEIR (customers') problems, not yours.
> 2. You are not the Internet's firewall.
> 
> That would mean you would still care about:
> 1. You being able to provide service.
> 2. Your own network being secure (?)
> 
> In a big outbreak, not for the WHOLE Internet, I'd use whatever I can. 
> It can easily become an issue of my network staying alive.
> 
> Blocking that one port then might be a viable solution to get a handle
> on things and calm things down.
> 
> Naturally though you are right again, it is a case-by-case issue and
> cannot be discussed in generalities.
> 
> 	Gadi.
> .
> 

-- 
My "Foundation" verse:
Isa 54:17  No weapon that is formed against thee shall prosper; and 
every tongue that shall rise against thee in judgment thou shalt 
condemn. This is the heritage of the servants of the LORD, and their 
righteousness is of me, saith the LORD.

-- carpe ductum -- "Grab the tape"
CDTT (Certified Duct Tape Technician)

Linux user #322099
Machines:
206822
256638
276825
http://counter.li.org/
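One way to carry out the "quick block, investigate the traffic, then filter narrowly" step suggested above, as an added example that is not from any post in this thread: a small fan-out detector run over constructed flow records (the sample data, the 10.x addresses, the threshold of 8 distinct targets and the Cisco-style ACL lines are all assumptions) that flags only the sources sweeping many hosts on tcp/445, so a per-host deny can stand in for a blanket port block on the whole customer base.

```python
# Added example: spot worm-style tcp/445 fan-out per source host so the
# mitigation can be a per-host block rather than a hard block of the port.
# All flow records below are constructed sample data, not real traffic.
from collections import defaultdict

# Constructed flow lines, one per flow: "src dst dport proto".
# 10.0.1.5 sweeps 12 hosts on 445 (worm-like); 10.0.1.20 talks to two
# file servers on 445 (normal); the rest is unrelated web traffic.
SAMPLE_FLOWS = "\n".join(
    [f"10.0.1.5 10.0.2.{n} 445 tcp" for n in range(1, 13)]
    + ["10.0.1.20 10.0.3.1 445 tcp", "10.0.1.20 10.0.3.2 445 tcp",
       "10.0.1.20 10.0.3.1 445 tcp", "10.0.1.7 198.51.100.9 80 tcp",
       "10.0.1.7 198.51.100.10 443 tcp", "10.0.1.9 10.0.3.1 53 udp"]
)


def parse_flows(text):
    """Parse 'src dst dport proto' lines into (src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append((src, dst, int(dport), proto.lower()))
    return flows


def fanout_by_source(flows, port=445, proto="tcp"):
    """Count distinct destinations each source contacted on port/proto."""
    targets = defaultdict(set)
    for src, dst, dport, p in flows:
        if dport == port and p == proto:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def suspected_scanners(flows, port=445, proto="tcp", threshold=8):
    """Sources whose distinct-target fan-out reaches the (assumed) threshold."""
    counts = fanout_by_source(flows, port, proto)
    return sorted(src for src, n in counts.items() if n >= threshold)


def per_host_acl(scanners, port=445):
    """Cisco-style extended ACL deny lines for only the flagged hosts."""
    return [f"deny tcp host {src} any eq {port}" for src in scanners]


if __name__ == "__main__":
    flagged = suspected_scanners(parse_flows(SAMPLE_FLOWS))
    print("\n".join(per_host_acl(flagged)))  # one deny line, for 10.0.1.5 only
```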