FBI tells the public to call their ISP for help
jbates at brightok.net
Thu Jun 14 14:23:54 UTC 2007
Sean Donelan wrote:
> Since many Microsoft patches are only legally available via the
> Internet, and an ISP can not predict which servers Microsoft will use to
> distribute Microsoft patches, ISPs must enable essentially full Internet
> access which includes access for most worms.
May I recommend developing an in-house method for allowing the customer only
access to your servers (web, dns, proxy, etc), and then apply filters for
everything else except for tcp/80. If you wanted to be additionally paranoid,
you could even allow only established tcp/80 connections back to the customer.
Once updated, the customer could establish contact to have filters removed, or an
automated web process could be created.
It's a ton of work, and there are any number of ways to do it. A lot depends on
your network. It can be done, though.
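
The quarantine filter described in the message above, sketched as an nftables ruleset for a Linux router in the forwarding path. This is an added example, not part of the original post: the table and set names are hypothetical, all addresses are documentation ranges, and connection tracking stands in for a router ACL's "established" match.

```nftables
# Constructed example: addresses are documentation ranges (RFC 5737),
# table and set names are hypothetical.
table inet quarantine {
    set quarantined {
        # Customers currently held in the walled garden
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }
    }

    set isp_servers {
        # In-house web, DNS and proxy servers the customer may always reach
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.53, 192.0.2.80 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Customer to the ISP's own servers, and their replies
        ip saddr @quarantined ip daddr @isp_servers accept
        ip saddr @isp_servers ip daddr @quarantined ct state established,related accept

        # Customer to anything else: tcp/80 only, so patch downloads
        # over HTTP work without knowing the vendor's server addresses
        ip saddr @quarantined tcp dport 80 accept

        # The "additionally paranoid" step: towards the customer, only
        # packets of an already established tcp/80 connection
        ip daddr @quarantined tcp sport 80 ct state established accept

        # Everything else to or from a quarantined customer is dropped;
        # the counters show how much traffic the filter is stopping
        ip saddr @quarantined counter drop
        ip daddr @quarantined counter drop
    }
}
```

Releasing a customer after patching means removing the address from the `quarantined` set, which is the step the message suggests doing by hand or through an automated web process.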