Criminals, The Network, and You [Was: Something Else]

Sean Donelan sean at
Thu Sep 20 17:31:41 UTC 2007

On Wed, 19 Sep 2007, Rich Kulawiec wrote:
> in the logs for days/weeks/months.  This suggests to me that Cox
> is actually paying attention to abuse outbound from their network
> and is either disconnecting or quarantining hosts which emit it.

It's nice to see Cox getting some praise for a change.  Last month people 
were castigating it for being too aggressive at trying to block bots.
It seems like half the net is always criticizing ISPs for doing
too little and half the net is always criticizing ISPs for doing
too much.

Cox blocks a lot of ports on its network (25, 80, 135-139, 445, 1900,
1433, 1434, 1900, subseven ports); blackholes networks and DNS names;
firewall software that blocked sites with bad TCP software stacks such
as Craigslist; and so on.  Some people think Cox is being pro-active
on the security front; other people think Cox is violating a sacred
trust.  ISPs are pretty much just damned.

Why should a network user have to petition his or her ISP to authorize
their use of a valid network protocol?  Shouldn't application
authorization occur at the application level instead of relying on
the equivalent of .rlogin network-level checks?

Companies like DynDNS show there is user demand to operate their own
servers (including P2P servers, mail servers, web servers, dns servers, 
etc) on dynamic IP addresses without needing a special "static" IP address 
or different name.

With Fast-Flux, it looks like the next network port that should be 
blocked on broadband/dialup connections is DNS tcp/udp 53.

> or multiple of the above (as is the case most of the time), then it's
> very, very unlikely that refusal of the traffic constitutes a FP.

Until a false positive happens.  I see 1-2 false positives a year
using checks for "generic-looking" names; and a few more 
false positives for IP addresses without names. 
Nevertheless I still continue to use those checks because the false 
positive rate is below my pain threshold.  But I don't pretend it never 
happens or may not be a concern to someone else.

I also almost never get a valid e-mail to my postmaster account, just
spam; but some people still think every mail server should accept mail
to the postmaster account anyway no matter how rarely it gets legitimate
email.  They even set up RBLs of mail servers without postmaster accounts. 
Maybe we need an RBL of mail servers that don't accept mail from generic or dynamic IP addresses.
