Criminals, The Network, and You [Was: Something Else]
sean at donelan.com
Thu Sep 20 17:31:41 UTC 2007
On Wed, 19 Sep 2007, Rich Kulawiec wrote:
> in the logs for days/weeks/months. This suggests to me that Cox
> is actually paying attention to abuse outbound from their network
> and is either disconnecting or quarantining hosts which emit it.
Its nice to see Cox getting some praise for a change. Last month people
were castigating it for being too agressive at trying to block Bots.
It seems like half the net is always criticizing ISPs for doing
too little and half the net is always criticizing ISPs for doing
Cox blocks a lot of ports on its network (25, 80, 135-139, 445, 1900,
1433, 1434, 1900, subseven ports); blackholes networks and DNS names;
firewall software that blocked sites with bad TCP software stacks such
as Craigslist; and so on. Some people think Cox is being pro-active
on the security front; other people think Cox is violating a sacred
trust. ISPs are pretty much just damned.
Why should an network user have to petition his or her ISP to authorize
their use of a valid network protocol? Shouldn't application
authorization occur at the application level instead of relying on
the equivalent of .rlogin network-level checks.
Companies like DynDNS show there is user demand to operate their own
servers (including P2P servers, mail servers, web servers, dns servers,
etc) on dynamic IP addresses without needing a special "static" IP address
or different in-addr.arpa name.
With Fast-Flux, it looks like the next network port that should be
blocked on broadband/dialup connections is DNS tcp/udp 53.
> or multiple of the above (as is the case most of the time), then it's
> very, very unlikely that refusal of the traffic constitutes a FP.
Until a false positive happens. I see 1-2 false positives a year
using checks for "generic-looking" in-addr.arpa names; and a few more
false positives for IP addresses without in-addr.arpa names.
Nevertheless I still continue to use those checks because the false
positive rate is below my pain threshold. But I don't pretend it never
happens or may not be a concern to someone else.
I also almost never get a valid e-mail to my postmaster account, just
spam; but some people still think every mail server should accept mail
to the postmaster account anyway no matter how rarely it gets legitimate
email. They even set up RBLs of mail servers without postmaster accounts.
Maybe we need a RBL of mail servers that don't accept mail from generic
in-addr.arpa or dynamic IP addresses.
More information about the NANOG