ISP port blocking practice

Lee Riemer lriemer at
Fri Oct 23 21:19:23 UTC 2009

Isn't blocking any port against the idea of Net Neutrality?

Justin Shore wrote:
> Owen DeLong wrote:
>> Blocking ports that the end user has not asked for is bad.
> I was going to ask for a clarification to make sure I read your 
> statement correctly but then again it's short enough I really don't 
> see any room to misinterpret it.  Do you seriously think that a 
> typical residential user has the required level of knowledge to call 
> their SP and ask for them to block tcp/25, tcp & udp/1433 and 1434, 
> and a whole list of common open proxy ports?  While they're at it they 
> might ask the SP to block the C&C ports for Bobax and Kraken.  I'm 
> sure all residential users know that they use ports 447 and 13789.  If 
> so then send me some of your users.  You must be serving users around 
> the MIT campus.
>> Doing it and refusing to unblock is worse.
> How you you propose we pull a customer's dynamically-assigned IP out 
> of a DHCP pool so we can treat it differently?  Not all SPs use 
> customer-facing AUTH.  I can think of none that do for CATV though I'm 
> sure someone will now point an oddball SP that I've never heard of 
> before.
>> Some ISPs have the even worse practice of blocking 587 and a few even
>> go to the horrible length to block 465.
> I would call that a very bad practice.  I haven't personally seen a 
> mis-configured MTA listening on the MSP port so I don't think they can 
> make he claim that the MSP port is a common security risk.  I would 
> call tcp/587 a very safe port to have traverse my network.  I think 
> those ISPs are either demonstrating willful ignorance or marketing 
> malice.
>> A few hotel gateways I have encountered are dumb enough to think they 
>> can block TCP/53
>> which is always fun.
> The hotel I stayed in 2 weeks ago that housed a GK class I took had 
> just such a proxy.  It screwed up DNS but even worse it completely 
> hosed anything trying to tunnel over HTTP.  OCS was dead in the 
> water.  My RPC-over-HTTP Outlook client couldn't work either.  
> Fortunately they didn't mess with IPSec VPN or SSH.  Either way it 
> didn't matter much since the network was unusable (12 visible APs from 
> room, all on overlapping 802.11b/g channels).  The average throughput 
> was .02Mbps.
>> Lovely for you, but, not particularly helpful to your customers who 
>> may actually want to use some of those services.
> I take a hard line on this.  I will not let the technical ignorance of 
> the average residential user harm my other customers.  There is 
> absolutely no excuse for using Netbios or MS-SQL over the Internet 
> outside of an encrypted tunnel.  Any user smart enough to use a proxy 
> is smart enough to pick a non-default port.  Any residential user 
> running a proxy server locally is in violation of our AUP anyway and 
> will get warned and then terminated.  My filtering helps 99.99% of my 
> userbase. The .001% that find this basic security filter intolerable 
> can speak with their wallets.  They can find themselves another 
> provider if they want to use those ports or pay for a business circuit 
> where we filter very little on the assumption they as a business have 
> the technical competence to handle basic security on their own.  (The 
> actual percentage of users that have raised concerns in the past 3 
> years is .0008%.  I spoke with each of them and none decided to leave 
> our service.)
> We've been down the road of no customer-facing ingress ACLs.  We've 
> fought the battles of getting large swaths of IPs blacklisted because 
> of a few users' technical incompetence.  We've had large portions of 
> our network null-routed in large SPs.  Then we got our act together 
> and stopped acting like those ISPs who we all love to bitch about, 
> that do not manage their customer traffic, and are poor netizens of 
> this shared resource we call the Internet.  Our problems have all but 
> gone away. Our residential and business users no longer call in on a 
> daily basis to report blacklisting problems.  We no longer have 
> reachability issues with networks that got fed up with the abuse 
> coming from our compromised users and null-routed us.  I stand by our 
> results as proof that what we're doing is right.  Our customers seem 
> to agree and that's what matters.
> Justin

More information about the NANOG mailing list