nanog mailing list archives
Re: Blocking port 135?
From: Jack Bates <jbates () brightok net>
Date: Sat, 02 Aug 2003 08:09:47 -0500
Mans Nilsson wrote:
> * If you block and interfere, you are responsible for what your customer does. You Do Not Want That.
Depends on why you block and interfere. Intention plays a large part according to law. In this case, it's to protect the network infrastructure from a high probability outage, and the overall security of the customer's box is inconsequential. Some other things follow this intent: filtering of problem networks during attacks, executable stripping or virus scanning (we don't warrant you won't get a virus, but minimize the overall virus throughput in our network to maintain operational mail servers), and suspension of insecure systems or spammers (primary goal is to keep the entire network from being blacklisted publicly or privately, secondary goal is good neighbor policy).
> * If my home ISP tried this on me, I'd take them to the consumer protection authority and have them explain why they are calling their filtered service "Internet access".
Many AUP/TOS agreements have interesting no-server clauses. Blocking 135 inbound to those systems would not breach "Internet access" as the customer shouldn't have a server running on that port. The lack of <1024 filtering on such AUP/TOS services is courtesy really. If it's not a problem to the network, the ISP generally doesn't care.
> Instead, I'd suggest this:
You forgot to mention: set up detection systems and perform immediate contact on accounts that trigger the system to determine if it's legitimate or not. If not, bye bye.
Of course, this only stops outbound issues. It does nothing to prevent inbound, and in the event of a worm, you'd better make sure you have double and triple methodologies in place to stabilize your network. I received a lot of reports on the issues people had with Sapphire. What took me less than a few minutes took some hours just to access their equipment. Suggestion? Prewrite the lists and have them in place and know ahead of time how you'll activate them when the network is under extreme load.
-Jack
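The detect-then-contact loop and the prewritten lists Jack describes above, as an added Python example that is not part of the thread or of anyone's production tooling: it reads constructed flow-log lines (timestamp, source, destination, protocol, destination port), flags customer sources that reach an unusual number of distinct hosts on TCP/135 inside one time window, and renders a pre-staged inbound filter that can be applied the moment a worm shows up. The log format, the threshold of 20 destinations per 60-second window, the iptables rendering and the 10.1.0.0/16 customer prefix are all assumptions, not values from the thread.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed flow-log lines (ts src dst proto dport); not real traffic."""
    lines = []
    # 10.1.2.3 touches 25 distinct hosts on TCP/135 within 25 seconds: scanner-like.
    for i in range(25):
        lines.append(f"{1059830400 + i} 10.1.2.3 192.0.2.{i + 1} tcp 135")
    # 10.1.2.4 talks to three hosts on TCP/135: ordinary RPC use, stays under threshold.
    for i in range(3):
        lines.append(f"{1059830400 + i} 10.1.2.4 198.51.100.{i + 1} tcp 135")
    # 10.1.2.5 touches 30 hosts on TCP/80: many destinations, but not the port of interest.
    for i in range(30):
        lines.append(f"{1059830400 + i} 10.1.2.5 203.0.113.{i + 1} tcp 80")
    # 10.1.2.6 touches 25 hosts on TCP/135 spread over 25 minutes: slow, under the rate.
    for i in range(25):
        lines.append(f"{1059830400 + 60 * i} 10.1.2.6 192.0.2.{i + 100} tcp 135")
    lines.append("garbage line that the parser must skip")
    return lines


def parse_flow(line):
    """Return (ts, src, dst, proto, dport) or None for a malformed record."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return int(parts[0]), parts[1], parts[2], parts[3].lower(), int(parts[4])
    except ValueError:
        return None


def suspect_sources(lines, port=135, threshold=20, window=60):
    """Sources that reached >= threshold distinct hosts on tcp/port in one window.

    Returns {src: peak_distinct_destinations}. Flows are bucketed by
    ts // window; a scan straddling a bucket boundary may score lower,
    which is acceptable for a first-pass trigger that a human then reviews
    before contacting the account.
    """
    buckets = defaultdict(lambda: defaultdict(set))  # src -> bucket -> {dst}
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed records rather than aborting the run
        ts, src, dst, proto, dport = rec
        if proto != "tcp" or dport != port:
            continue
        buckets[src][ts // window].add(dst)
    flagged = {}
    for src, by_bucket in buckets.items():
        peak = max(len(dsts) for dsts in by_bucket.values())
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def staged_filter(customer_prefix, port=135):
    """Prewritten inbound filter lines, kept ready before the load hits.

    iptables syntax is used only as an illustration; the prefix is an assumption.
    """
    return [
        f"iptables -I FORWARD -d {customer_prefix} -p tcp --dport {port} -j DROP",
        f"iptables -I FORWARD -d {customer_prefix} -p udp --dport {port} -j DROP",
    ]


if __name__ == "__main__":
    for src, peak in sorted(suspect_sources(build_sample_flows()).items()):
        print(f"contact account for {src}: {peak} distinct hosts on tcp/135 in one window")
    print("\n".join(staged_filter("10.1.0.0/16")))
```

Only 10.1.2.3 is flagged on the constructed data: the slow scanner 10.1.2.6 stays under the per-window rate and the port-80 talker is ignored, which is the point of keying the trigger on both rate and destination port rather than on volume alone.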
Current thread:
- RE: Blocking port 135?, (continued)
- RE: Blocking port 135? Jason Robertson (Aug 01)
- Re: Blocking port 135? Bruce Pinsky (Aug 01)
- Re: Blocking port 135? Jason Slagle (Aug 02)
- RE: Blocking port 135? Bob German (Aug 02)
- Re: Blocking port 135? Crist Clark (Aug 01)
- Re: Blocking port 135? Justin Shore (Aug 03)
- Re: Blocking port 135? Jared Mauch (Aug 01)
- Re: Blocking port 135? Stephen Sprunk (Aug 01)
- RE: Blocking port 135? Chris Johnston (Aug 01)
- Re: Blocking port 135? Mans Nilsson (Aug 02)
- Re: Blocking port 135? Jack Bates (Aug 02)
- Re: Blocking port 135? Mans Nilsson (Aug 02)
- Re: Blocking port 135? Sean Donelan (Aug 02)
- Re: Blocking port 135? Christopher L. Morrow (Aug 02)
- Re: Blocking port 135? Jack Bates (Aug 02)
- Re: Blocking port 135? Valdis . Kletnieks (Aug 03)