Home page logo
/

nanog logo nanog mailing list archives

Re: What do you want your ISP to block today?
From: Ray Wong <rayw () rayw net>
Date: Sat, 30 Aug 2003 12:13:45 -0700


On Sat, Aug 30, 2003 at 02:53:46PM -0400, Valdis.Kletnieks () vt edu wrote:
On Sat, 30 Aug 2003 14:09:40 EDT, Joe Abley said:
That won't save them when the time required to download the patch set 
is an order of magnitude greater than the mean time to infection.

This, in fact, is the single biggest thorn in our side at the moment. It's hard
to adopt a pious "patch your broken box" attitude when the user can't get it
patched without getting 0wned first...

how about ACLing them?

upstream from customer:
permit udp <customer> <ISP's nameservers> port 53
permit tcp <customer> <windowsupdaterange> port 80(?)

for as much of the windows update range as can be found.  Since they've
recently akamai'zed, this is somewhat predictable.

Downstream, you can either setup stateful, or just be lazy and hope that
allowing estab flag is enough...

ACL can be either templated or genericized for the OS.  (replacing
<customer> with any means the customer pvc (assuming DSL) can only
hit microsoft regardless of spoofing.  Similar ACLs can be setup
for Solaris, OSX, even various flavors of linux.  being able to at
least semi-automate router config changes is a requisite, but not
insurmountable.

This will, no doubt, increase support calls.  How much compared to a
pervasive work is left as an exercise to the reader.



-- 

Ray Wong
rayw () rayw net


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]