Home page logo

nanog logo nanog mailing list archives

Re: What if it doesn't affect the ISP? (was Re: What do you want your ISP to block today?)
From: Matthew Palmer <mjp16 () ieee uow edu au>
Date: Sun, 31 Aug 2003 12:21:09 +1000 (EST)

On Sat, 30 Aug 2003, Sean Donelan wrote:

The recurring theme is: I don't want my ISP to block anything I do, but
ISPs should block other people from doing things I don't think they
should do.

That's about my position, I guess.  <g>  There's a difference between
naively blocking ports or screwing with packets, though, and blocking known
dodgy behaviour (spoofed source addresses, for one).  Yes, port 135 is a
known vector, and so is 4444 now, but they have their legitimate uses.  If
you have evidence that someone is doing something dodgy with them, then you
should shut them down.  But spanking everyone because some people
can't/won't take responsibility for their systems reeks of schoolroom
justice ("We're all going to sit here until the guilty party owns up").

So how long is reasonable for an ISP to give a customer to fix an
infected computer; when you have cases like Slammer where it takes only
a few minutes to infect the entire Internet?  Do you wait 72 hours?
or until the next business day? or block the traffic immediately?

Immediately.  The ISP is, IMO, responsible for the traffic of those they
connect to the Internet.  Maybe I'm just showing my old-fashioned
values there, though.

Or some major ISPs seem to have the practice of letting the infected
computers continuing attacking as long as it doesn't hurt their

"Welcome to my null0, O provider of loose morals".

#include <disclaimer.h>
Matthew Palmer, Geek In Residence

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]