nanog mailing list archives

Re: What do you want your ISP to block today?
From: Owen DeLong <owen () delong com>
Date: Sat, 30 Aug 2003 23:34:21 -0700

--On Saturday, August 30, 2003 8:18 PM +0200 Iljitsch van Beijnum <iljitsch () muada com> wrote:

> On Saturday, Aug 30, 2003, at 18:54 Europe/Amsterdam, Owen DeLong wrote:

>>> Christopher L. Morrow's mention of asymmetric routing for multihomed
>>> customers is more to the point, but if we can solve this for all those
>>> single homed dial, cable and ADSL end-users and not for multihomed
>>> networks, I'll be very happy.

>> I happen to look a lot like a single homed ADSL end
>> user at certain levels, but, I'm multihomed.  I'd be very annoyed if
>> my ISP started blocking things just because my traffic pattern didn't
>> look like what they expect from a single homed customer.

> I'm sure knife salespeople find it extremely annoying that they can't
> bring their wares along as carry-on when they fly. Sometimes a few people
> have to be inconvenienced for the greater good.

In my opinion, this is a very unfortunate attitude largely based on FUD
and myth.  Apologies for the off-topicness of the following example,
but, having just been through this level of greater good, I hope it
will serve some positive purpose if people realize how ridiculous it
gets if you let this go.

Frankly, I think the level of absurdity that the TSA and HSA have taken
things to speaks for itself.  From May 21 of this year until August 1,
certain interpretations of our newfound greater good would have allowed
me to be classified as a terrorist and hauled off to prison.  Why?
Because on May 21, depending on your interpretation of the statutes,
my possession of an until then perfectly legal 2 pounds of black powder
or my possession of an until then perfectly legal Aerotech J-350 Ammonium
Perchlorate Composite Propellant rocket motor reload suddenly changed
from a perfectly legal hobby to an act of terrorism for anyone who did
not possess a Low Explosives User Permit from the USDOJ/BATFE.  What changed
on August 1?  I got my permit (finally) which I applied for in April.

The minor inconvenience involved in doing this consisted of:

        1.      $100 to the feds.
        2.      I had to file an FBI Fingerprint Card with the BATF
                +       $30 to get the fingerprinting done
                +       Took about 3 hours to track down the correct method of
                        getting the fingerprinting done and actually have
                        it done.  (BATF instructions didn't work and it turned
                        into a name-that-bureaucracy trip through 5 different
                        agencies to find one that would do the fingerprinting
                        (no, the FBI will not)).
        3.      Federal Background Check
        4.      Essentially sign away my 4th amendment rights and grant
                the BATFE permission to inspect my home at any time.
        5.      Get a letter of agreement for contingency storage from at
                least one agency with a LEUP and a storage authorization
                (my LEUP is a non-storage LEUP).
        6.      I now need to keep records of all my rocket motor purchases,
                usages, storages, and other dispositions for 10 years.

The greater good accomplished:

        Any nutcase that wants to can still pay cash for all the ammonium
nitrate and diesel fuel he/she wants with no identification required, no
record of the transaction, and no permit required.

        Did I mention that the Oklahoma City Federal building has proven
that AN+Diesel does explode, while the NH state police explosives lab
has proven that APCP DOES NOT EXPLODE?

Sorry... I just don't see a greater good in forcing liability on ISPs
for forwarding IP datagrams with valid headers.

>> But, TCP to a port that isn't listening (or several ports that aren't
>> listening) _ARE_ what you are talking about blocking.  This is not a
>> good idea.

> Why not? I think it's a very good idea. TCP doesn't work if you only use
> it in one direction, so blocking this doesn't break anything legitimate,
> but it does stop a whole lot of abuse. (Obviously I'm talking about the
> case where the lack of return traffic can be determined with a modicum of
> reliability.)

1.      Your assumption is false.  There are multiple diagnostic things
        that can be accomplished with what appears to be a single-sided
        TCP connection.

2.      I should be able to probe, portscan, or otherwise attack my own
        site from any location on the internet so long as I do not create
        a DOS or AUP violation on someone else's network that I have an
        agreement with.

3.      Fixing the end hosts will stop a lot more abuse than breaking
        the network will.

> It should be possible to have a host generate special "return traffic"
> that makes sure that stuff that would otherwise be blocked is allowed
> through.

I don't think it's desirable or appropriate to have everyone re-engineer
their hosts to allow monitoring and external validation scans to get
around your scheme for turning off services ISPs should be providing.

> But then you don't seem to have any problems with letting through denial
> of service attacks so I'm not sure if there is any use in even discussing
> this with you. Today, about half of all mail is spam, and it's only
> getting worse. If we do nothing, tomorrow half of all network traffic
> could be worms, scans and DOS. We can't go on sitting on our hands.

I don't propose sitting on our hands.  I propose fixing the problem where
the problem is.  What you are proposing makes as much sense as locking up
all the yeast producers to cut down on drunk driving.  Sure, there are
fewer yeast producers than drunk drivers and they're in business, so they're
easier to find.  However, just because it's easier doesn't make it correct
or even logical.  Yes, this is an extreme example, but, other than degree
of separation, I don't see a lot of difference in the approaches.

Fixing the edge is harder, but, it will yield better results.  Breaking
the core is easier, but, will yield lots of collateral damage and won't
necessarily do much more than create smarter worms.

Owen
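The disagreement above, whether an ISP can safely block TCP traffic for which it sees no return direction, can be made concrete with an added example. The Python script below is not part of the original thread and was written by neither participant; the flow records, the addresses (RFC 5737 documentation prefixes), the port numbers and the "ISP-A"/"ISP-B" vantage-point labels are all constructed for illustration. It classifies connections as one-sided from the flow records one provider exports, and shows that a multihomed customer whose return path runs through another provider looks exactly like a scanning host until the second provider's records are pooled.

```python
from collections import Counter, defaultdict

# Constructed sample flow records for this example (not data from the thread):
# roughly what an ISP's edge routers would export per flow. Fields:
# (vantage point that saw it, src IP, src port, dst IP, dst port, TCP flags, packets)
# Addresses come from the RFC 5737 documentation prefixes; ports are arbitrary.
SAMPLE_FLOWS = [
    # Single-homed customer 192.0.2.10: both directions traverse ISP-A.
    ("ISP-A", "192.0.2.10", 40001, "203.0.113.5", 80, "S", 1),
    ("ISP-A", "203.0.113.5", 80, "192.0.2.10", 40001, "SA", 1),
    ("ISP-A", "192.0.2.10", 40001, "203.0.113.5", 80, "A", 12),
    # Multihomed customer 192.0.2.20: outbound via ISP-A, return path via ISP-B.
    ("ISP-A", "192.0.2.20", 40002, "203.0.113.5", 443, "S", 1),
    ("ISP-B", "203.0.113.5", 443, "192.0.2.20", 40002, "SA", 1),
    ("ISP-A", "192.0.2.20", 40002, "203.0.113.5", 443, "A", 30),
    ("ISP-B", "203.0.113.5", 443, "192.0.2.20", 40002, "A", 25),
    # Compromised host 192.0.2.30 scanning: SYNs to several ports, and the
    # target drops them, so nothing (not even a RST) ever comes back.
    ("ISP-A", "192.0.2.30", 50000, "198.51.100.9", 22, "S", 1),
    ("ISP-A", "192.0.2.30", 50001, "198.51.100.9", 23, "S", 1),
    ("ISP-A", "192.0.2.30", 50002, "198.51.100.9", 445, "S", 1),
    ("ISP-A", "192.0.2.30", 50003, "198.51.100.9", 3389, "S", 1),
]


def connection_key(src, sport, dst, dport):
    """Direction-independent key so both halves of one TCP connection group together."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def one_sided_flows(flows, vantage_points):
    """Return the set of (ip, port) endpoints that were the only sender on their
    connection, judging from the pooled records of `vantage_points`.

    An ISP deciding alone passes only its own vantage point; whatever its
    customers' return paths do on other networks is invisible to it."""
    senders = defaultdict(set)
    for vp, src, sport, dst, dport, _flags, _pkts in flows:
        if vp in vantage_points:
            senders[connection_key(src, sport, dst, dport)].add((src, sport))
    return {next(iter(s)) for s in senders.values() if len(s) == 1}


def suspects(flows, vantage_points, threshold=3):
    """Hosts with at least `threshold` one-sided connections: the candidates a
    'block flows that have no return traffic' rule would act on."""
    counts = Counter(src for src, _port in one_sided_flows(flows, vantage_points))
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # ISP-A alone, acting on any one-sided connection: the multihomed
    # customer is flagged right next to the scanner.
    print("ISP-A alone, threshold 1:", suspects(SAMPLE_FLOWS, {"ISP-A"}, threshold=1))
    # A higher threshold happens to spare the customer in this sample, but only
    # because it opened one connection; nothing about the data distinguishes it.
    print("ISP-A alone, threshold 3:", suspects(SAMPLE_FLOWS, {"ISP-A"}))
    # With ISP-B's records pooled the return path is visible and only the
    # scanner remains.
    print("ISP-A + ISP-B, threshold 1:",
          suspects(SAMPLE_FLOWS, {"ISP-A", "ISP-B"}, threshold=1))
```

Two caveats a practitioner would attach to any such rule: a closed but unfiltered port answers a SYN with a RST, so "no return traffic" in practice means the probes were dropped, not merely that nothing was listening; and the pooled view that clears the multihomed customer requires records the blocking ISP does not have, which is exactly the asymmetric-routing problem raised earlier in the thread.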

