Home page logo

nanog logo nanog mailing list archives

RE: Port blocking last resort in fight against virus
From: Mark Segal <MSegal () Corporate FCIBroadband com>
Date: Tue, 12 Aug 2003 13:39:41 -0400

Well after my port blocking escapades of yesterday we have got one
complaint.. Someone who was selling exchange based mailboxes.  So his /26 is
now a permit rule in the acl.. But the blocking, has cut down on our
infection rate significantly. (I am seeing a lot of inbound, but not a lot
of outbound traffic to 135).


Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 

Futureway Communications Inc. is now FCI Broadband

-----Original Message-----
From: McBurnett, Jim [mailto:jmcburnett () msmgmt com] 
Sent: August 12, 2003 12:40 PM
To: Jack Bates; Mans Nilsson
Cc: nanog () merit edu
Subject: RE: Port blocking last resort in fight against virus

Jack, et al.
As a larger than average end user and what could
be called a small ISP,  I really can not image 
legitimate traffic on 135..
who in there right mind would pass NB traffic in the wild?
I dunno, may it is just that Old military security mindset 
creeping into my brain housing group.

Can someone enlighten me? What is legitimate 136 traffic?


-----Original Message-----
From: Jack Bates [mailto:jbates () brightok net]
Sent: Tuesday, August 12, 2003 12:31 PM
To: Mans Nilsson
Cc: nanog () merit edu
Subject: Re: Port blocking last resort in fight against virus

Mans Nilsson wrote:

Your chosen path is a down-turning spiral of kludgey dependencies, 
where a host is secure only on some nets, and some nets can't cope 
with the load of all administrative filters (some routers tend to take 
port-specific filters into slow-path). That way lies madness.

Secure? Who's talking about secure? I'm talking about trash. Not 
blocking the port with a large group of infected users means that your 
network sends trash to other people's networks. Those networks may or 
may not have capacity to mean your network's trash.

Temporarily blocking 135 is not about security. A single infection 
within a local net will infect all vulnerable systems within that local 
net. A block upstream will not save local networks from cross infecting. 
However, it does stop your network from sending the trash out to other 
networks which may have smaller capacities than your network does.

Of course, perhaps a good neighbor doesn't really care about other 
people's networks? Perhaps there is no such thing as a good neighbor. 
It's kill or be killed, and if those other networks can't take my user's 
scanning them, then tough!

There is legitimate traffic on 135. All users I've talked to have been 
understanding in a short term block of that port. They used alternative 
methods. I have a lot of valid traffic still cranking out the other 
Microsoft ports.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]