mailing list archives
Re: ISPs are asked to block yet another port
From: "Christopher L. Morrow" <chris () UU NET>
Date: Mon, 23 Jun 2003 19:49:09 +0000 (GMT)
On Mon, 23 Jun 2003, Paul Vixie wrote:
chris () UU NET ("Christopher L. Morrow") writes:
ISP's could block all ports and save everyone the hassle of having an
Internet.... (I am just kidding of course)
Two interesting points though:
1) Spammers adapt
2) default insecure OS installs cause problems
3) thoughtless reactionism at isp's does little good and sometimes some harm.
indeed it does... breaking the network with acls often gets me in trouble
:) Really, there are always better solutions than mass filtering something
take for example port-25 blocking. i've been getting relayprobed all
weekend by someone who gets around outbound at&t's tcp/25 SYN blocking
by sending their SYN's through a provider who shall remain nameless
(except that chris morrow happens to work there :-)) using at&t IP
source addresses. i guess they multihomed their host and bind()'d the
outbound socket to one interface even while making sure the routing
used a different interface. high rocket science? NOT.
This is what our, atleast, abuse team calls 'fantasy mail'. There is a fix
for it, port 25 in and out filtering for radius customers. The 'problem'
as I understand it, is that the change would be a contract change so it
has to wait for expiration of said contract to be enforced... :( Its a
sucky world sometimes. Perhaps Paul complained to
ATT/<other-unnamed-provider> with logs and such? :)
so if you're going to block tcp/25 SYNs on outbound, please make sure
you block SYN/ACK's on input too, or else you just give the spammers a
little more work to do instead of a lot more work to do.
Yup, this is in the works also... and yes, someone realized quickly enough
that the one-way filtering was dumb. oh well. live and learn!
Re: ISPs are asked to block yet another port Niels Bakker (Jun 23)