nanog mailing list archives

Re: botted hosts


From: Suresh Ramasubramanian <ops.lists () gmail com>
Date: Mon, 4 Apr 2005 11:13:00 +0530


On Apr 4, 2005 10:40 AM, Sean Donelan <sean () donelan com> wrote:
> Why does anyone accept SMTP connections from known "dynamically assigned"
> addresses?  DUL, QIL, etc should drop all those connections on the floor.

Consider, if you will, the UNKNOWN dynamic IP ranges

Neither DUL, nor SORBS DUHL, nor the several other lesser known
variants can claim to do even a fraction of a perfect job - and
providers who do stuff like happily mix static IP and dynamic IP
netblocks, maintain vague or inconstant rDNS or even no rDNS at all
for these, etc don't help at all, leading to the usual funny situation
of someone's static IP dsl getting blocked as dynamic [but that's
another story altogether]

And even with port 25 filtering, if it is one way only, people can use
so-called triangular routing to spoof IP packets, using botnet
controlled hosts on dialups, and a master control center with a fat
pipe + spamware, and a bank of POTS lines.

Port 25 both ways, and then uRPF to stop source address spoofing ..

> Does port 25 blocking actually make a difference?  Any public data from
> before and after?  Or does it just annoy people, cause problems and not
> fix anything?

The last time this thread came up on nanog (I think you were the one
to ask this question then as well) I do believe people came up to say
"yes, it does make a difference"

That said, Joe St. Sauver put it fairly well in his presentation at
MAAWG San Diego, when he said it is cough syrup for lung cancer, and
what you need along with the cough syrup of port 25 filtering, is some
stronger measures to locate and take down botted hosts, which of
course can be used for nastier things (DDoS botnets for example) as
well, things that do just fine without port 25.

-srs
-- 
Suresh Ramasubramanian (ops.lists () gmail com)