nanog mailing list archives
Re: BCP for ISP to block worms at PEs and NAS
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Sun, 17 Apr 2005 16:13:06 -0400
In message <20050417200030.GG1174 () arctic org>, "J.D. Falk" writes:
On 04/17/05, John Kristoff <jtk () northwestern edu> wrote:deny tcp any any range 135 139 deny udp any any range 135 netbios-ss deny tcp any any eq 445 deny udp any any eq 1026Similar as before, you are going to be removing some legitimate traffic.Is this really true? All of the ports listed above are used by LAN protocols that were never intended to communicate directly across backbone networks -- that's why VPNs were invented. Or, is your argument that some system somewhere MIGHT ignore the offical port numbers allocated by IANA and try to pass some other kind of traffic there instead?
The issue is client-side port numbers -- those aren't rules that block only inbound SYNs. That was clear from another paragraph of Kristoff's post: Whatever worm you're trying to mitigate above (sasser?), you will also be occasionally be taking out TCP sessions that happen to be using that port. Most commonly where one side uses 5554 as it's ephemeral port. The result will be intermittent, undiagnosed failures. "Why isn't that Internet reliable? I do the same thing twice in a row and the second time it fails." --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Current thread:
- Re: BCP for ISP to block worms at PEs and NAS, (continued)
- Re: BCP for ISP to block worms at PEs and NAS Randy Bush (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Christopher L. Morrow (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Sean Donelan (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS J.D. Falk (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Kim Onnel (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Christopher L. Morrow (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Randy Bush (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Sean Donelan (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS J.D. Falk (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Steven M. Bellovin (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS John Kristoff (Apr 17)
- Re: BCP for ISP to block worms at PEs and NAS Christopher L. Morrow (Apr 17)