Re: zotob - blocking tcp/445

[routerg <routerg () gmail com>]

On 8/18/05, James Baldwin <jbaldwin () antinode net> wrote:
> On Aug 17, 2005, at 11:03 PM, routerg wrote:
>
> > What if you are a transit provider that serves ebay, yahoo, and/or
> > google and the worm is propogating over TCP port 80?
>
> No one is suggesting that anyone suspend reason when making a
> decision to temporarily, or permanently for that matter, block
> packets with a specific port setting. It is a unreasonable stretch to
> imagine a transit provider, serving Ebay, Yahoo, and/or Google, who
> will have a staff unreasonable enough to block TCP/80 to halt a virus
> from spreading.

I was only trying to make the point that it would be extremely
disruptive for enterprise class providers to filter ports all over the
place, regardless of the port number.  Today, the carrier class
providers are meant to proivde a routing interface to the network.


> > Where will the filtering end?
>
> The "slippery slope" defense has never stood in logical arguments, I
> don't understand why it should stand anywhere else. Once again, no on
> is asking anyone to suspend reason when making decisions. No on is
> making the statement "You must block ports used by virii of any
> magnitude, permanently without thought or investigation.". It was
> suggested that for outbreaks of significant size and severity,
> networks should issue temporary blocks on ports with little
> legitimate use. Expanding that suggestion to encompass more is being
> disingenuous to the original intent of the suggester
>
> > Is your NSP/ISP responsible for filtering virii, spam, phishing?
>
> ISPs are held accountable by their customers, whether rightfully or
> wrongfully, for virii, spam, and phishing. Customers expect their ISP
> to investigate, filter, and otherwise secure their connection.

I would agree with this if we are talking about consumer markets. 
Most cable/DSL providers have policies in place so that their
customers don't use the consumer class services to offer services, in
which case this type of mitigation is acceptable.  However, I've only
ever seen a handfull of requests from enterprise class customers
wanting their network provider to filter spam on their behalf. 
Usually they just want DoS attack traffic stopped upstream.  They
don't want their provider monitoring the contents of their packets.

> We are held accountable for the traffic we source. I feel comfortable
> exercising some caution with traffic which is destined to me,
> especially if it is going to create an issue where other networks
> will hold me accountable for the fallout.
>
> As someone eluded to earlier in the thread, customers expect to
> receive the traffic they want, and they expect their provider to
> prevent that which they did not request. Problems, support calls, and
> differences of opinion happen on the edge where those desires are not
> codified.