nanog mailing list archives

Re: Customer-facing ACLs


From: Robert Beverly <rbeverly () rbeverly net>
Date: Fri, 7 Mar 2008 15:35:27 -0500


On Fri, Mar 07, 2008 at 01:55:05PM -0600, Justin Shore wrote:
> What kind of customer-facing filtering do you do (ingress and egress)?
> This of course is dependent on the type of customer, so let's assume
> we're talking about an average residential customer.
...

As part of a recent measurement project, we estimate the prevalence
of ingress and egress blocking (though under the guise of neutrality).
For customer facing filters, we leverage protocols which provide 
port-specific redirects, e.g. HTTP, Gnutella, etc.  For traffic
toward customers, we use port-specific tcptraceroutes.  Some published
data for the curious:
  http://ana.csail.mit.edu/rsp/

Reader's digest summary: NetBIOS ports (and the innocent profile
service) 135-139 are among the most frequently blocked, along
with SMTP, POP3 and filters that have stuck around due to various
worms such as MS-SQL.  That said, around 94% of the 16-bit port
space was unblocked by any network.

Curious to others' answers to this high-level question -- and the
more mundane question of filter maintenance.

rob

