nanog mailing list archives
Re: ISP port blocking practice
From: Jack Bates <jbates () brightok net>
Date: Thu, 02 Sep 2010 23:08:54 -0500
Patrick W. Gilmore wrote:
>> We should be seeking to stop damaging the network for ineffective anti spam measures (blocking outbound 25 for example) rather than to expand this practice to bidirectional brokenness.
>
> Since at least part of your premise ('ineffective anti-spam measures') has been objectively proven false to fact for many years, I guess we can ignore the rest of your note.
He's right though. tcp/25 blocks are a hack. Easy man's way out. Honestly, it'd be nicer if edge or even core systems could easily handle higher level filtering for things like this. There are plenty of systems that watch traffic patterns and issue blocks based on those patterns.
I was working with a hotel today concerning just that. They were only doing a generic 500 connections in x period, block mac. They are now adding a tighter rule for 15 tcp/25 connections in 1 minute, block tcp/25 (or mac, doesn't matter to me). Of course, we didn't see valid reasons for mail blasts to be leaving a hotel and 15/minute is plenty of grace for a normal user. At an ISP level, it would work fine, though methods for determining exceptions would have to be planned (though that could easily be handled by customer classifications like everything else).
> Also, just so everyone doesn't think I'm in favor of "damaging" the network, I would much prefer a completely open 'Net. Who wouldn't? Since that is not possible, we have to do what we can to damage the network as little as possible. Port 25 blocking is completely unnoticeable to something on the order of 5-nines worth of users, and the rest should know how to get around it with a minimum of fuss (including things like "ask your provider to unblock" in many cases).
>
> Blocking inbound vs outbound is another story, though. Getting people to implement spoof protections is more useful.

I'd be interested to see your data for concluding 5-nines of users, or did you just make that up?
Jack
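The rate rule Jack describes for the hotel (15 new tcp/25 connections from one MAC inside a minute, then block tcp/25 for that MAC) as a sliding-window detector run over a flow log. This is an added example, not code from the thread or from anyone posting in it; the log line format, the MAC addresses, the traffic mix, and the five-minute period used for the hotel's coarser "500 connections in x period" rule are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow log (not from the thread): one new outbound TCP
# connection per line, formatted "ISO-timestamp src_mac proto dst_port".
def build_sample_log():
    base = datetime(2010, 9, 2, 23, 0, 0)
    lines = []
    # Spambot-like host: 20 new tcp/25 connections, one every 2 seconds.
    for i in range(20):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 00:11:22:33:44:55 tcp 25")
    # Normal user: three outbound SMTP connections within a minute.
    for s in (0, 30, 50):
        lines.append(f"{(base + timedelta(seconds=s)).isoformat()} aa:bb:cc:dd:ee:ff tcp 25")
    # Steady but slow sender: 15 tcp/25 connections spread over ~6 minutes,
    # never more than 3 inside any 60-second window.
    for i in range(15):
        lines.append(f"{(base + timedelta(seconds=25 * i)).isoformat()} 12:34:56:78:9a:bc tcp 25")
    # Busy web client: 30 tcp/443 connections, irrelevant to the SMTP rule.
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} de:ad:be:ef:00:01 tcp 443")
    return lines

SAMPLE_LOG = build_sample_log()

def parse_line(line):
    """Split one constructed log line into (timestamp, mac, proto, dst_port)."""
    ts, mac, proto, port = line.split()
    return datetime.fromisoformat(ts), mac.lower(), proto, int(port)

def detect_rate_abuse(lines, threshold, window, port=None):
    """Sliding-window rate rule: flag a source MAC once it has opened
    `threshold` new TCP connections inside `window`. With port=None every
    connection counts (the hotel's generic rule); port=25 gives the tcp/25
    rule. Returns {mac: timestamp at which the threshold was first crossed}."""
    recent = defaultdict(deque)   # per-MAC timestamps still inside the window
    flagged = {}
    for ts, mac, proto, dport in sorted(parse_line(l) for l in lines):
        if proto != "tcp" or (port is not None and dport != port):
            continue
        if mac in flagged:        # already decided; block is in effect
            continue
        q = recent[mac]
        q.append(ts)
        while ts - q[0] >= window:  # drop timestamps that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[mac] = ts
    return flagged

def smtp_blast_rule(lines):
    """The rule from the thread: 15 tcp/25 connections in one minute."""
    return detect_rate_abuse(lines, threshold=15, window=timedelta(minutes=1), port=25)

def generic_flood_rule(lines):
    """The hotel's original coarse rule, 500 connections to anywhere; the
    five-minute period is an assumption, the thread only says 'x period'."""
    return detect_rate_abuse(lines, threshold=500, window=timedelta(minutes=5))

if __name__ == "__main__":
    for mac, when in smtp_blast_rule(SAMPLE_LOG).items():
        print(f"block tcp/25 for {mac} from {when.isoformat()}")
    print("generic rule hits:", generic_flood_rule(SAMPLE_LOG))
```

Only the 2-second sender trips the tcp/25 rule, on its 15th connection 28 seconds in; the slow sender makes the same 15 connections but never holds more than three inside a 60-second window, which is the point of a sliding window over a plain counter. The generic 500-connection rule sees nothing in this sample, illustrating why the hotel wanted the tighter per-port rule. Exceptions for legitimate relays would sit in front of this as a per-customer allowlist, as Jack notes.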