nanog mailing list archives

Re: Access Lists for Subscriber facing ports?


From: Mike <mike-nanog () tiedyenetworks com>
Date: Thu, 27 Mar 2014 06:40:11 -0700

On 03/27/2014 05:44 AM, Shawn L wrote:
> With all of the new worms / denial of service / exploits, etc. that are
> coming out, I'm wondering what others are using for access-lists on
> residential subscriber-facing ports.
>
> We've always taken the stance of 'allow unless there is a compelling reason
> not to', but with everything that is coming out lately, I'm not sure that's
> the correct position any more.

As a residential ISP, we have seen quite a lot of this in terms of both compromised customer computers spewing spam and DDoS, as well as compromised customer routers participating in DDoS attacks and in DNS redirection exploits for phishing and other purposes. I too am an advocate of staying out of the way as much as possible, but I've come around to realize that the average customer NEEDS to be protected against the consequences of their ignorance, MORE than they need the freedom to run a publicly accessible DNS or NTP server. We now have a default access list in place which locks down subscriber ports and prevents them from being a server on commonly exploited services like DNS, NTP, SMTP and so forth. The average customer neither knows nor cares, and suffers absolutely nothing because of it. What tipped it over for me was a rash of DNS changers that exploited default credentials, unknown to us, in a number of subscriber modems, causing no end of customers who secretly depended on a set of DNS resolvers controlled by attackers that were performing poorly, resulting in 'why is it slow?' calls to my support staff. These devices should never have internet-facing management, but they do and they did. I should also say that the ACLs are easily removable for any customer who asks. We don't make a big production out of it or anything, we just put the flag on their account and that's that.

Mike-
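As an added illustration (not from Mike's post or his network), here is one way to express the default subscriber-port policy he describes in Cisco IOS extended-ACL syntax. The ACL name, interface and the 203.0.113.0/24 subscriber prefix (TEST-NET-3) are placeholders.

```cisco
! Added example, not the original poster's configuration. Placeholder
! names and prefix; adapt to the real subscriber pool.
!
! Direction is the key point: to stop a customer device from *being a
! server* on DNS/NTP/SMTP, filter traffic heading TOWARD the subscriber.
! The customer's own outbound lookups and mail submissions use ephemeral
! source ports, so the replies do not match these entries.
ip access-list extended SUBSCRIBER-TOWARD-CPE
 remark Unsolicited connections to commonly abused listeners on the CPE
 deny   udp any 203.0.113.0 0.0.0.255 eq 53
 deny   tcp any 203.0.113.0 0.0.0.255 eq 53
 deny   udp any 203.0.113.0 0.0.0.255 eq 123
 deny   tcp any 203.0.113.0 0.0.0.255 eq 25
 remark Everything else keeps the "allow by default" stance
 permit ip any any
!
! Caveat: classic ntpd (and some other clients) source NTP requests from
! UDP 123, so the server's replies also land on 123 and are dropped here.
! Customers running such hosts are the case for the per-account opt-out
! the post mentions (e.g. a second interface/policy without this ACL).
!
! Apply OUTBOUND on the subscriber-facing interface, i.e. on packets
! leaving the router toward the customer.
interface GigabitEthernet0/1
 description Residential subscribers
 ip access-group SUBSCRIBER-TOWARD-CPE out
```

Hit counters from `show access-lists SUBSCRIBER-TOWARD-CPE` give a cheap view of how much unsolicited server-bound traffic the policy is absorbing.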
