nanog mailing list archives
Re: Automatic shutdown of infected network connections
From: Nathan E Norman <nnorman () incanus net>
Date: Wed, 3 Sep 2003 10:12:16 -0500
On Wed, Sep 03, 2003 at 10:45:26AM -0500, Matthew S. Hallacy wrote:
> On Wed, Sep 03, 2003 at 07:20:28AM -0500, Nathan E Norman wrote:
> > [ Jonathan said "we are filtering and rate limiting at the modem" ... ]
> >
> > On Wed, Sep 03, 2003 at 07:39:17AM -0500, Matthew S. Hallacy wrote:
> > > Why in the world would you do that? The DOCSIS specification allows for
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > filtering rules at the CPE, which means you could simply block icmp echo
> > > and ports 135-139+445 directly at their home network, causing no load
> > > whatsoever on your network, _and_ no more infected boxes (even at 56k).
> >
> > The modem _is_ the CPE. There's no load on the network; just CPU on the
> > modem. "modem config" != "CMTS config".
>
> I think that's exactly what I said, perhaps you misread my comment.

What you said is highlighted above. I don't think I misread it ... I may have misunderstood what you meant. Did you intend to take issue _only_ with rate limiting, as opposed to filtering, or are you taking issue with the broad filtering described, or both? I'm trying to parse "Why in the world ..." :-)

> My point was that you're rate limiting and filtering customers for no
> reason when you have the ability to filter the attack vectors in a very
> effective and 'clean' way. You should consider leaving those ports
> filtered seeing how they're the #1 way for windows systems to be
> infected/hijacked.

The provider in question has a long-standing tradition of providing unfiltered access. Perhaps recent events will cause them to change their policy as you suggest. Personally I think it's a great idea.

[ I'm no longer an employee of said provider ]

Best regards,
-- 
Nathan Norman - Incanus Networking
mailto:nnorman () incanus net
  This message cannot be considered spam, even though it is. Some law
  that never was enacted says so. -- Arkadiy Belousov
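The filter the thread argues about (per-modem CPE rules that drop ICMP echo requests and TCP/UDP 135-139 and 445, with everything else left unfiltered) can be modelled as an ordered, first-match access list. The block below is an added example for this archive page, not code from the thread or from any DOCSIS vendor: the `Rule`/`Flow` types, the one-line flow record format and the sample flows are all constructed here, and the rules are evaluated on destination port only, without distinguishing direction, which is an assumption of the model rather than something the thread specifies.

```python
"""Model of a per-modem (CPE) packet filter of the kind discussed in the thread.

Added example, not part of the NANOG thread. The rule set is the one the
thread names (ICMP echo, TCP/UDP 135-139, TCP/UDP 445); the record format
and the sample flows are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                       # "tcp", "udp" or "icmp"
    ports: Optional[range] = None    # destination port range (tcp/udp only)
    icmp_type: Optional[int] = None  # ICMP type to match; 8 = echo request
    action: str = "drop"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


# Ordered list, first match wins. Only echo *requests* (type 8) are dropped,
# so echo replies and the ICMP types needed for PMTU discovery still pass.
# No trailing rule means the default is "allow", mirroring unfiltered access.
CPE_FILTER: List[Rule] = [
    Rule("icmp-echo", "icmp", icmp_type=8),
    Rule("netbios-rpc", "tcp", ports=range(135, 140)),   # 135-139 inclusive
    Rule("netbios-rpc", "udp", ports=range(135, 140)),
    Rule("smb-445", "tcp", ports=range(445, 446)),
    Rule("smb-445", "udp", ports=range(445, 446)),
]


def match(rule: Rule, flow: Flow) -> bool:
    """True if the flow falls under this rule."""
    if rule.proto != flow.proto:
        return False
    if rule.proto == "icmp":
        return rule.icmp_type is None or rule.icmp_type == flow.icmp_type
    return flow.dport is not None and rule.ports is not None and flow.dport in rule.ports


def evaluate(flow: Flow, rules: Iterable[Rule] = CPE_FILTER) -> Tuple[str, str]:
    """Return (action, rule_name) for the first matching rule, else ("allow", "default")."""
    for rule in rules:
        if match(rule, flow):
            return rule.action, rule.name
    return "allow", "default"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'src dst proto value', where value is
    the destination port for tcp/udp and the ICMP type for icmp."""
    src, dst, proto, value = line.split()
    proto = proto.lower()
    if proto == "icmp":
        return Flow(src, dst, proto, icmp_type=int(value))
    return Flow(src, dst, proto, dport=int(value))


def summarize(lines: Iterable[str], rules: Iterable[Rule] = CPE_FILTER) -> Dict[str, int]:
    """Count flows per 'action:rule' so the effect of the policy can be inspected."""
    rules = list(rules)
    counts: Dict[str, int] = {}
    for line in lines:
        action, name = evaluate(parse_flow(line), rules)
        key = f"{action}:{name}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic toward one subscriber (documentation prefixes only).
SAMPLE_FLOWS = [
    "198.51.100.7 192.0.2.10 tcp 445",   # SMB probe          -> drop (smb-445)
    "198.51.100.7 192.0.2.10 tcp 135",   # RPC endpoint probe -> drop (netbios-rpc)
    "198.51.100.7 192.0.2.10 udp 137",   # NetBIOS name svc   -> drop (netbios-rpc)
    "198.51.100.9 192.0.2.10 icmp 8",    # echo request       -> drop (icmp-echo)
    "198.51.100.9 192.0.2.10 icmp 0",    # echo reply         -> allow
    "203.0.113.5 192.0.2.10 tcp 80",     # web                -> allow
    "203.0.113.5 192.0.2.10 tcp 22",     # ssh                -> allow
]

if __name__ == "__main__":
    for line in SAMPLE_FLOWS:
        print(f"{line:36} -> {evaluate(parse_flow(line))}")
    print(summarize(SAMPLE_FLOWS))
```

The point of modelling the ICMP rule by type rather than dropping all ICMP is the caveat a practitioner would raise against "block icmp": the thread says echo specifically, and a filter that also swallowed echo replies or fragmentation-needed messages would break diagnostics and path MTU discovery for the customer. Running `summarize` over a real flow export before deploying such a policy is the cheap way to see how much legitimate traffic the rules would touch.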
Current thread:
- Re: Automatic shutdown of infected network connections Jonathan Crockett (Sep 02)
- Re: Automatic shutdown of infected network connections Matthew S. Hallacy (Sep 03)
- Re: Automatic shutdown of infected network connections Nathan E Norman (Sep 03)
- Re: Automatic shutdown of infected network connections Matthew S. Hallacy (Sep 03)
- Re: Automatic shutdown of infected network connections Nathan E Norman (Sep 03)
- Re: Automatic shutdown of infected network connections Matthew S. Hallacy (Sep 03)
- Re: Automatic shutdown of infected network connections Nathan E Norman (Sep 03)
- Message not available
- Re: Automatic shutdown of infected network connections Nathan E Norman (Sep 03)
- Re: Automatic shutdown of infected network connections Matthew S. Hallacy (Sep 03)
- Re: Automatic shutdown of infected network connections Mike Tancsa (Sep 03)
- Re: Automatic shutdown of infected network connections Roland Perry (Sep 03)
- <Possible follow-ups>
- Re: Automatic shutdown of infected network connections Chris Lewis (Sep 03)