nanog mailing list archives

Re: Automatic shutdown of infected network connections


From: Nathan E Norman <nnorman () incanus net>
Date: Wed, 3 Sep 2003 10:12:16 -0500


On Wed, Sep 03, 2003 at 10:45:26AM -0500, Matthew S. Hallacy wrote:
> 
> On Wed, Sep 03, 2003 at 07:20:28AM -0500, Nathan E Norman wrote:
> > [ Jonathan said "we are filtering and rate limiting at the modem" ...  ]
> > 
> > On Wed, Sep 03, 2003 at 07:39:17AM -0500, Matthew S. Hallacy wrote:
> > > Why in the world would you do that? the DOCSIS specification allows for
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > filtering rules at the CPE, which means you could simply block icmp echo
> > > and ports 135-139+445 directly at their home network, causing no load 
> > > whatsoever on your network, _and_ no more infected boxes (even at 56k).
> > 
> > The modem _is_ the CPE.  There's no load on the network; just CPU on
> > the modem.  "modem config" != "CMTS config".
> 
> I think that's exactly what I said, perhaps you misread my comment.

What you said is highlighted above.  I don't think I misread it ... I
may have misunderstood what you meant.  Did you intend to take issue
_only_ with rate limiting, as opposed to filtering, or are you taking
issue with the broad filtering described, or both?  I'm trying to
parse "Why in the world ..." :-)
 
> My point was that you're rate limiting and filtering customers for no 
> reason when you have the ability to filter the attack vectors in a very
> effective and 'clean' way. You should consider leaving those ports filtered
> seeing how they're the #1 way for windows systems to be infected/hijacked.

The provider in question has a long-standing tradition of providing
unfiltered access.  Perhaps recent events will cause them to change
their policy as you suggest.  Personally I think it's a great idea.

[ I'm no longer an employee of said provider ]

Best regards,

-- 
Nathan Norman - Incanus Networking mailto:nnorman () incanus net
  This message cannot be considered spam, even though it is.  Some
  law that never was enacted says so.
          -- Arkadiy Belousov
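The CPE-side rule set the thread argues over, written out as a small first-match packet filter. This is an added example and not code from the NANOG thread, from the provider discussed, or from any modem vendor: the Packet and Rule types, the rule order, the "first match wins" evaluation and the sample packets are all this example's own assumptions. A real DOCSIS modem takes its filters from its configuration file and SNMP filter tables, which this code does not produce; it only makes the policy (drop ICMP echo requests and TCP/UDP 135-139 and 445, accept everything else) testable.

```python
"""Added example, not part of the NANOG thread or any vendor's code.

Models the CPE-side rule set discussed above as a first-match packet
filter: drop ICMP echo requests and TCP/UDP 135-139 and 445, accept
everything else.  The Packet/Rule shapes, the rule order and the
"first match wins" semantics are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_ECHO_REQUEST = 8   # ICMP type sent by ping (and by 2003-era worm scanners)


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    direction: str                   # "in" (toward the subscriber) or "out"
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP type, for proto == "icmp"


@dataclass(frozen=True)
class Rule:
    action: str                              # "drop" or "accept"
    proto: Optional[str] = None              # None matches any protocol
    direction: Optional[str] = None          # None matches both directions
    ports: Optional[Tuple[int, int]] = None  # inclusive dport range, None = any
    icmp_type: Optional[int] = None          # None matches any ICMP type

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.ports is not None:
            lo, hi = self.ports
            if p.dport is None or not (lo <= p.dport <= hi):
                return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


# The rule set from the thread: echo requests and the Windows RPC/SMB ports
# are dropped in both directions, so an infected subscriber can neither be
# reached on them nor scan its neighbours on them.  Echo replies (type 0)
# still pass, so the subscriber's own outbound pings keep working.
WORM_VECTOR_RULES: List[Rule] = [
    Rule("drop", proto="icmp", icmp_type=ICMP_ECHO_REQUEST),
    Rule("drop", proto="tcp", ports=(135, 139)),
    Rule("drop", proto="udp", ports=(135, 139)),
    Rule("drop", proto="tcp", ports=(445, 445)),
    Rule("drop", proto="udp", ports=(445, 445)),
    Rule("accept"),  # default: unfiltered access for everything else
]


def decide(rules: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule ("drop" or "accept")."""
    for r in rules:
        if r.matches(p):
            return r.action
    raise ValueError("rule set has no catch-all rule")


def filter_packets(rules: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Apply the rule set to a batch of packets, keeping the verdict per packet."""
    return [(p, decide(rules, p)) for p in packets]


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS: List[Packet] = [
    Packet("tcp", "in", dport=445),                      # SMB probe from the net
    Packet("tcp", "out", dport=135),                     # infected host scanning DCOM
    Packet("udp", "out", dport=137),                     # NetBIOS name service
    Packet("icmp", "out", icmp_type=ICMP_ECHO_REQUEST),  # worm ping sweep
    Packet("icmp", "in", icmp_type=0),                   # echo reply to our own ping
    Packet("tcp", "out", dport=80),                      # ordinary web traffic
    Packet("tcp", "in", dport=140),                      # just outside the range
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(WORM_VECTOR_RULES, SAMPLE_PACKETS):
        print(f"{verdict:6} {pkt}")
```

The catch-all accept at the end is what makes this "unfiltered access minus the worm vectors" rather than a default-deny policy; dropping it makes `decide` raise, which is deliberate so a rule set that silently denies everything is caught during testing rather than on the modem.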

