nanog mailing list archives

Re: zotob - blocking tcp/445


From: Gadi Evron <ge () linuxbox org>
Date: Tue, 16 Aug 2005 18:12:08 +0200


> and again I point to the above rules. What your network can't handle
> 'scanning wise' is completely different from what the network I work on
> can handle.
>
> If your network is being jeopardized by some level of scanning then fix
> that, but that is a local decision. Blindly stating "large ISPs filter
> port X" is just disingenuous; there are certainly cases as exceptions,
> most of which end with the ISP in question saying: "Wow, that was a lot
> more painful than we thought originally :("

I've been following the "don't be the Internet's firewall" thing, but I lost you now.

Quarantine works. Sorry, it does.

If your network can handle everything, that's great.

I have seen cases where people blocked entire countries for mitigation purposes, not to mention entire ISPs. Is that wise and/or good?

It worked for them for the time.

The point is reacting to a given situation. A reason not to do something would NOT be "because then people will not patch". I am sorry.

Nobody is arguing that the philosophy is bad. We even agree with you.
Where I strongly disagree is canceling this method out on ANY level, because that's just plain wrong.

It's simple, it works, and yesterday it worked for several "big ISPs". Would these ISPs generally block port 445? How is that relevant?

They just prevented their entire user base from getting infected, and their network from being DDoS'd and soon after becoming a DDoS source, by going the KISS way and reacting.

        Gadi.
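As an added illustration of the "react to the scanning, quarantine the source" approach the message defends (example code written for this archive page, not from the thread or from any ISP), the script below reads constructed flow records, flags sources that SYN many distinct hosts on tcp/445 inside a short window, and emits per-host block rules in an assumed Cisco-style ACL syntax rather than a blanket port filter.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not from the thread); one per line:
# "<ISO timestamp> <src> <dst> <dport> <proto> <tcp flags>"
SAMPLE_FLOWS = """\
2005-08-16T18:00:00 10.1.1.5 10.2.0.1 445 tcp S
2005-08-16T18:00:01 10.1.1.5 10.2.0.2 445 tcp S
2005-08-16T18:00:01 10.1.1.5 10.2.0.3 445 tcp S
2005-08-16T18:00:02 10.1.1.5 10.2.0.4 445 tcp S
2005-08-16T18:00:02 10.1.1.5 10.2.0.5 445 tcp S
2005-08-16T18:00:03 10.1.1.5 10.2.0.6 445 tcp S
2005-08-16T18:00:10 10.1.1.9 10.3.0.7 445 tcp S
2005-08-16T18:00:11 10.1.1.9 10.3.0.7 445 tcp S
2005-08-16T18:05:00 10.1.1.9 10.3.0.8 445 tcp S
2005-08-16T18:00:12 10.1.1.7 10.2.0.1 80 tcp S
"""

def parse_flows(text):
    """Parse the simple whitespace-separated flow format into tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto, flags = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto, flags))
    return flows

def find_445_scanners(flows, threshold=5, window=timedelta(seconds=60)):
    """Return sources that SYN'd >= threshold distinct hosts on tcp/445 within one window."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, proto, flags in flows:
        if proto == "tcp" and dport == 445 and "S" in flags:
            per_src[src].append((ts, dst))
    scanners = set()
    for src, events in per_src.items():
        events.sort()                      # sliding window over time-ordered SYNs
        seen, left = Counter(), 0          # distinct destinations currently in window
        for ts, dst in events:
            seen[dst] += 1
            while ts - events[left][0] > window:   # expire SYNs older than the window
                old = events[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            if len(seen) >= threshold:
                scanners.add(src)
                break
    return sorted(scanners)

def quarantine_rules(scanners):
    """Per-host rules (assumed Cisco-style ACL syntax) blocking only tcp/445 from each scanner."""
    return [f"deny tcp host {ip} any eq 445" for ip in scanners]
```

Only 10.1.1.5 trips the threshold here; 10.1.1.9 retries one host and touches a second one minutes later, which is normal SMB traffic, not a scan.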

