nanog mailing list archives
Re: Criminals, The Network, and You [Was: Something Else]
From: Sean Donelan <sean () donelan com>
Date: Thu, 20 Sep 2007 13:31:41 -0400 (EDT)
On Wed, 19 Sep 2007, Rich Kulawiec wrote:
> in the logs for days/weeks/months. This suggests to me that Cox is actually paying attention to abuse outbound from their network and is either disconnecting or quarantining hosts which emit it.
It's nice to see Cox getting some praise for a change. Last month people were castigating it for being too aggressive at trying to block Bots.
It seems like half the net is always criticizing ISPs for doing too little and half the net is always criticizing ISPs for doing too much. Cox blocks a lot of ports on its network (25, 80, 135-139, 445, 1900, 1433, 1434, 1900, subseven ports); blackholes networks and DNS names; firewall software that blocked sites with bad TCP software stacks such as Craigslist; and so on. Some people think Cox is being pro-active on the security front; other people think Cox is violating a sacred trust. ISPs are pretty much just damned.
Why should a network user have to petition his or her ISP to authorize their use of a valid network protocol? Shouldn't application authorization occur at the application level instead of relying on the equivalent of .rlogin network-level checks? Companies like DynDNS show there is user demand to operate their own servers (including P2P servers, mail servers, web servers, dns servers, etc) on dynamic IP addresses without needing a special "static" IP address or different in-addr.arpa name.
With Fast-Flux, it looks like the next network port that should be blocked on broadband/dialup connections is DNS tcp/udp 53.
> or multiple of the above (as is the case most of the time), then it's very, very unlikely that refusal of the traffic constitutes a FP.
Until a false positive happens. I see 1-2 false positives a year using checks for "generic-looking" in-addr.arpa names; and a few more false positives for IP addresses without in-addr.arpa names. Nevertheless I still continue to use those checks because the false positive rate is below my pain threshold. But I don't pretend it never happens or may not be a concern to someone else.
I also almost never get a valid e-mail to my postmaster account, just spam; but some people still think every mail server should accept mail to the postmaster account anyway no matter how rarely it gets legitimate email. They even set up RBLs of mail servers without postmaster accounts. Maybe we need an RBL of mail servers that don't accept mail from generic in-addr.arpa or dynamic IP addresses.
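The two checks discussed in the message above (a "generic-looking" in-addr.arpa name, and an address with no in-addr.arpa name at all), sketched as an added example that is not code from the original post or from any mail server. The keyword list, function names, and all sample addresses and names are constructed assumptions; the last sample is a working mail exchanger that the heuristic still flags, which is the kind of false positive the message describes.

```python
import ipaddress
import re

# Assumed keyword list; a real deployment tunes this against its own mail logs.
GENERIC_WORDS = {"dyn", "dynamic", "dhcp", "dsl", "adsl", "cable", "pool",
                 "ppp", "dial", "dialup", "cpe", "customer", "broadband"}

def embeds_address(ip, name):
    """True if the PTR name carries the IPv4 address (decimal, padded or hex)."""
    octets = [int(o) for o in ip.split(".")]
    runs = [int(r) for r in re.findall(r"\d+", name)]
    for o in octets:                      # each octet must match its own digit run,
        if o in runs:                     # in any order (covers reversed forms)
            runs.remove(o)
        else:
            break
    else:
        return True
    padded = "".join("%03d" % o for o in octets)   # e.g. 192000002025
    hexed = "".join("%02x" % o for o in octets)    # e.g. c0000219
    return padded in name or hexed in name

def classify(ip, ptr):
    """Return 'no-ptr', 'generic' or 'named' for a connecting client."""
    ipaddress.IPv4Address(ip)             # raises ValueError on malformed input
    if not ptr:
        return "no-ptr"
    name = ptr.rstrip(".").lower()
    words = set(re.split(r"[^a-z]+", name))
    if embeds_address(ip, name) or words & GENERIC_WORDS:
        return "generic"
    return "named"

# Constructed samples: (client IP, PTR result or None, actually a mail server?)
SAMPLES = [
    ("192.0.2.25", "mail.example.org.", True),
    ("198.51.100.77", "host-198-51-100-77.dyn.example.net.", False),
    ("203.0.113.40", "cb007128.example.net.", False),
    ("203.0.113.9", None, False),
    ("192.0.2.26", "mx-192-0-2-26.example.com.", True),   # legitimate MX
]

def false_positives(samples):
    """Legitimate servers that the checks would still refuse."""
    return [ip for ip, ptr, legit in samples
            if legit and classify(ip, ptr) != "named"]

if __name__ == "__main__":
    for ip, ptr, legit in SAMPLES:
        print(ip, ptr, classify(ip, ptr), "legit" if legit else "")
    print("false positives:", false_positives(SAMPLES))
```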