nanog mailing list archives
Re: ISP port blocking practice
From: Valdis.Kletnieks () vt edu
Date: Thu, 22 Oct 2009 13:33:17 -0400
On Thu, 22 Oct 2009 13:22:17 EDT, Zhiyun Qian said:
> Hi all,
>
> What is the common practice for enforcing port blocking policy (or what is the common practice for you and your ISP)? More specifically, when ISPs try to block a certain outgoing port (port 25 for instance), they could do two rules:
>
> 1). For any outgoing traffic, if the destination port is 25, then drop the packets.
> 2). For any incoming traffic, if the source port is 25, then drop the packets.
>
> Note that either of the rules would be able to block outgoing port 25 traffic since each rule essentially represents one direction in a TCP flow. Of course, they could apply both rules. However, based on our measurement study, it looks like most of the ISPs are only using rule 1). Is there any particular reason why rule 1) instead of rule 2)? Or maybe both?
Note that some spammers use asymmetric routing with forged packets - they spew out a stream of crafted packets from a compromised machine, showing a different source IP. The claimed source IP is also under the spammer's control, and just basically has to catch the inbound SYN/ACK and forward it to the spam-sender (and, if wanted, sink the other ACKs and forward the SMTP replies from the server to the real sender).

So you can have a big sending pipe that doesn't get ingress-filtered(*) sending the spam, and do the control from a throwaway that may have a small pipe.

(*) Of course it's not ingress-filtered - if somebody is selling a spammer a big pipe for this, they can arrange to fail to filter. ;)

The upshot is, of course, that you want to do (1) because you never actually see the (2) packets, they're going someplace else...
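Added example, not part of the original message: a small model of what one access ISP's edge filter sees for an ordinary SMTP handshake and for the asymmetric case described above, evaluated against rule 1, rule 2 and source-address validation (the ingress filtering the footnote refers to). All addresses are constructed from documentation ranges, and the model assumes whatever the relay passes back to the sender does not arrive as a packet from source port 25.

```python
from dataclasses import dataclass
from typing import Optional

SMTP = 25
CUSTOMER_PREFIX = "198.51.100."  # constructed customer range (documentation space)
CUSTOMER, RELAY, MX = "198.51.100.10", "203.0.113.5", "192.0.2.25"  # constructed hosts

@dataclass(frozen=True)
class Packet:
    direction: Optional[str]  # how it crosses this ISP's edge: "out", "in", or None (never seen)
    src: str
    dst: str
    sport: int
    dport: int

def rule1(p):
    """Rule 1 from the thread: drop outgoing packets with destination port 25."""
    return p.direction == "out" and p.dport == SMTP

def rule2(p):
    """Rule 2 from the thread: drop incoming packets with source port 25."""
    return p.direction == "in" and p.sport == SMTP

def source_validation(p):
    """Drop outgoing packets whose source address is not in the customer range."""
    return p.direction == "out" and not p.src.startswith(CUSTOMER_PREFIX)

def blocked(flow, rules):
    """True if any packet of the flow that crosses this edge matches a drop rule."""
    return any(rule(p) for p in flow if p.direction for rule in rules)

SYMMETRIC = [
    Packet("out", CUSTOMER, MX, 40000, SMTP),  # SYN
    Packet("in", MX, CUSTOMER, SMTP, 40000),   # SYN/ACK returns through the same edge
]
ASYMMETRIC = [
    Packet("out", RELAY, MX, 40000, SMTP),     # SYN leaves the customer host with a forged source
    Packet(None, MX, RELAY, SMTP, 40000),      # SYN/ACK goes to the claimed source, not via this edge
]

def verdicts():
    """Map (flow, ruleset) to whether that ruleset alone breaks the flow."""
    rulesets = {"rule1": [rule1], "rule2": [rule2], "source_validation": [source_validation]}
    flows = {"symmetric": SYMMETRIC, "asymmetric": ASYMMETRIC}
    return {(f, r): blocked(pkts, rs) for f, pkts in flows.items() for r, rs in rulesets.items()}

if __name__ == "__main__":
    for key, is_blocked in verdicts().items():
        print(key, "blocked" if is_blocked else "passes")
```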