Re: ISP port blocking practice

[Zhiyun Qian <zhiyunq () umich edu>]

You are exactly right. We also talked about stateful firewall that can protect the GoodNet. For NAT box, depends on the 
type of NAT, it is possible to setup port forwarding on the router (mostly home routers) via uPnP without any 
authentication (I think many home routers are like this by default). And since the machine in GoodNet is also 
compromised, it would not be difficult to achieve this.

Regards.
-Zhiyun
On Sep 2, 2010, at 5:45 PM, William Herrin wrote:

> On Thu, Sep 2, 2010 at 5:59 PM, Zhiyun Qian <zhiyunq () umich edu> wrote:
> > http://www.eecs.umich.edu/~zhiyunq/pub/oakland10_triangular-spamming.pdf
> >
> > One of the high-level findings is that we developed probing techniques
> > to verify that indeed most ISPs are only blocking 1) "outgoing traffic
> > of destination port 25" instead of 2) "incoming traffic with source
> > port 25", which means that these ISPs are vulnerable to the
> > assymetric routing attack.
>
> If I understand your idea correctly:
>
> 1. GoodNet filters TCP destination port 25 packets from his customer
> PwndBox, preventing PwndBox from spamming.
>
> 2. BadGuy on BadNet sends a forged TCP SYN packet to SpamVictim
> allegedly from PwndBox on GoodNet.
>
> 3. PwndBox receives the response packets from SpamVictim and tunnels
> them to BadGuy allowing BadGuy to complete the spam.
>
> 4. GoodNet didn't stop it because PwndBox never sent any packets to TCP port 25.
>
> 5. Since the IP address used was GoodNet's, GoodNet's reputation is damaged..
>
> 6. GoodNet could prevent this attack vector by also blocking packets
> with TCP source port 25 sent -to- PwndBox.
>
> Is that correct?
>
> I observe that if PwndBox is behind a stateful firewall such as a COTS
> NAT box, that also prevents this attack.
>
> Regards,
> Bill Herrin
>
>
>
> -- 
> William D. Herrin ................ herrin () dirtside com  bill () herrin us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004