[102929] in North American Network Operators' Group
RE: Customer-facing ACLs
daemon@ATHENA.MIT.EDU (Frank Bulk - iNAME)
Sat Mar 8 13:12:01 2008
Reply-To: <frnkblk@iname.com>
From: "Frank Bulk - iNAME" <frnkblk@iname.com>
To: "'Joel Jaeggli'" <joelja@bogus.com>, <frnkblk@iname.com>
Cc: "'Mark Foster'" <blakjak@blakjak.net>,
"Dave Pooser" <dave.nanog@alfordmedia.com>, <nanog@merit.edu>
In-Reply-To: <47D226E4.6080502@bogus.com>
Date: Sat, 8 Mar 2008 12:10:58 -0600
Errors-To: owner-nanog@merit.edu
Sorry if I wasn't more clear, but I'm not asking about inbound attempts, I'm
asking about the number of outbound attempts a host would perform.
Frank
-----Original Message-----
From: Joel Jaeggli [mailto:joelja@bogus.com]
Sent: Friday, March 07, 2008 11:41 PM
To: frnkblk@iname.com
Cc: 'Mark Foster'; Dave Pooser; nanog@merit.edu
Subject: Re: Customer-facing ACLs
Frank Bulk wrote:
> The last few spam incidents I measured an outflow of about 2 messages per
> second. Does anyone know how aggressive Telnet and SSH scanning is? Even
> if it was greater, it's my guess there are many more hosts spewing spam than
> there are running abusive telnet and SSH scans.
Judging by the hits on my firewall there's a fair amount of variation
between the scanners that are doing a couple login attempts per hour,
and the bot that's making thousands of login attempts with 4 or 5
connection attempts going at a time. We don't filter them till they hit
a threshold.
I don't even bother to log telnet attempts anymore so I can't say much
about that.
> Frank
>
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Mark Foster
> Sent: Friday, March 07, 2008 10:02 PM
> To: Dave Pooser
> Cc: nanog@merit.edu
> Subject: Re: Customer-facing ACLs
>
>
>> Blocking port 25 outbound for dynamic users until they specifically request
>> it be unblocked seems to me to meet the "no undue burden" test; so would
>> port 22 and 23. Beyond that, I'd probably be hesitant until I either started
>> getting a significant number of abuse reports about a certain flavor of
>> traffic that I had reason to believe was used by only a tiny minority of my
>> own users.
>>
>
> Sorry, I must've missed something.
> Port 25 outbound (excepting ISP SMTP server) seems entirely logical to me.
>
> Port 22 outbound? And 23? Telnet and SSH _outbound_ cause that much of a
> concern? I can only assume it's to stop clients' exploited boxen being used
> to anonymise further telnet/ssh attempts - but have to admit this
> discussion is the first I've heard of it being done 'en masse'.
>
> It'd frustrate me if I jacked into a friend's Internet in order to do some
> legitimate SSH based server administration, I imagine...
>
> Is this not 'reaching' or is there a genuine benefit in blocking these
> ports as well?
>
> Mark.
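The thread turns on two things: how many outbound SSH/telnet attempts a compromised customer host actually makes, and Joel's point that his firewall only filters once a source crosses a threshold, so the scanner doing a couple of attempts per hour is left alone while the bot doing thousands is caught. The following script is an added example, not code from any of the posters, showing what such a per-source threshold check looks like when run over edge firewall logs. The log format (iptables-style `SRC=... DST=... DPT=...` records) and the sample hosts, addresses and counts are all constructed for the example; the threshold of 30 attempts per minute is an arbitrary illustrative value, not one the thread gives.

```python
"""Per-customer threshold check on outbound SSH connection attempts.

Added example. Log format is an assumption (iptables-style lines as a
NAT/edge box might emit for new outbound flows); sample data is constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches constructed lines like:
#   Mar  8 12:00:05 edge kernel: OUT SRC=10.1.1.5 DST=198.51.100.7 PROTO=TCP DPT=22
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: OUT "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dport>\d+)"
)
LOG_YEAR = 2008  # syslog timestamps carry no year; assumed for parsing


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a flow line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = re.sub(r"\s+", " ", m.group("ts"))  # collapse "Mar  8" to "Mar 8"
    ts = datetime.strptime(f"{LOG_YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dport"))


def attempts_per_minute(lines, dport=22):
    """Map each customer source to a Counter of outbound attempts to dport per minute bucket."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _dst, port = rec
        if port != dport:
            continue
        buckets[src][ts.replace(second=0, microsecond=0)] += 1
    return buckets


def flag_sources(lines, threshold=30, dport=22):
    """Return {src: peak_attempts_in_one_minute} for sources that exceed threshold.

    A scanner doing a couple of attempts per hour never trips the check;
    a bot hammering hundreds of hosts a minute does. Everything else stays unfiltered.
    """
    flagged = {}
    for src, per_minute in attempts_per_minute(lines, dport).items():
        peak = max(per_minute.values())
        if peak > threshold:
            flagged[src] = peak
    return flagged


def _line(ts, src, dst, dport):
    return f"{ts} edge kernel: OUT SRC={src} DST={dst} PROTO=TCP DPT={dport}"


def build_sample():
    """Constructed log: a quiet admin, a slow scanner, and a brute-forcing bot."""
    lines = [
        # legitimate customer: one SSH session to their own server
        _line("Mar  8 12:00:05", "10.1.1.5", "198.51.100.7", 22),
        # low-rate scanner: two attempts, an hour apart
        _line("Mar  8 12:01:00", "10.1.1.9", "198.51.100.20", 22),
        _line("Mar  8 13:01:00", "10.1.1.9", "198.51.100.21", 22),
    ]
    # bot: 200 outbound SSH attempts to 50 distinct hosts within a single minute
    for i in range(200):
        lines.append(_line(f"Mar  8 12:05:{i % 60:02d}", "10.1.1.42",
                           f"198.51.100.{100 + i % 50}", 22))
    # the bot's ordinary web traffic is not port 22 and must not count
    lines.append(_line("Mar  8 12:05:10", "10.1.1.42", "198.51.100.200", 80))
    # an unrelated syslog line the parser must ignore
    lines.append("Mar  8 12:05:11 edge sshd[123]: Accepted password for ops")
    return lines


if __name__ == "__main__":
    for src, peak in flag_sources(build_sample()).items():
        print(f"{src}: {peak} outbound SSH attempts in one minute, over threshold")
```

Because the check keys on the peak minute rather than a daily total, the slow scanner in the sample is never flagged even though, over a day, it may make more attempts than a customer doing real administration; that matches the "filter only past a threshold" behaviour described in the thread, and the same function works for port 23 by passing `dport=23`.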