[118592] in North American Network Operators' Group


Re: ISP port blocking practice

daemon@ATHENA.MIT.EDU (a.harrowell@gmail.com)
Sat Oct 24 05:28:12 2009

From: a.harrowell@gmail.com
To: Owen DeLong <owen@delong.com>
Date: Sat, 24 Oct 2009 10:27:28 +0100
Cc: NANOG list <nanog@nanog.org>
Reply-To: a.harrowell@gmail.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



-original message-
Subject: Re: ISP port blocking practice
From: Owen DeLong <owen@delong.com>
Date: 24/10/2009 4:00 am

Yes.

Owen

On Oct 23, 2009, at 2:19 PM, Lee Riemer wrote:

> Isn't blocking any port against the idea of Net Neutrality?
>

Only if you take a legalistic view of it. Too much of the NN debate is
about the futile search for an infallible legal argument with no corner
cases. This is silly.

Take an empirical, practical view instead. Obviously there is no objection
to blocking spam going out; after all, the spam comes from machines that
are no longer under the control of their owners, so the only free speech
that is affected is that of the spammer, and hasn't that already been
litigated?

Free speech doesn't include the freedom to shout fire in a crowded theatre.
Neither does it include the freedom to carry out a DDOS on the fire brigade
control room. You aren't allowed to levy a toll on the roads and except
your mates - roads are neutral. But that doesn't invalidate the speed limit
or the obligation to drive on the left.

> Justin Shore wrote:
>> Owen DeLong wrote:
>>> Blocking ports that the end user has not asked for is bad.
>>
>> I was going to ask for a clarification to make sure I read your
>> statement correctly but then again it's short enough I really don't
>> see any room to misinterpret it.  Do you seriously think that a
>> typical residential user has the required level of knowledge to
>> call their SP and ask for them to block tcp/25, tcp & udp/1433 and
>> 1434, and a whole list of common open proxy ports?  While they're
>> at it they might ask the SP to block the C&C ports for Bobax and
>> Kraken.  I'm sure all residential users know that they use ports
>> 447 and 13789.  If so then send me some of your users.  You must be
>> serving users around the MIT campus.
>>
>>> Doing it and refusing to unblock is worse.
>>
>> How do you propose we pull a customer's dynamically-assigned IP
>> out of a DHCP pool so we can treat it differently?  Not all SPs use
>> customer-facing AUTH.  I can think of none that do for CATV though
>> I'm sure someone will now point out an oddball SP that I've never
>> heard of before.
>>
>>> Some ISPs have the even worse practice of blocking 587 and a few even
>>> go to the horrible length to block 465.
>>
>> I would call that a very bad practice.  I haven't personally seen a
>> mis-configured MTA listening on the MSP port so I don't think they
>> can make the claim that the MSP port is a common security risk.  I
>> would call tcp/587 a very safe port to have traverse my network.  I
>> think those ISPs are either demonstrating willful ignorance or
>> marketing malice.
>>
>>> A few hotel gateways I have encountered are dumb enough to think
>>> they can block TCP/53, which is always fun.
>>
>> The hotel I stayed in 2 weeks ago that housed a GK class I took had
>> just such a proxy.  It screwed up DNS but even worse it completely
>> hosed anything trying to tunnel over HTTP.  OCS was dead in the
>> water.  My RPC-over-HTTP Outlook client couldn't work either.
>> Fortunately they didn't mess with IPSec VPN or SSH.  Either way it
>> didn't matter much since the network was unusable (12 visible APs
>> from room, all on overlapping 802.11b/g channels).  The average
>> throughput was .02Mbps.
>>
>>> Lovely for you, but, not particularly helpful to your customers
>>> who may actually want to use some of those services.
>>
>> I take a hard line on this.  I will not let the technical ignorance
>> of the average residential user harm my other customers.  There is
>> absolutely no excuse for using Netbios or MS-SQL over the Internet
>> outside of an encrypted tunnel.  Any user smart enough to use a
>> proxy is smart enough to pick a non-default port.  Any residential
>> user running a proxy server locally is in violation of our AUP
>> anyway and will get warned and then terminated.  My filtering helps
>> 99.99% of my userbase. The .001% that find this basic security
>> filter intolerable can speak with their wallets.  They can find
>> themselves another provider if they want to use those ports or pay
>> for a business circuit where we filter very little on the
>> assumption they as a business have the technical competence to
>> handle basic security on their own.  (The actual percentage of
>> users that have raised concerns in the past 3 years is .0008%.  I
>> spoke with each of them and none decided to leave our service.)
>>
>> We've been down the road of no customer-facing ingress ACLs.  We've
>> fought the battles of getting large swaths of IPs blacklisted
>> because of a few users' technical incompetence.  We've had large
>> portions of our network null-routed in large SPs.  Then we got our
>> act together and stopped acting like those ISPs who we all love to
>> bitch about, that do not manage their customer traffic, and are
>> poor netizens of this shared resource we call the Internet.  Our
>> problems have all but gone away. Our residential and business users
>> no longer call in on a daily basis to report blacklisting
>> problems.  We no longer have reachability issues with networks that
>> got fed up with the abuse coming from our compromised users and
>> null-routed us.  I stand by our results as proof that what we're
>> doing is right.  Our customers seem to agree and that's what
>> matters.
>>
>> Justin
>>
>>
>>
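The residential customer-facing ingress filter that Justin describes in the quoted message, written out as a Cisco IOS extended ACL so the policy is concrete. This is an added illustration, not configuration posted by anyone in the thread. It denies the ports the message names (tcp/25, NetBIOS and MS-SQL on tcp/udp 135-139, 445, 1433, 1434, and the Bobax/Kraken C&C ports 447 and 13789) and deliberately does not touch 587 or 465, which the thread calls out as the bad practice. The relay address 192.0.2.25 and the interface name are placeholders, and the exception allowing tcp/25 to the ISP's own mail relay is an assumption about how such a policy is usually deployed, not something the thread states; the open-proxy port list is left as a remark because the message does not enumerate it.

```text
! Example only: a residential ingress ACL modelled on the policy in the thread.
! Applied "in" on the customer-facing interface, i.e. to traffic FROM customers.
ip access-list extended RESIDENTIAL-IN
 remark Placeholder: allow direct SMTP only to the ISP's own relay (assumption)
 permit tcp any host 192.0.2.25 eq 25
 remark Block direct-to-MX SMTP from residential hosts; log for the abuse desk
 deny   tcp any any eq 25 log
 remark NetBIOS / SMB have no business on the open Internet
 deny   tcp any any range 135 139
 deny   udp any any range 135 139
 deny   tcp any any eq 445
 remark MS-SQL (tcp/1433) and SQL browser (udp/1434)
 deny   tcp any any eq 1433
 deny   udp any any eq 1434
 remark C&C ports the thread attributes to Bobax and Kraken
 deny   tcp any any eq 447
 deny   tcp any any eq 13789
 remark Add the open-proxy ports your abuse desk actually sees here
 remark tcp/587 (submission) and tcp/465 (SMTPS) are NOT denied on purpose
 permit ip any any
!
interface GigabitEthernet0/1
 description Residential aggregation (placeholder interface)
 ip access-group RESIDENTIAL-IN in
!
```

Business circuits, which the message says are filtered "very little", would get a separate, much shorter ACL on their own interfaces rather than this one. The `log` keyword on the SMTP deny gives the abuse desk a signal that a customer host is trying to spam directly; on a busy aggregation router, rate-limit ACL logging so the entry cannot flood the control plane.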




