[59276] in North American Network Operators' Group


Re: ISPs are asked to block yet another port

daemon@ATHENA.MIT.EDU (Paul Vixie)
Mon Jun 23 13:57:26 2003

To: nanog@merit.edu
From: Paul Vixie <vixie@vix.com>
Date: 23 Jun 2003 17:56:50 +0000
In-Reply-To: <Pine.GSO.4.53.0306231554560.23433@rampart.argfrp.us.uu.net>
Errors-To: owner-nanog-outgoing@merit.edu


chris@UU.NET ("Christopher L. Morrow") writes:

> ISP's could block all ports and save everyone the hassle of having an
> Internet.... (I am just kidding of course)
> 
> Two interesting points though:
> 
> 1) Spammers adapt
> 2) default insecure OS installs cause problems

3) thoughtless reactionism at isp's does little good and sometimes some harm.

take for example port-25 blocking.  i've been getting relayprobed all
weekend by someone who gets around outbound at&t's tcp/25 SYN blocking
by sending their SYN's through a provider who shall remain nameless
(except that chris morrow happens to work there :-)) using at&t IP
source addresses.  i guess they multihomed their host and bind()'d the
outbound socket to one interface even while making sure the routing
used a different interface.  high rocket science?  NOT.

so if you're going to block tcp/25 SYNs on outbound, please make sure
you block SYN/ACK's on input too, or else you just give the spammers a
little more work to do instead of a lot more work to do.
-- 
Paul Vixie
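The filtering point made above, as an added example (not from the post or from any operator's configuration): a small model of a stateless edge filter, comparing an egress-only tcp/25 SYN block with one that also drops inbound SYN/ACKs from port 25 toward customer space. The customer prefix and the relay address are constructed documentation addresses; the handshake steps assume the SYN may leave through another provider while the SYN/ACK still returns to the source address's home network, as the post describes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for this example: the filtering ISP announces 198.51.100.0/24
# and the mail relay being probed is 203.0.113.25 (documentation prefixes).
CUSTOMER_SPACE = ip_network("198.51.100.0/24")

SYN = frozenset({"SYN"})
SYNACK = frozenset({"SYN", "ACK"})


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = leaving the ISP, "in" = arriving from the Internet
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset    # TCP flag names, e.g. SYN or SYNACK above


def egress_only(p: Packet) -> bool:
    """Weak policy: drop tcp/25 SYNs from customer addresses on the outbound side only."""
    if (p.direction == "out" and p.dport == 25 and p.flags == SYN
            and ip_address(p.src) in CUSTOMER_SPACE):
        return False
    return True


def egress_and_ingress(p: Packet) -> bool:
    """Corrected policy: additionally drop SYN/ACKs from port 25 arriving for customer space."""
    if not egress_only(p):
        return False
    if (p.direction == "in" and p.sport == 25 and p.flags == SYNACK
            and ip_address(p.dst) in CUSTOMER_SPACE):
        return False
    return True


def handshake_completes(policy, syn_via_isp: bool) -> bool:
    """First two handshake steps of a customer-sourced connection to the relay's port 25.

    syn_via_isp=False models the SYN exiting through a different provider, so the
    ISP's edge never sees it; the SYN/ACK still routes back to the ISP's prefix.
    """
    syn = Packet("out", "198.51.100.7", "203.0.113.25", 40000, 25, SYN)
    synack = Packet("in", "203.0.113.25", "198.51.100.7", 25, 40000, SYNACK)
    if syn_via_isp and not policy(syn):
        return False
    return policy(synack)
```

Neither policy touches inbound SYNs to a customer's own port 25 or the outbound SYN/ACKs it answers with, so customer mail servers still receive mail; customers that need to originate SMTP themselves need an explicit exemption from both rules.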
