[59279] in North American Network Operators' Group


Re: ISPs are asked to block yet another port

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Mon Jun 23 15:50:13 2003

Date: Mon, 23 Jun 2003 19:49:09 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Paul Vixie <vixie@vix.com>
Cc: nanog@merit.edu
In-Reply-To: <g3d6h4k78d.fsf@sa.vix.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 23 Jun 2003, Paul Vixie wrote:

>
> chris@UU.NET ("Christopher L. Morrow") writes:
>
> > ISP's could block all ports and save everyone the hassle of having an
> > Internet.... (I am just kidding of course)
> >
> > Two interesting points though:
> >
> > 1) Spammers adapt
> > 2) default insecure OS installs cause problems
>
> 3) thoughtless reactionism at isp's does little good and sometimes some harm.

indeed it does... breaking the network with acls often gets me in trouble
:) Really, there are always better solutions than mass filtering something
like this.

>
> take for example port-25 blocking.  i've been getting relayprobed all
> weekend by someone who gets around outbound at&t's tcp/25 SYN blocking
> by sending their SYN's through a provider who shall remain nameless
> (except that chris morrow happens to work there :-)) using at&t IP
> source addresses.  i guess they multihomed their host and bind()'d the
> outbound socket to one interface even while making sure the routing
> used a different interface.  high rocket science?  NOT.

This is what our abuse team, at least, calls 'fantasy mail'. There is a fix
for it, port 25 in and out filtering for radius customers. The 'problem'
as I understand it, is that the change would be a contract change so it
has to wait for expiration of said contract to be enforced... :( It's a
sucky world sometimes. Perhaps Paul complained to
ATT/<other-unnamed-provider> with logs and such? :)

>
> so if you're going to block tcp/25 SYNs on outbound, please make sure
> you block SYN/ACK's on input too, or else you just give the spammers a
> little more work to do instead of a lot more work to do.

Yup, this is in the works also... and yes, someone realized quickly enough
that the one-way filtering was dumb. Oh well. Live and learn!
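The point Paul and Chris are making above, that an egress-only tcp/25 SYN filter is bypassed when the SYN leaves through some other provider while the SYN/ACK still comes home through the filtering ISP, can be modelled with a small stateless packet filter. The following is an added example written for this archive page; it is not code from either poster or from any ISP. The addresses are taken from documentation ranges, the rule representation is invented for the illustration, and it is not a real ACL dialect. It shows the one-way ruleset next to the two-way one (outbound SYN to dport 25 dropped, and inbound SYN/ACK from sport 25 dropped) and evaluates a handshake whose SYN was, or was not, seen by the filter.

```python
"""Stateless model of the tcp/25 filter discussed in the thread.

Added example, not part of the original post. Addresses, port numbers,
interface semantics and the Rule/Packet shapes are constructed for
illustration only.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample addresses (RFC 5737 documentation ranges, not real hosts).
CUSTOMER_IP = "192.0.2.10"     # customer address behind the ISP's edge filter
MAIL_SERVER = "198.51.100.25"  # some remote SMTP server
SMTP = 25


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the customer edge, "in" = arriving at it
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


@dataclass(frozen=True)
class Rule:
    direction: str
    match_port: str  # which port field the rule keys on: "dport" or "sport"
    port: int
    syn: bool
    ack: bool
    action: str = "drop"

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction:
            return False
        port = p.dport if self.match_port == "dport" else p.sport
        return port == self.port and p.syn == self.syn and p.ack == self.ack


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is permitted."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "permit"


# The weak policy: only outbound SYNs to tcp/25 are dropped.
ONE_WAY = [Rule("out", "dport", SMTP, syn=True, ack=False)]

# The corrected policy: also drop inbound SYN/ACKs coming from tcp/25,
# so a handshake whose SYN left via another provider still cannot complete.
TWO_WAY = ONE_WAY + [Rule("in", "sport", SMTP, syn=True, ack=True)]


def handshake_completes(rules: List[Rule], syn_seen_by_filter: bool) -> bool:
    """Return True if the customer could finish a tcp/25 handshake.

    syn_seen_by_filter=False models the case in the thread: the SYN was
    sent out through a different provider, so this edge never saw it,
    but the SYN/ACK is routed back to the customer through this edge.
    """
    syn = Packet("out", CUSTOMER_IP, MAIL_SERVER, 40000, SMTP, syn=True, ack=False)
    synack = Packet("in", MAIL_SERVER, CUSTOMER_IP, SMTP, 40000, syn=True, ack=True)
    if syn_seen_by_filter and evaluate(rules, syn) == "drop":
        return False
    return evaluate(rules, synack) == "permit"


def inbound_mail_delivery_allowed(rules: List[Rule]) -> bool:
    """Sanity check: a remote MTA opening a connection TO the customer's
    own port 25 is a plain inbound SYN, which neither policy touches."""
    inbound_syn = Packet("in", MAIL_SERVER, CUSTOMER_IP, 50000, SMTP, syn=True, ack=False)
    return evaluate(rules, inbound_syn) == "permit"


if __name__ == "__main__":
    for name, rules in (("one-way", ONE_WAY), ("two-way", TWO_WAY)):
        for seen in (True, False):
            print(f"{name:8s} syn_seen={seen!s:5s} "
                  f"handshake_completes={handshake_completes(rules, seen)}")
```

Running it shows the gap: under `ONE_WAY` the handshake completes whenever the SYN did not traverse this edge, while under `TWO_WAY` it fails either way, because the returning SYN/ACK is what the filtering ISP always sees. Note that the added inbound rule keys on source port 25 with SYN and ACK both set, so it does not interfere with connections arriving at the customer's own port 25.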
