[60171] in North American Network Operators' Group
Re: Blocking port 135?
daemon@ATHENA.MIT.EDU (Mans Nilsson)
Sat Aug 2 04:50:31 2003
Date: Sat, 2 Aug 2003 10:46:54 +0200
From: Mans Nilsson <mansaxel@sunet.se>
To: nanog@merit.edu
Cc: Adi Linden <adil@adis.on.ca>
In-Reply-To: <Pine.LNX.4.44.0308011335310.30966-100000@adibox.knet.ca>
X-synced-from: Pilsnet
Errors-To: owner-nanog-outgoing@merit.edu
Subject: Blocking port 135? Date: Fri, Aug 01, 2003 at 01:37:21PM -0500 Quoting Adi Linden (adil@adis.on.ca):
>
> http://www.cert.org/advisories/CA-2003-19.html
>
> Would blocking port 135 at the network edge be a prudent preventative
> measure?
As most have said, no.
* It does not cover all possible attacks.
* It may block legitimate traffic.
* If you block and interfere, you are responsible for what your
customer does. You Do Not Want That.
* If my home ISP tried this on me, I'd take them to the consumer
protection authority and have them explain why they are calling their
filtered service "Internet access".
Instead, I'd suggest this:
- Have the customer responsible for all things on their own machine.
In writing if necessary.
- Inform them that "real Internet" is a Good Thing, but emphasize
that it takes some care and feeding of connected devices.
- Tell them where to get free or cheap protection software.
- Inform them that devices found to be broken into will be sent to null0
until proof of cleanliness has been obtained.
- If they have a larger net (corporate customers) tell them you *will*
take their CPE interface down if they are visibly broken into and fail
to respond.
Works for us.
--
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE
I fill MY industrial waste containers with old copies of the
"WATCHTOWER" and then add HAWAIIAN PUNCH to the top ... They look NICE
in the yard ...