[60443] in North American Network Operators' Group
Re: Port blocking last resort in fight against virus
daemon@ATHENA.MIT.EDU (Jack Bates)
Tue Aug 12 12:32:10 2003
Date: Tue, 12 Aug 2003 11:31:22 -0500
From: Jack Bates <jbates@brightok.net>
To: Mans Nilsson <mansaxel@sunet.se>
Cc: nanog@merit.edu
In-Reply-To: <20030812155038.GA27073@sunet.se>
Errors-To: owner-nanog-outgoing@merit.edu
Mans Nilsson wrote:
>
> Your chosen path is a down-turning spiral of kludgey dependencies,
> where a host is secure only on some nets, and some nets can't cope
> with the load of all administrative filters (some routers tend to
> take port-specific filters into slow-path). That way lies madness.
>
Secure? Who's talking about secure? I'm talking about trash. Not
blocking the port with a large group of infected users means that your
network sends trash to other people's networks. Those networks may or
may not have capacity to mean your network's trash.
Temporarily blocking 135 is not about security. A single infection
within a local net will infect all vulnerable systems within that local
net. A block upstream will not save local networks from cross infecting.
However, it does stop your network from sending the trash out to other
networks which may have smaller capacities than your network does.
Of course, perhaps a good neighbor doesn't really care about other
people's networks? Perhaps there is no such thing as a good neighbor.
It's kill or be killed, and if those other networks can't take my user's
scanning them, then tough!
There is legitimate traffic on 135. All users I've talked to have been
understanding in a short term block of that port. They used alternative
methods. I have a lot of valid traffic still cranking out the other
Microsoft ports.
-Jack
