[60444] in North American Network Operators' Group
RE: Port blocking last resort in fight against virus
daemon@ATHENA.MIT.EDU (McBurnett, Jim)
Tue Aug 12 12:40:52 2003
Date: Tue, 12 Aug 2003 12:40:19 -0400
From: "McBurnett, Jim" <jmcburnett@msmgmt.com>
To: "Jack Bates" <jbates@brightok.net>,
"Mans Nilsson" <mansaxel@sunet.se>
Cc: <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
Jack, et al.
As a larger than average end user and what could
be called a small ISP, I really cannot imagine
legitimate traffic on 135.
Who in their right mind would pass NB traffic in the wild?
I dunno, maybe it is just that old military security mindset
creeping into my brain housing group.
Can someone enlighten me? What is legitimate 136 traffic?
J
-----Original Message-----
From: Jack Bates [mailto:jbates@brightok.net]
Sent: Tuesday, August 12, 2003 12:31 PM
To: Mans Nilsson
Cc: nanog@merit.edu
Subject: Re: Port blocking last resort in fight against virus
Mans Nilsson wrote:
>
> Your chosen path is a down-turning spiral of kludgey dependencies,
> where a host is secure only on some nets, and some nets can't cope
> with the load of all administrative filters (some routers tend to
> take port-specific filters into slow-path). That way lies madness.
>
Secure? Who's talking about secure? I'm talking about trash. Not
blocking the port with a large group of infected users means that your
network sends trash to other people's networks. Those networks may or
may not have capacity to mean your network's trash.
Temporarily blocking 135 is not about security. A single infection
within a local net will infect all vulnerable systems within that local
net. A block upstream will not save local networks from cross infecting.
However, it does stop your network from sending the trash out to other
networks which may have smaller capacities than your network does.
Of course, perhaps a good neighbor doesn't really care about other
people's networks? Perhaps there is no such thing as a good neighbor.
It's kill or be killed, and if those other networks can't take my users
scanning them, then tough!
There is legitimate traffic on 135. All users I've talked to have been
understanding in a short term block of that port. They used alternative
methods. I have a lot of valid traffic still cranking out the other
Microsoft ports.
-Jack
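The two positions above (Jack: a temporary upstream block of 135 stops outbound trash but does nothing against cross-infection inside the local net, and some 135 traffic is legitimate; Jim: he cannot picture legitimate 135 traffic crossing the wild) both turn on the same observable: an infected host fans SYNs out to TCP/135 across many distinct addresses, while a legitimate RPC endpoint-mapper client keeps talking to the same one or two servers. The script below is an added example written for this archive page, not code from any of the posters or from NANOG. It flags scanning sources from flow records and emits per-host deny entries, a narrower alternative to the blanket port block discussed in the thread. The flow record layout (timestamp, source, destination, protocol, destination port, TCP flags), the sample records, the one-minute window and the 20-target threshold, the epoch timestamp and the ACL name BLOCK-135-SCANNERS are all assumptions made for the illustration, not any vendor's export format or a recommended cutoff.

```python
"""Flag hosts fanning SYNs out to TCP/135 and build per-host deny entries.

Added example for the port-blocking thread; not the posters' code.
The record format, sample data and thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address


def constructed_flows():
    """Constructed sample flows (not captured data): one worm-style
    scanner, one legitimate RPC client, and one low-volume source."""
    flows = []
    base = 1060706400  # assumed epoch timestamp (12 Aug 2003)
    # 10.1.2.3 walks 192.0.2.1 .. 192.0.2.60 on TCP/135, one SYN per second
    for i in range(60):
        flows.append(f"{base + i} 10.1.2.3 192.0.2.{i + 1} tcp 135 S")
    # 10.1.2.50 repeatedly reaches its domain controller on 135 (endpoint
    # mapper) and 445: legitimate RPC/SMB traffic to a single destination
    for i in range(10):
        flows.append(f"{base + 5 * i} 10.1.2.50 10.1.2.1 tcp 135 S")
        flows.append(f"{base + 5 * i + 1} 10.1.2.50 10.1.2.1 tcp 445 S")
    # 10.1.9.9 touches five 135 targets, under the default threshold
    for i in range(5):
        flows.append(f"{base + i} 10.1.9.9 198.51.100.{i + 1} tcp 135 S")
    return flows


def parse_flow(line):
    """Parse one 'ts src dst proto dport flags' record (assumed layout)."""
    ts, src, dst, proto, dport, flags = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "dport": int(dport), "flags": flags}


def find_scanners(lines, dport=135, window=60, min_targets=20):
    """Return {src: max distinct targets in one window} for sources that
    send SYNs to at least min_targets distinct hosts on dport within any
    window-second bucket. Repeated SYNs to one server never qualify, which
    is what separates an RPC client from a worm sweeping an address range."""
    targets = defaultdict(set)  # (src, time bucket) -> distinct dsts
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] != dport or f["flags"] != "S":
            continue
        targets[(f["src"], f["ts"] // window)].add(f["dst"])
    scanners = {}
    for (src, _bucket), dsts in targets.items():
        if len(dsts) >= min_targets:
            scanners[src] = max(scanners.get(src, 0), len(dsts))
    return scanners


def render_acl(scanners, dport=135, name="BLOCK-135-SCANNERS"):
    """Render Cisco IOS extended-ACL lines denying only the flagged hosts
    on dport, with a trailing permit so nothing else is affected.
    Sorted numerically by address so the output is stable."""
    lines = [f"ip access-list extended {name}"]
    for src in sorted(scanners, key=ip_address):
        lines.append(f" remark {scanners[src]} distinct targets in one window")
        lines.append(f" deny tcp host {src} any eq {dport}")
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    found = find_scanners(constructed_flows())
    print("\n".join(render_acl(found)))
```

Against the constructed data only 10.1.2.3 is flagged (60 distinct targets in one window); the RPC client with ten connections to one domain controller and the five-target source both stay below the threshold. Two caveats a practitioner would add: a per-host deny list still matches on a port, so it gets the same slow-path treatment Mans mentions on routers that cannot filter by port in hardware; and it is a distinct-destination count, so a worm that sweeps slowly enough to stay under min_targets per window is missed unless the window is widened.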