[63784] in North American Network Operators' Group

Re: Wired mag article on spammers playing traceroute games with trojaned

daemon@ATHENA.MIT.EDU (Michael.Dillon@radianz.com)
Fri Oct 10 06:34:48 2003

To: nanog@merit.edu
From: Michael.Dillon@radianz.com
Date: Fri, 10 Oct 2003 11:32:36 +0100
Errors-To: owner-nanog-outgoing@merit.edu


>I mentioned before that it doesn't really make much sense with web
>hosting because the port can easily be changed so it's not very effective
>at all.

Stop thinking of policing the user and start
thinking of providing a security service. The
default setting of the security service might
include a block on port 80 inbound, but if the
user needs to enable this traffic, give them a
web form that they can use to reconfigure their
settings.

Or, if you can't handle such a variety of
individual ACLs on your equipment, give them
the option of buying a broadband router with 
a recommended default config and un-blocked
service.

If the user has to intervene in order to enable
a server type application to function, that
makes it a lot harder for trojan exploits to
take hold.

--Michael Dillon


