[79875] in North American Network Operators' Group
Re: BCP for ISP to block worms at PEs and NAS
daemon@ATHENA.MIT.EDU (Kim Onnel)
Sun Apr 17 14:51:55 2005
Date: Sun, 17 Apr 2005 20:51:21 +0200
From: Kim Onnel <karim.adel@gmail.com>
Reply-To: Kim Onnel <karim.adel@gmail.com>
To: "J.D. Falk" <jdfalk@cybernothing.org>
Cc: nanog@merit.edu
In-Reply-To: <20050417170501.GB1174@arctic.org>
Errors-To: owner-nanog@merit.edu
Even if they care, its consuming alot of CPU resources and bandwidth,
i had a long quarrel with my teams members on should we do it or not,
i understand that if we only provide best effort traffic without any
filtering contracted its wrong to do it, but the ACL matches are so
big, doing it on the Radius however is one nice other way to do it
IMHO, there was once a worm using port 5000 which broke IPSec, and i
had to modify it all over the place, same with MSSQL ports, a
Centralised configuration is much better, i would like to see these
methods documented anywhere (Practices for ISPs to block worms)
=20
On 4/17/05, J.D. Falk <jdfalk@cybernothing.org> wrote:
> On 04/17/05, Randy Bush <randy@psg.com> wrote:
>=20
> > > On my Cisco-based SP network with RPMs in MGX chassis acting as PEs:
> > > I have the ACL below applied on many network devices to block the
> > > common worms ports,
> >
> > if you are a service provider, perhaps filtering in the core will
> > not be appreciated by some customers. of course, as a provider,
> > you can choose what 'service' you are providing. but, if you
> > filter ports, it is not clear you are providing internet service.
>=20
> In practice, it is nearly certain that your users won't care (or
> even notice) -- but grumpygeeks will argue about it anyway.
>=20
> --
> J.D. Falk As a carpenter bends the seat of a ch=
ariot
> <jdfalk@cybernothing.org> I bend this frenzy round my =
heart.
>
