[83511] in North American Network Operators' Group


Re: zotob - blocking tcp/445

daemon@ATHENA.MIT.EDU (Andy Johnson)
Wed Aug 17 11:41:54 2005

Date: Wed, 17 Aug 2005 11:43:22 -0400
From: Andy Johnson <andyjohnson@ij.net>
To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <43035546.4080204@emmanuelcomputerconsulting.com>
Errors-To: owner-nanog@merit.edu


	I think the point of many on this list is, they are a transit provider, 
not a security provider. They should not need to filter your traffic, 
that should be up to the end user/edge network to decide for themselves.

	Additionally, content filtering is great for those types of end-user 
folks, as this solution wouldn't be so difficult to scale for their 
traffic volumes. However, trying to content filter a transit provider is 
probably not a great idea.

William Warren wrote:
> 
> I may be off base here.  Can't an IPS look at the traffic, say on 443, 
> and figure out whether the traffic is malicious or not?  If so then let 
> it filter it.  I know IPSs aren't perfect, but I would prefer this 
> route be taken, if available and sensible including network outage or 
> DDOS, than a hard block.  A quick block to mitigate and then an IPS rule 
> installed AFTER thorough investigation of the traffic could lessen the 
> load and maybe eliminate the malicious traffic without having to use a 
> hard block.  I know most here prefer not to. I am not saying this is a 
> let's block it all thread, just trying to throw out something I do not 
> see being discussed.
