[83595] in North American Network Operators' Group
Re: zotob - blocking tcp/445
daemon@ATHENA.MIT.EDU (Peter Dambier)
Thu Aug 18 14:04:12 2005
Date: Thu, 18 Aug 2005 20:02:45 +0200
From: Peter Dambier <peter@peter-dambier.de>
Reply-To: peter@peter-dambier.de
To: Roger Marquis <marquis@roble.com>
Cc: NANOG <nanog@trapdoor.merit.edu>
In-Reply-To: <20050818091914.B8914@roble.com>
Errors-To: owner-nanog@merit.edu
Roger Marquis wrote:
>
> Andy Johnson wrote:
>
>> I think the point of many on this list is, they are a transit
>> provider, not a security provider. They should not need to filter
>> your traffic, that should be up to the end user/edge network to
>> decide for themselves.
>
>
> How is this different from a transit provider allowing their network
> to be used for spam? Seems the same hands-off argument was made wrt
> spam a decade ago but has since proved unsustainable.
>
> Our particular problem is with an ISP in Wisconsin, NETNET-WAN. We
> get tens of thousands of scans to netbios ports every day from their
> /19. This is several orders of magnitude more netbios than we see
> from the rest of the net combined. It's eating nontrivial bandwidth
> and cpu that we pay real money for. They've had our logs for months
> but seem incapable of doing anything about their infected customers.
> The suits recommend documenting time and bandwidth costs and sending
> a bill with a cease and desist request.
>
> My question is not what can we do about bots, we already filter
> these worst case networks, but what can we do to make it worthwhile
> for bot-providers like NETNET to police their own networks without
> involving lawyers?
>
Route them through a modem using 4800 Baud. They will very soon look at
what is eating their bandwidth and hopefully find those netbios packets.
Blocking port 445 will prevent me from using "ssh -p 455" to reach my
clients. Using 4800 baud will slow me down but it will not stop me working.
Does anyone really use port 22 for ssh? I cannot use it because of all
those wordbook attacks. Nobody cares to stop those.
Regards,
Peter and Karin Dambier
--
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
+1-360-448-1275 (VoIP: freeworldialup.com)
mail: peter@peter-dambier.de
http://iason.site.voila.fr
http://www.kokoom.com/iason