Valhalla Legends Forums Archive | General Discussion | Security or Freedom?

iago
Lately, when I've been doing portscans, I noticed that certain ports were blocked.  I emailed my ISP about this, and they responded with a beautiful generic message:

[quote]Reasons for port blocking

Over the last few years, the volume of Open Relay Email Spamming and Network Viruses has increased dramatically. Customers and ISPs are directly affected by this continual onslaught of junk Email, Network-based Virus Scanning and Attacks. A number of ISPs worldwide are combating these costly and time-consuming annoyances with the use of Port blocking.

MTS has blocked specific service ports (see below for the list of service ports) on the Residential HSI and dialup networks. These service ports are not normally used by Residential subscribers as well as being prohibited based on our Terms and Conditions for Residential Services (click here to view the terms and conditions web page). Having the appropriate ports blocked will save these users from the ongoing port scanning and potential vulnerability encountered by having these ports exposed (Please keep in mind that VPN tunneling would bypass port blocking and would not be limited).


Simple Mail Transport Protocol, port 25 TCP

Restricting the flow of direct outbound mail will aid in reducing the amount of Spam delivered directly to foreign systems and force all mail delivery to flow via our mail gateways. By not having this in place, our customers' computers are being fraudulently used to deliver millions of messages directly to other providers such as AOL, Hotmail and Yahoo. This in turn has resulted in the MTS domain being placed on blacklists at AOL as well as Hotmail and Senderbase. By forcing mail through our mail gateway we are able to track and police this traffic as well as filter it via Brightmail prior to sending it on to the foreign domain. The MTS SMTP server (smtp.mts.net) will be the only SMTP server available to Residential HSI and dialup customers. SMTP is blocked in both directions for this subscriber base.


Microsoft Service ports

These services were designed for use over secure local area networks and not the hostile environment of the Internet. These ports are blocked in both directions for the Residential DSL and dialup subscriber base. Please note that this will not affect the return ports (Example: The dynamic Ports, 1024 or greater, when used to return traffic to the subscriber)


Ports         Service Name
135 TCP UDP   MS Exchange
137 TCP UDP   MS NetBIOS RPC (Remote Procedure Call), File & Print sharing
138 TCP UDP   "
139 TCP UDP   "
445 TCP       "
1433 TCP      MS SQL
1434 UDP      "


Virus Back Doors

These ports are commonly used by today's popular viruses as back doors to infected computers. This allows the virus creator or hackers, access to these infected computer systems to access files or to use them as a "Zombie" to perform DOS (Denial of service) attacks on Internet locations. These ports are blocked in both directions for the Residential DSL and dialup subscriber base. Please note that this will not affect the return ports (Example: The dynamic Ports, 1024 or greater, when used to return traffic to the subscriber).


Ports       Description
1025 TCP    Commonly used by a variety of viruses (backdoor)
3127 TCP    MyDoom backdoor
6129 TCP    DameWare Remote Admin Software (embedded into viruses)
8998 TCP    Sobig backdoor
9996 TCP    Sasser backdoor
27374 TCP   SubSeven backdoor
[/quote]

The thing is, I'm not sure how to feel about it.  Well, I do, but I'm going to take this from both sides first.

Here, you can find a graph of internet traffic for a single day last week:
http://javaop.clan-e1.net/~iago/images/irabasic.jpg

Out of the top 10 ports for that day (and this is pretty consistent), at least half of them are caused by worms (probably all of them are), and my ISP blocks all of those.  At work, we have IDS (Intrusion Detection Sensors), and we get probed by SQL Slammer about 80,000 times/day, and Red Alert, Sasser, and others are close behind.  Also, spam email relays are everywhere, and it's a HUGE industry, so I can understand blocking SMTP (they have their own SMTP server that we are free to use with our preferred email address).

But here's the thing: is it really up to the ISPs to take care of our security?  And do they have any right to block our ports and police us? 

I think it is.  Because there are obviously 80,000 computers, mostly unique, that probe us daily, and that's an awful lot.  Obviously the people who are looking after the servers aren't doing anything about it (and this was almost a year ago, it will be in January)  <edit> I read the year wrong, it'll be 2 years in January, this was the beginning of 2003</edit>.  Somebody really has to take the initiative and help reduce the number of threats that are taking up tons of bandwidth, not being controlled by any person, and serving no useful purpose except for creating more of the same.

Besides port 25 (which I'm against blocking), not one of those ports has any useful purpose remotely, only within a trusted network.

So I'm happy with my ISPs decision to cut down on the number of viruses sent.  How do others feel about this?



September 27, 2004, 9:14 PM
peofeoknight
I feel that the ISP should not block ports. I think it should be a user's decision. But if they provide a router or hub the ports should be blocked by default, but the user should have the ability to unblock them. I do not know if they would be willing to allow a user to configure their modems though. My ports are all stealth, which is because of my ISP I believe.
September 27, 2004, 9:25 PM
Grok
If the ISP blocks ports, they are opening themselves up to lawsuits.  If they fail to block ports that an application uses to attack a client, but they block ports that I would use on which they say are "dangerous ports", I would sue them at the first opportunity.

Why?  Because a port is nothing more than a value in two bytes.  Blocking data at the ISP router level, based on that value is stupid.  It turns your ISP into a content provider.
September 27, 2004, 9:54 PM
j0k3r
I believe it should be up to the client to choose whether they want their traffic controlled by their ISP or not. A network administrator or knowledgeable computer user would be able to do it themselves, while a lot of casual users would find the option very useful.
September 28, 2004, 7:53 AM
Yoni
The best thing an ISP can do: Block evil ports, and unblock them at user request.

If the user doesn't care about the blocked ports, he doesn't need them and the fact they're blocked protects him. Otherwise, they can be unblocked.

Does any ISP do that?
September 28, 2004, 8:15 AM
Grok
[quote author=Yoni link=topic=8913.msg82391#msg82391 date=1096359328]
The best thing an ISP can do: Block evil ports, and unblock them at user request.

If the user doesn't care about the blocked ports, he doesn't need them and the fact they're blocked protects him. Otherwise, they can be unblocked.

Does any ISP do that?
[/quote]

What's an evil port?  Seriously, evil bit aside.  A port is not a different wire on which data travels, it's just a value of a couple bytes of any given packet.
September 28, 2004, 11:45 AM
Thing
While I feel that the ISP has the right to do whatever they want with their network, I also feel that selective port blocking is futile.  Lusers that continue to use insecure software and open every email attachment with no regard for the consequences, get what they deserve.  Then they can pay me to fix their crap.  I love Microsoft products and the authors of evil software that wrecks them!  The continued havoc created by using M$ products is paying to remodel my new office.  That reminds me, I need to get some pics of the Nexus.

P.S.  The networks that I manage rarely have infection troubles.  I maintain the machines with an anal attention to detail and have regular meetings with the employees to educate them of network security.
September 28, 2004, 1:24 PM
iago
Grok, you're talking about layer 1, the physical layer.  Yes, it's just a bit and a piece of Data.  The port is even a piece of data at the ip layer, but on tcp it's a place where the data goes, and some of the ports have no reason to be used by outside parties.  By convention, all communication on the internet goes over tcp/ip, and on tcp/ip, the bytes that you speak of are the ports, and some ports are dangerous and useless.

But when I was thinking of this in terms of the layers in the OSI Model, I had a thought -- I wonder which layer my ISP filters it at?  If I can specially fragment the packets (which I believe is layer 2), perhaps across the address, it might let each fragment through.

<edit> Thing -- it's futile, yes, but it helps.  If every isp (or even many isps) filtered ports at the tcp or ip layer (not the physical layer like Grok suggests), it would help.
September 28, 2004, 1:29 PM
Thing
http://www.protocols.com/pbook/tcpip1.htm

Recently, I considered port blocking at my edge router.  The more I thought about it the more I realized what a pain in the ass it would be to maintain so I blew it off.  Port blocking doesn't solve the problem, it just reduces the symptoms.  If we are to only block evil ports then we need to block every one of them.  Any port can be used for evil deeds!  I'll just turn off the Internet now and everyone will be safe.
September 28, 2004, 1:43 PM
iago
At my work, we force all traffic through a proxy which allows 21, 22, 80, and 443, and I think that's it.  I would kill my isp if they did that, though.

Incidentally, I've been emailing back and forth at my isp complaining about it, and getting generic responses that don't address any of my questions.  But it's fun anyway.

September 28, 2004, 2:55 PM
Grok
[quote author=iago link=topic=8913.msg82406#msg82406 date=1096378155]some of the ports have no reason to be used by outside parties.  By convention, all communication on the internet goes over tcp/ip, and on tcp/ip, the bytes that you speak of are the ports, and some ports are dangerous and useless.[/quote]

No offense intended here, but that is stupid to say.  A value of a port cannot be dangerous.  Ports are not dangerous.  Ports are not useless.  It's like you're saying the number 9 is scary and should be banned.  Oh, and the numbers 8143, 19226 and 38019 should be put on the scary watch-list.
September 28, 2004, 3:28 PM
iago
[quote author=Grok link=topic=8913.msg82411#msg82411 date=1096385306]
[quote author=iago link=topic=8913.msg82406#msg82406 date=1096378155]some of the ports have no reason to be used by outside parties.  By convention, all communication on the internet goes over tcp/ip, and on tcp/ip, the bytes that you speak of are the ports, and some ports are dangerous and useless.[/quote]

No offense intended here, but that is stupid to say.  A value of a port cannot be dangerous.  Ports are not dangerous.  Ports are not useless.  It's like you're saying the number 9 is scary and should be banned.  Oh, and the numbers 8143, 19226 and 38019 should be put on the scary watch-list.
[/quote]

I assume it's just as stupid to say that the number "53" gives us addresses and that the number "80" gives us webpages?  It's a convention used worldwide on every computer connected to the internet, so it's perfectly reasonable to identify and filter ports based on the services they provide.
September 28, 2004, 4:58 PM
Grok
[quote author=iago link=topic=8913.msg82420#msg82420 date=1096390716]
[quote author=Grok link=topic=8913.msg82411#msg82411 date=1096385306]
[quote author=iago link=topic=8913.msg82406#msg82406 date=1096378155]some of the ports have no reason to be used by outside parties.  By convention, all communication on the internet goes over tcp/ip, and on tcp/ip, the bytes that you speak of are the ports, and some ports are dangerous and useless.[/quote]

No offense intended here, but that is stupid to say.  A value of a port cannot be dangerous.  Ports are not dangerous.  Ports are not useless.  It's like you're saying the number 9 is scary and should be banned.  Oh, and the numbers 8143, 19226 and 38019 should be put on the scary watch-list.
[/quote]

I assume it's just as stupid to say that the number "53" gives us addresses and that the number "80" gives us webpages?[/quote]

Yes.  Now you're getting it.
September 28, 2004, 5:03 PM
KrisL
Keeping in mind that the majority of computer users wouldn't be able to follow this conversation going on here, it is smart for the ISP to block ports for them; however I DO NOT agree that they should do it without user consent.  That's pretty much them saying that WE (the users) do not know how to handle our own system security and that they are going to do it for us whether we like it or not.  While this may be the case in the majority of users, there are users who are confident and comfortable in their own security measures.  I believe it should be posed as an option to each user.  Just like when you install a program you can choose "typical" installation or "custom" (advanced users only), I believe this should be applied to this situation.  A "would you like us to block unused (or typically unused) ports that could prove dangerous when left open?" would be both smart and appreciated.  So all in all, the concept is smart on a large scale, but I do not feel that is the proper way to go about doing it.  Just my two cents.
September 28, 2004, 5:05 PM
iago
[quote author=Grok link=topic=8913.msg82423#msg82423 date=1096391012]
[quote author=iago link=topic=8913.msg82420#msg82420 date=1096390716]
[quote author=Grok link=topic=8913.msg82411#msg82411 date=1096385306]
[quote author=iago link=topic=8913.msg82406#msg82406 date=1096378155]some of the ports have no reason to be used by outside parties.  By convention, all communication on the internet goes over tcp/ip, and on tcp/ip, the bytes that you speak of are the ports, and some ports are dangerous and useless.[/quote]

No offense intended here, but that is stupid to say.  A value of a port cannot be dangerous.  Ports are not dangerous.  Ports are not useless.  It's like you're saying the number 9 is scary and should be banned.  Oh, and the numbers 8143, 19226 and 38019 should be put on the scary watch-list.
[/quote]

I assume it's just as stupid to say that the number "53" gives us addresses and that the number "80" gives us webpages?[/quote]

Yes. Now you're getting it.
[/quote]

Based on the fact that we can't match ports to programs, how do you recommend setting up a firewall?  Just block everything because we don't want to let anything back through, or block nothing since we never know what port something is going to use?

If we block specific ports (which they all do, except for ones that try to do protocol analysis and suck), then we're following the convention that is used everywhere else in the world and it'll work out. 
September 28, 2004, 5:19 PM
Grok
[quote author=iago link=topic=8913.msg82431#msg82431 date=1096391984]
Based on the fact that we can't match ports to programs, how do you recommend setting up a firewall?  Just block everything because we don't want to let anything back through, or block nothing since we never know what port something is going to use?

If we block specific ports (which they all do, except for ones that try to do protocol analysis and suck), then we're following the convention that is used everywhere else in the world and it'll work out. 
[/quote]

You're faltering and you know it when falling back on arguments like "used everywhere else in the world" and "it'll work out".  People used to believe the world was flat, but that did not make it right.  And, it did not work out.

To say that there are evil ports which require blocking argues that there are good ports which do not require blocking.  I know you would not argue such a thing.  Port 80 is equally evil as all other ports.  Or, do you believe port 80 is somehow good?  Tell me one port which you believe is more evil than any other one port.  Of course you cannot, because ports are not good or evil.  Anyway, present a valid computer scientific argument and I'll continue.  Presently you're just trying to defend to save from admitting you're wrong!
September 28, 2004, 7:01 PM
crashtestdummy
666 kind of scares me. Or 139.
September 28, 2004, 7:15 PM
St0rm.iD
I should be able to go to firewall.comcast.net, and have a web-based control panel that works from my IP address which lets me selectively pick ports to use. By default, they should have SMTP and netbios blocked, but allow them to be opened by this web-based CP.
September 28, 2004, 7:39 PM
iago
[quote author=Grok link=topic=8913.msg82452#msg82452 date=1096398069]
[quote author=iago link=topic=8913.msg82431#msg82431 date=1096391984]
Based on the fact that we can't match ports to programs, how do you recommend setting up a firewall?  Just block everything because we don't want to let anything back through, or block nothing since we never know what port something is going to use?

If we block specific ports (which they all do, except for ones that try to do protocol analysis and suck), then we're following the convention that is used everywhere else in the world and it'll work out. 
[/quote]

You're faltering and you know it when falling back on arguments like "used everywhere else in the world" and "it'll work out". People used to believe the world was flat, but that did not make it right. And, it did not work out.

To say that there are evil ports which require blocking argues that there are good ports which do not require blocking. I know you would not argue such a thing. Port 80 is equally evil as all other ports. Or, do you believe port 80 is somehow good? Tell me one port which you believe is more evil than any other one port. Of course you cannot, because ports are not good or evil. Anyway, present a valid computer scientific argument and I'll continue. Presently you're just trying to defend to save from admitting you're wrong!
[/quote]

It involves weighing the potential gains and losses to determine which ports are "evil".  I was trying to argue against an incredibly stupid argument that port numbers don't mean anything because they're just numbers.  You can't argue that, but it doesn't change the fact that some ports are "evil".  NetBIOS ports have no "good" use over the Internet, and HTTP ports DO have a "good" use.  Ports like NetBIOS that are only used for "evil" should be blocked.

Right now, worms are taking up a ton of bandwidth and are hugely widespread, and the worms are _using those ports to spread_!  How do you suggest stopping the worms from going around?  Please, make a suggestion.  Educating users obviously doesn't work, because people don't care.  ISPs can't do it, because like you said, it's bad.  Who else can do it?
September 28, 2004, 9:22 PM
St0rm.iD
What happens when the worms get smart and begin using random ports?
September 28, 2004, 10:33 PM
kamakazie
[quote author=$t0rm link=topic=8913.msg82499#msg82499 date=1096410804]
What happens when the worms get smart and begin using random ports?
[/quote]

Generally worms scan a range of IPs looking for a specific port (usually a service listening on that port) that can be infected.  They can't really use random ports and they usually don't have an interface with which they listen for a master to issue it commands.
September 28, 2004, 10:38 PM
Adron
[quote author=Grok link=topic=8913.msg82452#msg82452 date=1096398069]
To say that there are evil ports which require blocking argues that there are good ports which do not require blocking.  I know you would not argue such a thing.  Port 80 is equally evil as all other ports.  Or, do you believe port 80 is somehow good?  Tell me one port which you believe is more evil than any other one port.  Of course you cannot, because ports are not good or evil.  Anyway, present a valid computer scientistific argument and I'll continue.  Presently you're just trying to defend to save from admitting you're wrong!
[/quote]

It sounds like a good idea to block 139, 80, etc by default. Remember that this is the default in current Windows versions. They are the ports used by all clueless Windows users, it's clueless Windows users we're worried about getting infected, and those who have a clue to use a nonstandard port can probably manage their own firewalling. This all adds up to it being a good idea to block ports!
September 28, 2004, 10:45 PM
Thing
[quote]This all adds up to it being a good idea to block ports![/quote]
Which ports? And which networks?  How far to the backbones do you go?  I use many ports for a variety of legitimate tasks and many of them are non-standard.  Who is going to compensate me for the time it takes me to reconfigure my devices?
September 28, 2004, 11:01 PM
iago
[quote author=$t0rm link=topic=8913.msg82499#msg82499 date=1096410804]
What happens when the worms get smart and begin using random ports?
[/quote]
Huh? How do you infect a service on a random port?  That makes no sense, unless the infection is happening before whatever layer takes care of ports (for instance, Rose Frag Attack), but that's not the type of attack they're blocking against.

Thing -- You don't use 135, 139, 445 to do legitimate things over the internet, do you? 

September 29, 2004, 4:00 AM
crashtestdummy
A worm that scans various ports isn't feasible?
September 29, 2004, 4:17 AM
Adron
[quote author=Thing link=topic=8913.msg82511#msg82511 date=1096412515]
[quote]This all adds up to it being a good idea to block ports![/quote]
Which ports? And which networks?  How far to the backbones do you go?  I use many ports for a variety of legitimate tasks and many of them are non-standard.  Who is going to compensate me for the time it takes me to reconfigure my devices?
[/quote]

As a reseller of network capacity to end users, you should do a survey of your customers, finding out what old operating systems are common. Then by default block the ports of those services on those operating systems that aren't blocked in that version, but are blocked in the latest version of that operating system (i.e. like Windows XP blocks 139, 445, 80, etc). Your customers should have the option to unblock ports individually. And since this gives them a free security upgrade to the latest OS version, you should of course charge them appropriately.

September 29, 2004, 10:51 AM
iago
[quote author=muert0 link=topic=8913.msg82578#msg82578 date=1096431452]
A worm that scans various ports isn't feasible?
[/quote]

Spreading on ports without a known and exploitable service isn't, no.  If you block the main ports that are being used to spread, then, if nothing else, there won't be as many.

For most home users, the ports they have open are ONLY the default windows ones, 135/139/445/1025, and if those are blocked then worms have no way of spreading.
September 29, 2004, 12:21 PM
Arta
Just blocking ports is a bit pointless, but temporarily blocking ports during outbreaks of things like slammer & blaster is totally a good idea - during an outbreak, it would help prevent the spread of infection. When scans dropped off, it would no longer be a useful measure, and should be removed.
September 29, 2004, 12:32 PM
Thing
[quote]Thing -- You don't use 135, 139, 445 to do legitimate things over the internet, do you?[/quote]No.

Adron,
While I do feel that the bandwidth providers do have the right to configure their networks however they want, I still don't feel that it is their responsibility to compensate for software manufacturer's insecure and troublesome products.  The root of the problem is the software, not the network.  If the bandwidth providers reduce the symptoms, where is the incentive for the software manufacturer's to fix their product?

With so much bandwidth being wasted, I'm sure the providers are pissed and want to reduce it for that reason.  A better way, which will provide more value to their customers, is to do what Verizon is doing on their DSL network.  Every new Verizon customer receives a nifty Firewall / Router for them to connect with.  By default, all ports are closed and remote management is disabled on their 2Way devices.  You even have the option of getting one with a built-in wireless router!  I've been on Verizon's DSL network since its inception in Dallas and I've noticed a significant decrease in the amount of unwanted traffic coming into my house from it.  Comcast cable network, however, is a worthless piece of crap because they will allow any device to connect and rape their network.
September 29, 2004, 12:57 PM
iago
[quote author=Arta[vL] link=topic=8913.msg82599#msg82599 date=1096461138]
Just blocking ports is a bit pointless, but temporarily blocking ports during outbreaks of things like slammer & blaster is totally a good idea - during an outbreak, it would help prevent the spread of infection. When scans dropped off, it would no longer be a useful measure, and should be removed.
[/quote]

Slammer, Sasser, and Blaster, among others, would still be classified as an "outbreak".  We're still getting thousands of infection attempts every hour by Slammer (80000/day =~ 3300/hour = ~1/second).  Our IDS doesn't pick up sasser or blaster, because they require an active connection to be established before their signature can be picked up, and our external facing computers are firewalled off.  The IDS is in front of the firewall, but if the connection attempt is dropped it isn't picked up.
September 29, 2004, 1:19 PM
Adron
[quote author=Thing link=topic=8913.msg82601#msg82601 date=1096462674]
Adron,
While I do feel that the bandwidth providers do have the right to configure their networks however they want, I still don't feel that it is their responsibility to compensate for software manufacturer's insecure and troublesome products.  The root of the problem is the software, not the network.  If the bandwidth providers reduce the symptoms, where is the incentive for the software manufacturer's to fix their product?
[/quote]

Nono, it's not their responsibility. It's about adding value. For example, on such a connection you can safely hook up your newly formatted / reinstalled Windows box to download the latest updates.


[quote author=Thing link=topic=8913.msg82601#msg82601 date=1096462674]
With so much bandwidth being wasted, I'm sure the providers are pissed and want to reduce it for that reason.  A better way, which will provide more value to their customers, is to do what Verizon is doing on their DSL network.  Every new Verizon customer receives a nifty Firewall / Router for them to connect with.  By default, all ports are closed and remote management is disabled on their 2Way devices.  You even have the option of getting one with a built-in wireless router!  I've been on Verizon's DSL network since its inception in Dallas and I've noticed a significant decrease in the amount of unwanted traffic coming into my house from it.  Comcast cable network, however, is a worthless piece of crap because they will allow any device to connect and rape their network.
[/quote]

Giving out free routers sounds like a good idea. It's really similar to what I was after, the only difference being what end of the dsl connection the filtering is done on. I thought filtering at the ISP end would be more cost-efficient. I guess with mass production of cheap routers, those might not cost more.
September 29, 2004, 5:03 PM
crashtestdummy
Do they not have cable modems with NAT built-in? If they don't would it be that hard to implement?
September 29, 2004, 5:06 PM
mynameistmp
[quote]
I should be able to go to firewall.comcast.net, and have a web-based control panel that works from my IP address which lets me selectively pick ports to use. By default, they should have SMTP and netbios blocked, but allow them to be opened by this web-based CP.
[/quote]

Hm. ~$80 (and that's Canadian funds) and a wee bit of sed magic...

$ sed -e 's/firewall.comcast.net/192.168.1.1/'

Look, Ma, it's a linksys!
September 29, 2004, 6:21 PM
St0rm.iD
In response to alternate random ports, I'm talking about trojan/email virii.
September 29, 2004, 11:57 PM
iago
Those types of viruses aren't what's saturating the pipes with crap, it's the ones like Slammer and Sasser and MSBlaster that are.

Apparently some ISPs have over 50% of traffic belonging to this crap, which is ridiculous.  I'm quite happy that my ISP took the initiative and helped out the Internet in a small way.  If even a good chunk of ISPs did that right now, they would eliminate a good part of the current worm problem.

Have you ever tried plugging in an unprotected Windows XP machine and tried to download the updates?  It's impossible to do, because you'll get a worm before you finish updating.  That's ridiculous.  Something has to change.
September 30, 2004, 2:02 AM
tA-Kane
[quote author=iago link=topic=8913.msg82483#msg82483 date=1096406540]You can't argue that, but it doesn't change the fact that some ports are "evil".[/quote]

Someguy 1: "i say we should try to get to the east by sailing west..."
Someguy 2: "that doesn't change the fact that you'll fall off the face of the earth if you venture out into the sea too far"

[quote author=Adron link=topic=8913.msg82590#msg82590 date=1096455075]since this gives them a free security upgrade to the latest OS version, you should of course charge them appropriately.[/quote]And of course, if they decide not to use your security features, you charge them a fee for "non-secure fee". Charge them if they do, charge them if they don't! Fuckthat.
September 30, 2004, 5:21 PM
Adron
[quote author=tA-Kane link=topic=8913.msg82741#msg82741 date=1096564890]
[quote author=Adron link=topic=8913.msg82590#msg82590 date=1096455075]since this gives them a free security upgrade to the latest OS version, you should of course charge them appropriately.[/quote]And of course, if they decide not to use your security features, you charge them a fee for "non-secure fee". Charge them if they do, charge them if they don't! Fuckthat.
[/quote]

Well, it's up to them if they want to be connected or not......
September 30, 2004, 7:19 PM
Kp
[quote author=muert0 link=topic=8913.msg82616#msg82616 date=1096477580]Do they not have cable modems with NAT built-in? If they don't would it be that hard to implement?[/quote]

First, with regard to muert0's comment: I wouldn't want one of those even if it existed.  My experiences with "home" router type setups have been consistent failures in achieving my goals, for the simple reason that the NAT device has been so badly braindamaged before retail that it cannot perform even the simple tasks I want, such as getting the NAT rewrites correct when two internal systems talk to their external addresses (e.g. Brood War).

With regard to alternate solutions, I have a draconian one that should resolve the issue in fairly short order.  Rather than blocking worm ports, block networks that generate more than N worm attacks per M time units.  When the network admin informs you that he's fixed the problem, lower the barricade.  ISPs would thus be strongly encouraged to clean up their internal problems (such as by imposing similar measures against their clients), lest they be banned from their provider.  Of course, such would require a Terms-of-Service change between the ISP and their provider, so it would not be instant.  This is along the same principle as the realtime-blackhole-list.  Domains known to be serious sources of spam are completely banned from sending any traffic until they've been cleaned up.  IIRC, MSN got blacklisted for a few days a couple years ago.  They fixed their problems in a hurry after that. ;)

This is said partially in jest, since I doubt any major companies would have the courage to do this to paying customers.  However, I've seen this policy work quite effectively on nonprofit networks (e.g. universities cutting off infected students, companies isolating infected employees from the corporate network).  By nonprofit network, I mean that access to the network is provided as part of some larger deal, so being cut off does not give the infected individual ground to cry "breach of contract" for loss of service.
September 30, 2004, 8:10 PM
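Kp's proposal above (block a network that generates more than N worm probes per M time units, then lower the barricade once its admin reports it fixed), together with kamakazie's and iago's point earlier in the thread that a worm sweeps a range of addresses for one specific port, worked through as an added Python example. This is not code from the thread or from any ISP or IDS product: the alert line format, the /24 aggregation, the thresholds and the sample alert lines are all constructed for the example.

```python
"""
Rate-based network blocking and single-port sweep detection over IDS alert lines.

Added example for the thread above; the alert format, the thresholds and the
sample lines are constructed, not taken from any real IDS.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed alert format: "<ISO time> <src ip> -> <dst ip>:<dst port>/<proto>"
# 198.51.100.0/24 behaves like a network full of infected hosts; 203.0.113.0/24
# sends a few scattered probes that should stay below the threshold.
SAMPLE_ALERTS = """\
2004-09-28T13:00:00 198.51.100.7 -> 192.0.2.1:1434/udp
2004-09-28T13:00:01 198.51.100.7 -> 192.0.2.2:1434/udp
2004-09-28T13:00:02 198.51.100.7 -> 192.0.2.3:1434/udp
2004-09-28T13:00:03 198.51.100.7 -> 192.0.2.4:1434/udp
2004-09-28T13:00:04 198.51.100.7 -> 192.0.2.5:1434/udp
2004-09-28T13:00:05 198.51.100.9 -> 192.0.2.6:445/tcp
2004-09-28T13:00:20 198.51.100.9 -> 192.0.2.7:445/tcp
2004-09-28T13:00:40 198.51.100.12 -> 192.0.2.8:135/tcp
2004-09-28T13:00:00 203.0.113.4 -> 192.0.2.9:445/tcp
2004-09-28T15:30:00 203.0.113.4 -> 192.0.2.10:445/tcp
2004-09-28T18:10:00 203.0.113.20 -> 192.0.2.11:139/tcp
"""


def parse_alert(line):
    """Parse one constructed alert line into a dict of its fields."""
    ts_text, src, _arrow, target = line.split()
    dst, service = target.split(":")
    port, proto = service.split("/")
    return {"ts": datetime.fromisoformat(ts_text), "src": src,
            "dst": dst, "port": int(port), "proto": proto}


def parse_alerts(text):
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def source_network(ip, prefix=24):
    """Map a source address to the prefix that would be blocked as a whole."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def networks_to_block(alerts, threshold, window_seconds, prefix=24):
    """Return {network: time it first exceeded `threshold` alerts within a
    sliding window of `window_seconds`}. A network whose probes are spread out
    in time never accumulates enough alerts inside one window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # network -> timestamps still inside the window
    blocked = {}
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        net = source_network(alert["src"], prefix)
        seen = recent[net]
        seen.append(alert["ts"])
        while seen and seen[0] < alert["ts"] - window:
            seen.popleft()
        if len(seen) >= threshold and net not in blocked:
            blocked[net] = alert["ts"]
    return blocked


def lower_barricade(blocked, network):
    """Unblock a network once its admin reports the infection cleaned up."""
    return {net: ts for net, ts in blocked.items() if net != network}


def sweep_sources(alerts, min_targets):
    """Worm-style behaviour: one source hitting one port on many distinct
    destinations. Returns {(src, port): distinct destination count}."""
    targets = defaultdict(set)
    for alert in alerts:
        targets[(alert["src"], alert["port"])].add(alert["dst"])
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    blocked = networks_to_block(alerts, threshold=6, window_seconds=60)
    for net, ts in blocked.items():
        print(f"block {net} (exceeded threshold at {ts.isoformat()})")
    for (src, port), n in sweep_sources(alerts, min_targets=5).items():
        print(f"sweep: {src} probed port {port} on {n} distinct hosts")
    print("after cleanup:", lower_barricade(blocked, "198.51.100.0/24"))
```

With the constructed sample, only 198.51.100.0/24 crosses six alerts inside a sixty-second window (on its sixth probe, at 13:00:05); 203.0.113.0/24 sends three probes hours apart and is never blocked, which is the property that keeps a single curious user from getting a whole network cut off. The sweep check flags 198.51.100.7 hitting port 1434 on five distinct hosts, the pattern iago's IDS numbers for SQL Slammer describe.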