Re: [fw-wiz] The home user problem returns

From: Mason Schmitt (mason_at_schmitt.ca)
Date: 09/14/05

    To: "R. DuFresne" <dufresne@sysinfo.com>
    Date: Tue, 13 Sep 2005 15:34:23 -0700
    
    

    >>> When enough people choose to smoke, they are placing an unnecessary
    >>> burden on the public medical system, thereby degrading it for everyone
    >>> else.
    >>>
    >
    > Are they? Will they really? After all, considering the above, they are
    > not likely to live as long and thus not going to be within the system as
    > long term as the non-smokers.

    > Are you certain of this, or is it just another version of overhype in
    > this current time and space? After all, think about it a moment, if I
    > draw smoke directly into my lungs, and exhale and then you breathe in a
    > small fraction of what residual smoke is left, is it really more of a
    > health issue for you in a secondary fashion than it was for me in the
    > first intake?

    I should have known better than to bring as touchy an example as this in
    as an analogy...

    You know what, I don't honestly know. I have seen reference to so many
    studies, so much backlash against tobacco companies, (I also really
    liked the movie "The Insider"...), that I have a hard time thinking it's
    not true, but I really didn't come here to debate smoking. I'm sorry I
    inadvertently pulled attention away from the topic at hand.

    ...snipped out my original description of my bot problem

    > That sure seems like a long way about trying to limit the exposures that
    > got and get you into the fixes you find in your ISP technical position,
    > so, let me ask here again, would it not be simpler, and likely go pretty
    > much unnoticed to the vast majority of your users to just not allow
    > ports 135-139, 455, and 500 and the rest of the windows specifics from
    > leaving your perimeters and even actually eliminate it on your
    > broadcasts within?

    In a word... no. We have had all those filters in place for a long
    time. They don't do *** when faced with a bot that comes in via a p2p
    download or IM download that then sets up shop and decides to go after
    your relay rather than trying to do direct-to-mx zombie spamming.

    The bot problem is an insidious one and they are getting smarter.

    > Seems that would be far less work and likely with
    > the ingress and egress filtering eliminate 90% of the issues that hit
    > you and your user base, would it not?

    It's not even remotely close to 90% unfortunately.

    > and certainly without the support
    > overhead of the vast majority of the plans and solutions you are trying
    > to implement, yes?
    >

    I'm going the extra distance (and I imagine all ISPs are going to be in
    a similar boat) because I'm forced to and because I know that if I don't
    start the hardening process now, I'm going to get burnt badly and have
    to scramble for a solution later.

    > My question to the rest of the list remains: how much would an ISP
    > suffer if they invoked such policies?

    Not at all. It's a great start to improving the situation - something
    that all ISPs should be undertaking asap. It would sure help cut down
    on the amount of worm traffic on the net. Take a look at dshield
    sometime for an idea of how much those simple rules would help.

    > and invoked such policies with
    > the hitting those that request to be allowed to avoid those limitations
    > with a service expansion and extra hit from the pocketbook?

    That's unlikely to happen. Why would someone pay extra for such a thing?

    > Rather than
    > give it all away under the basic pricing infrastructure, you make those
    > that wish for the "addon risks" pay for it.

    Again, all the things I'm talking about have little to no negative
    impact on customers. In fact, here's the current list from our router
    (my boss cleared this). There's no harm in disclosing this, because
    anyone that wants to go after our customers can use any of the other
    thousands of ports that are open - these are just to block the common
    automated crap.

    # Microsoft stuff
    tcp 42 # WINS
    udp 42
    tcp 135 # epmap (blaster worm)
    udp 135
    tcp 137:139 # SMB
    udp 137:139
    tcp 445 # win2k SMB
    udp 445 # not really necessary, but...
    tcp 1433:1434 # ms-sql
    udp 1433:1434
    udp 1900 # UPnP service announcement traffic

    # Worms/Trojans
    tcp 1022:1023 # New Sasser Variant
    tcp 2745 # Bagel/beagle backdoor
    udp 2745
    tcp 3127 # Mydoom
    tcp 3129:3199 # Mydoom
    udp 3127:3199
    tcp 5554 # Sasser ftp
    tcp 6129 # Dameware
    tcp 9996 # Sasser backdoor
    tcp 9898 # Dabber backdoor
    tcp 27374 # some trojans
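    The block list above is a plain text table, not firewall syntax. The
    script below is an added example (not from Mason's post or his ISP's
    router) that parses that table as posted, expands the port ranges, emits
    equivalent iptables DROP rules, and answers "is this port/protocol
    filtered?" so you can see exactly what such a list does and does not
    cover. The chain name (FORWARD) and the rule format are assumptions made
    for the example; the list itself is pasted verbatim from the message.

    ```python
    """Turn the posted ISP border block list into iptables rules and query it.

    Added example, not code from the original post. The list text is the one
    Mason posted; the FORWARD chain and --dport matching are assumptions.
    """
    import re
    from typing import Iterator, List, Tuple

    # The block list exactly as posted in the message (constructed input for
    # this example only in the sense that it is embedded here; the content is
    # the message's own).
    BLOCK_LIST = """
    # Microsoft stuff
    tcp 42 # WINS
    udp 42
    tcp 135 # epmap (blaster worm)
    udp 135
    tcp 137:139 # SMB
    udp 137:139
    tcp 445 # win2k SMB
    udp 445 # not really necessary, but...
    tcp 1433:1434 # ms-sql
    udp 1433:1434
    udp 1900 # UPnP service announcement traffic

    # Worms/Trojans
    tcp 1022:1023 # New Sasser Variant
    tcp 2745 # Bagel/beagle backdoor
    udp 2745
    tcp 3127 # Mydoom
    tcp 3129:3199 # Mydoom
    udp 3127:3199
    tcp 5554 # Sasser ftp
    tcp 6129 # Dameware
    tcp 9996 # Sasser backdoor
    tcp 9898 # Dabber backdoor
    tcp 27374 # some trojans
    """

    Rule = Tuple[str, int, int]  # (protocol, low port, high port)

    # "tcp 137:139 # SMB" -> proto=tcp, lo=137, hi=139; trailing comment ignored
    RULE_RE = re.compile(r"^\s*(tcp|udp)\s+(\d+)(?::(\d+))?")


    def parse_rules(text: str) -> Iterator[Rule]:
        """Yield one (proto, lo, hi) tuple per list entry; skip blanks/comments."""
        for line in text.splitlines():
            m = RULE_RE.match(line)
            if not m:
                continue
            proto, lo = m.group(1), int(m.group(2))
            hi = int(m.group(3)) if m.group(3) else lo
            # Reject malformed ranges rather than silently emitting a bad rule.
            if not (0 < lo <= hi <= 65535):
                raise ValueError(f"bad port range in line: {line!r}")
            yield proto, lo, hi


    def iptables_rules(text: str, chain: str = "FORWARD") -> List[str]:
        """Render the list as iptables commands.

        Matching on --dport in FORWARD drops traffic *toward* the listed service
        in both directions (customer -> world and world -> customer), which is
        the ingress plus egress filtering discussed in the thread.
        """
        out = []
        for proto, lo, hi in parse_rules(text):
            dport = str(lo) if lo == hi else f"{lo}:{hi}"
            out.append(f"iptables -A {chain} -p {proto} --dport {dport} -j DROP")
        return out


    def is_blocked(rules: List[Rule], proto: str, port: int) -> bool:
        """True if the given protocol/port falls inside any listed range."""
        return any(p == proto and lo <= port <= hi for p, lo, hi in rules)


    if __name__ == "__main__":
        rules = list(parse_rules(BLOCK_LIST))
        for cmd in iptables_rules(BLOCK_LIST):
            print(cmd)
        # Sanity checks a practitioner would want before loading the ruleset.
        for proto, port in (("tcp", 445), ("tcp", 3128), ("udp", 3128), ("tcp", 25)):
            print(f"{proto}/{port} blocked: {is_blocked(rules, proto, port)}")
    ```

    Two things the queries make visible: the tcp Mydoom entries deliberately
    skip 3128 (so a proxy on that port still works) while the udp entry
    covers the whole 3127:3199 range, and tcp/25 is not on the list at all.
    That last gap is the point Mason makes earlier in the message: a bot that
    arrives over a p2p or IM download and then hammers the ISP's own mail
    relay walks straight past every rule here, which is why the port list is
    a baseline rather than the whole answer.
    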

    --
    Mason
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
