Re: Port 135 Probes Continue

From: David (
Date: 12/30/03

Date: Tue, 30 Dec 2003 03:59:23 GMT

It depends how you look at it. I'm one who also doesn't believe the ISP
should decide what ports to filter. There are times when they may have
to because of worm outbreaks et al., totally acceptable even to me, but
they tend to add filters and never remove them. So they are in effect
dictating to the end user what protocols they can and can't use. And
over time things get more and more restrictive. I'm in a very rural area
and waited a long time for broadband to come to my area. Now it is here
and I have all this additional bandwidth, but the ISP is not allowing me
to do a lot of things I could with a dialup. It's absurd.

If they are given too much free rein in this area they will start
making these decisions based on extending their profit margins with less
and less regard toward the individual customers needs. So today you may
not care that they filter a specific port because it does not interfere
with anything you are currently doing, but someday they might. The last
time my ISP added more filters it was due to an FCC request, so I am
somewhat more accepting of that particular decision. So now instead of
averaging 200 blocked unsolicited packets a day I see 150. Big deal. But
now instead of manipulating services which most people were not using or
don't have exposed anyhow, the malicious types are concentrating on
protocols that everyone uses. One thing I have noticed over time is as
firewalls have become more and more prevalent the exploits have changed.
Instead of seeing something exploit a specific service and set up
another listening server, you are now seeing more and more things that
exploit email and http to install a client application which connects to
an IRC server. The fact that more and more are filtering at their own
machines and borders using firewalls yet the overall problem keeps
growing tells me that adding ISP-level filtering is a temporary bandaid
at best.

As far as the portmapper there are reasons to have it exposed. Most
situations don't warrant it, but someone could use packet filtering on
their end so that only those they wish to give access to can reach it.
It's not a showstopper however because you can always set up a VPN which
is what most do now anyhow. The biggest impact I see personally is that
I can no longer do some of the network diagnostics amongst friends that
I could do before. You cannot do a thorough firewall test from outside a
subnet or network depending on where the ISP is applying their filters
and many of the ISPs are even blocking echo requests now also.
>> Personally I don't want my ISP deciding what I can or cannot connect
>> to. But that's just me. I'll take liberty over security.
> I understand what you say... but if no blocking is done anywhere, then
> worms will periodically, and with increasing frequency, shut down the
> Net and eventually spam will make it unusable.
> This is an important area of debate. While it is often difficult to tell
> good traffic from bad easily, there are certain types which can be
> identified as 'always bad' without too much trouble. Should these be
> blocked or not? I don't know if you have any contact with the Windows
> world, but Microsoft uses a number of well known ports which should
> never, under any circumstances, be accessible to untrusted hosts. So
> does Unix, for that matter. Is there a legitimate reason for connecting
> to a portmapper over the Internet?

There is no single solution to these types of problems. MS needs to do
better with their software, default installations, and default program
configurations. The same goes for many of the other software developers.
New email standards are needed using a new protocol built from the
ground up with security in mind. I don't blame MS for the problem, they
are not the malicious ones writing and releasing the exploits, but their
OS sits on 90% of the desktops so what they do will probably have the
most impact on many of the problems. The internet is too vast for ISPs
to make much of an impact. An ISP will do all kinds of things to make
you think they are helping you with the spam issue for example, yet
they will turn around and sell your email address or subscribe a spammer
if the price is right. If you look at the number of reported monthly
Linux intrusions vs. Windows intrusions and factor in Windows being on
90% of the desktops vs. Linux on 1% you might find that a larger
percentage of Linux machines may have been exploited in certain months.
So even though it has some excellent security features that are not
found in Windows, if the average user does not know how to use them then
things are no better. I would have to add that I have seen Linux improve
in regards to this particular statistic. Many of the distros have made
the default installations and configuration more secure, while MS has
been stagnant in this regard but seems to be finally waking up.

MS has a terrible record when it comes to new features. They are usually
full of bugs and vulnerabilities. Why add a TCP-wrapper like feature
when they could extend ICF to do the same? They need to improve what is
already there before adding more bells and whistles which tend to be
problematic when they are first introduced.
> Microsoft could introduce an equivalent to TCP-wrappers, which together
> with a total block on the private IP blocks by ISPs, might solve the
> problem of worms. Will they? They could abandon the idea of using email
> as an entertainment medium, which would kill most viruses. Will they?

Even if a majority wanted certain ports filtered it is still not right.
Most people don't have a clue what a port is let alone be able to figure
out the reasons to filter a port or not.
Blocking ports doesn't solve the problem. In the long run it simply
fosters new ones. When one hole is patched they just find and use
another one. It can be an effective short term action to help keep a
specific problem from getting worse but for the long haul there are
better solutions.
> ISPs themselves will make routing choices based on connectivity
> available to them on the backbone, and they will prefer paths unclogged
> by spam. Eventually pressure will come to bear on the backbone owners to
> maximise the bandwidth they can offer their customers, by blocking
> obviously unwanted traffic. Some will choose not to do so, and may then
> forfeit income because of this. If enough people want a clean Internet,
> it will happen, but not otherwise. Think of it as democracy in action.
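The post above argues that a host which really needs the portmapper reachable should filter at its own border, admitting only the peers it chooses, and keep echo requests open for those same peers so they can still run diagnostics. The script below is an added example of that approach and is not part of the original message or anyone's production ruleset; the peer addresses (TEST-NET ranges), the interface name `eth0`, and the chain name `PORTMAP-IN` are assumptions chosen for illustration. It emits the iptables commands as text so they can be reviewed before being applied; it also assumes an existing rule elsewhere that accepts ESTABLISHED/RELATED traffic.

```shell
#!/bin/sh
# Added example: per-host packet filtering for the portmapper (111/tcp, 111/udp)
# instead of relying on an ISP-level block. Not from the original post.
#
# ALLOWED_PEERS: constructed sample addresses (TEST-NET, RFC 5737), an assumption.
# WAN_IF: assumed name of the Internet-facing interface.
ALLOWED_PEERS="${ALLOWED_PEERS:-198.51.100.7 203.0.113.42}"
WAN_IF="${WAN_IF:-eth0}"

# build_rules prints the iptables commands rather than running them, so the
# ruleset can be read (or piped into "sh" as root) once it looks right.
build_rules() {
    # Dedicated chain for inbound portmapper traffic; flushed so reruns are idempotent.
    echo "iptables -N PORTMAP-IN"
    echo "iptables -F PORTMAP-IN"

    # Only the listed peers may talk to the portmapper.
    for peer in $ALLOWED_PEERS; do
        echo "iptables -A PORTMAP-IN -s $peer -j ACCEPT"
    done

    # Everything else probing port 111 is logged (rate-limited) and dropped,
    # which also gives a local record of the unsolicited probes the post describes.
    echo "iptables -A PORTMAP-IN -m limit --limit 5/min -j LOG --log-prefix 'portmap-drop: '"
    echo "iptables -A PORTMAP-IN -j DROP"

    # Hand both TCP and UDP portmapper traffic arriving on the WAN side to that chain.
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 111 -j PORTMAP-IN"
    echo "iptables -A INPUT -i $WAN_IF -p udp --dport 111 -j PORTMAP-IN"

    # Keep ICMP echo open for the same peers so they can still ping and test from outside.
    for peer in $ALLOWED_PEERS; do
        echo "iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -s $peer -j ACCEPT"
    done
}

# count_rules returns how many commands the ruleset contains (handy for a sanity check).
count_rules() {
    build_rules | wc -l | tr -d ' '
}

# peer_allowed reports whether an address is in the allow list (0 = yes, 1 = no).
peer_allowed() {
    for peer in $ALLOWED_PEERS; do
        [ "$peer" = "$1" ] && return 0
    done
    return 1
}

build_rules
```

Run it as-is to see the commands; `sh portmap-rules.sh | sudo sh` applies them. Note that the ICMP rules only help if the ISP itself is not already dropping echo requests upstream, which is exactly the limitation the post complains about.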