North American Network Operators Group


Re: zotob - blocking tcp/445

  • From: Gadi Evron
  • Date: Tue Aug 16 11:13:33 2005


and again I point to the above rules. What your network can't handle
'scanning wise' is completely different from what the network I work on
can handle.

If your network is being jeopardized by some level of scanning they fix
that, but that is a local decision. Blindly stating "large isps filter
port X" is just disingenuous, there are certainly cases as exceptions,
most of which end with the ISP in question saying: "Wow that was a lot
more painful than we thought originally :("

I've been following the "don't be the Internet's firewall" thing, but I lost you now.

Quarantine works. Sorry, it does.

If your network can handle everything, that's great.

I have seen cases where people blocked entire countries for mitigation purposes, not to mention entire ISPs. Is that wise and/or good?

It worked for them for the time.

The point is reacting to a given situation. A reason not to do something would NOT be "because then people will not patch". I am sorry.

Nobody is arguing that the philosophy is bad. We even agree with you.
Where I strongly disagree is canceling this method out on ANY level, because that's just plain wrong.

It's simple, it works, and yesterday it worked for several "big ISPs". Would these ISPs generally block port 445? How is that relevant?

They just prevented their entire user-base from getting infected and their network from being DDoS'd and soon after becoming a DDoS source, by going the KISS way and reacting.

Gadi.