North American Network Operators Group


Re: Criminals, The Network, and You [Was: Something Else]

  • From: Sean Donelan
  • Date: Thu Sep 20 13:40:36 2007


On Wed, 19 Sep 2007, Rich Kulawiec wrote:
> in the logs for days/weeks/months.  This suggests to me that Cox
> is actually paying attention to abuse outbound from their network
> and is either disconnecting or quarantining hosts which emit it.

It's nice to see Cox getting some praise for a change. Last month people were castigating it for being too aggressive at trying to block Bots.
It seems like half the net is always criticizing ISPs for doing
too little and half the net is always criticizing ISPs for doing
too much.


Cox blocks a lot of ports on its network (25, 80, 135-139, 445, 1900,
1433, 1434, 1900, subseven ports); blackholes networks and DNS names;
firewall software that blocked sites with bad TCP software stacks such
as Craigslist; and so on.  Some people think Cox is being pro-active
on the security front; other people think Cox is violating a sacred
trust.  ISPs are pretty much just damned.

Why should a network user have to petition his or her ISP to authorize
their use of a valid network protocol?  Shouldn't application
authorization occur at the application level instead of relying on
the equivalent of .rlogin network-level checks?

Companies like DynDNS show there is user demand to operate their own
servers (including P2P servers, mail servers, web servers, dns servers, etc) on dynamic IP addresses without needing a special "static" IP address or different in-addr.arpa name.


With Fast-Flux, it looks like the next network port that should be blocked on broadband/dialup connections is DNS tcp/udp 53.

> or multiple of the above (as is the case most of the time), then it's
> very, very unlikely that refusal of the traffic constitutes a FP.

Until a false positive happens. I see 1-2 false positives a year
using checks for "generic-looking" in-addr.arpa names; and a few more false positives for IP addresses without in-addr.arpa names. Nevertheless I still continue to use those checks because the false positive rate is below my pain threshold. But I don't pretend it never happens or may not be a concern to someone else.


I also almost never get a valid e-mail to my postmaster account, just
spam; but some people still think every mail server should accept mail
to the postmaster account anyway no matter how rarely it gets legitimate
email. They even set up RBLs of mail servers without postmaster accounts. Maybe we need an RBL of mail servers that don't accept mail from generic in-addr.arpa or dynamic IP addresses.
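The "generic-looking in-addr.arpa name" and "no in-addr.arpa name" checks mentioned in the post are simple enough to show as code. The following is an added example, not code from the post or from any of the operators discussed; the token list, the three-of-four-octets rule, the allowlist and the sample PTR data are all assumptions constructed for the illustration. The allowlist is there to make the post's trade-off concrete: a heuristic with a known, small false-positive rate stays in service, and the operator records the exceptions explicitly rather than pretending they never occur.

```python
import re
from typing import Dict, List, Optional

# Constructed sample rDNS lookups for connecting addresses (hypothetical data,
# not taken from the post). None means the address has no in-addr.arpa record.
SAMPLE_PTRS: Dict[str, Optional[str]] = {
    "203.0.113.45": "203-0-113-45.dyn.example-isp.net",
    "203.0.113.46": None,
    "198.51.100.7": "mail.example.org",
    "198.51.100.8": "ip-198-51-100-8.pool.example-isp.net",
    "192.0.2.10": "host10.dhcp.example-cable.com",
    "192.0.2.11": "mx2.example.com",
    "192.0.2.12": "ppp-12.example-telco.net",
    "192.0.2.13": "dyn-mailer.example-partner.net",
}

# Hostname fragments that commonly mark consumer or dynamic address space.
# This is an assumed heuristic list; every operator tunes their own.
GENERIC_TOKENS = {"dyn", "dynamic", "dhcp", "pool", "ppp", "dial", "dialup",
                  "cable", "dsl", "client"}

# Names the operator accepts even though they match the heuristic: the known
# false positives that are "below the pain threshold". Constructed entry.
ALLOWLIST = {"dyn-mailer.example-partner.net"}


def _labels(name: str) -> List[str]:
    """Split a hostname into tokens on dots, hyphens and underscores."""
    return [t for t in re.split(r"[.\-_]", name.lower().rstrip(".")) if t]


def embeds_address(ip: str, name: str) -> bool:
    """True when at least three of the four IPv4 octets appear as tokens in the
    PTR name (e.g. 203-0-113-45.dyn...). Requiring three, not four, tolerates
    one octet glued to a word; requiring more than one avoids matching a lone
    '0' or '2' that happens to be a label."""
    tokens = _labels(name)
    return sum(1 for octet in ip.split(".") if octet in tokens) >= 3


def has_generic_token(name: str) -> bool:
    """True when any label of the PTR name is in the generic-token list."""
    return any(t in GENERIC_TOKENS for t in _labels(name))


def classify(ip: str, ptr: Optional[str]) -> str:
    """Return one verdict for a connecting address:
    'no-ptr'      - no in-addr.arpa record at all
    'allowlisted' - matches the heuristic but is a recorded exception
    'generic'     - name embeds the address or carries a generic token
    'ok'          - nothing in the name suggests dynamic space
    """
    if ptr is None:
        return "no-ptr"
    if ptr.lower().rstrip(".") in ALLOWLIST:
        return "allowlisted"
    if embeds_address(ip, ptr) or has_generic_token(ptr):
        return "generic"
    return "ok"


def summarize(ptrs: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Group addresses by verdict so an operator can review what a reject
    policy would actually hit before turning it on."""
    out: Dict[str, List[str]] = {"no-ptr": [], "generic": [], "allowlisted": [], "ok": []}
    for ip, ptr in ptrs.items():
        out[classify(ip, ptr)].append(ip)
    return out


if __name__ == "__main__":
    for verdict, ips in summarize(SAMPLE_PTRS).items():
        print(f"{verdict:12s} {', '.join(ips) or '-'}")
```

Running the block prints the sample addresses grouped by verdict. In a real deployment the `SAMPLE_PTRS` dictionary would be replaced by live PTR lookups of the connecting address at SMTP time, and the `generic` and `no-ptr` buckets would be reviewed periodically so that new false positives are moved to the allowlist rather than silently rejected.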