North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Customer-facing ACLs

  • From: Robert Beverly
  • Date: Fri Mar 07 15:57:23 2008

On Fri, Mar 07, 2008 at 01:55:05PM -0600, Justin Shore wrote:
> What kind of customer-facing filtering do you do (ingress and egress)? 
> This of course is dependent on the type of customer, so lets assume 
> we're talking about an average residential customer.

As part of a recent measurement project, we estimate the prevalence
of ingress and egress blocking (though under the guise of neutrality).
For customer facing filters, we leverage protocols which provide 
port-specific redirects, e.g. HTTP, Gnutella, etc.  For traffic
toward customers, we use port-specific tcptraceroutes.  Some published
data for the curious:

Reader's digest summary: NetBIOS ports (and the innocent profile
service) 135-139 are among the most frequently blocked, along
with SMTP, POP3 and filters that have stuck around due to various
worms such as MS-SQL.  That said, around 94% of the 16bit port
space was unblocked by any network.

Curious to other's answer to this high-level question -- and the
more mundane question of filter maintenance.