On Sat, 30 Aug 2003, Sean Donelan wrote:
> The recurring theme is: I don't want my ISP to block anything I do, but ISPs should block other people from doing things I don't think they should do.
That's about my position, I guess. <g> There's a difference between naively blocking ports or screwing with packets, though, and blocking known dodgy behaviour (spoofed source addresses, for one). Yes, port 135 is a known vector, and so is 4444 now, but they have their legitimate uses. If you have evidence that someone is doing something dodgy with them, then you should shut them down. But spanking everyone because some people can't/won't take responsibility for their systems reeks of schoolroom justice ("We're all going to sit here until the guilty party owns up").
> So how long is reasonable for an ISP to give a customer to fix an infected computer, when you have cases like Slammer where it takes only a few minutes to infect the entire Internet? Do you wait 72 hours? or until the next business day? or block the traffic immediately?
Immediately. The ISP is, IMO, responsible for the traffic of those they connect to the Internet. Maybe I'm just showing my old-fashioned values there, though.
> Or some major ISPs seem to have the practice of letting the infected computers continue attacking as long as it doesn't hurt their network.
"Welcome to my null0, O provider of loose morals".
-- 
-----------------------------------------------------------------------
#include <disclaimer.h>
Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16