On Wed, Sep 03, 2003 at 10:45:26AM -0500, Matthew S. Hallacy wrote:
On Wed, Sep 03, 2003 at 07:20:28AM -0500, Nathan E Norman wrote:
[ Jonathan said "we are filtering and rate limiting at the modem" ... ]
On Wed, Sep 03, 2003 at 07:39:17AM -0500, Matthew S. Hallacy wrote:
Why in the world would you do that? The DOCSIS specification allows for
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
filtering rules at the CPE, which means you could simply block ICMP echo and ports 135-139+445 directly at their home network, causing no load whatsoever on your network, _and_ no more infected boxes (even at 56k).
The modem _is_ the CPE. There's no load on the network; just CPU on the modem. "modem config" != "CMTS config".
I think that's exactly what I said; perhaps you misread my comment.
What you said is highlighted above. I don't think I misread it ... I may have misunderstood what you meant. Did you intend to take issue _only_ with rate limiting, as opposed to filtering, or are you taking issue with the broad filtering described, or both? I'm trying to parse "Why in the world ..." :-)
My point was that you're rate limiting and filtering customers for no reason when you have the ability to filter the attack vectors in a very effective and 'clean' way. You should consider leaving those ports filtered seeing how they're the #1 way for windows systems to be infected/hijacked.
The provider in question has a long-standing tradition of providing unfiltered access. Perhaps recent events will cause them to change their policy as you suggest. Personally I think it's a great idea.

[ I'm no longer an employee of said provider ]

Best regards,

-- 
Nathan Norman - Incanus Networking
mailto:nnorman@incanus.net
This message cannot be considered spam, even though it is.
Some law that never was enacted says so.
-- Arkadiy Belousov
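An added example, not part of this thread and not the configuration of the provider discussed: what the per-modem filter Matthew describes could look like as a DOCSIS cable-modem configuration fragment. It is written in the syntax of the open-source docsis config compiler and drives the docsDevFilterIp table from DOCS-CABLE-DEVICE-MIB, which the CMTS never sees; the modem applies the rows itself after it downloads the file. The row indices (10-14), the ClassOfService values and the decision to filter both TCP and UDP on 135-139 and 445 are assumptions. One caveat the thread does not mention: the docsDevFilterIp table matches on protocol and ports but has no ICMP-type field, so the last row discards all ICMP rather than only echo requests, which is broader than what was suggested above.

```text
/* Added example (not from the thread): docsis-compiler config fragment.
 * Assumes a modem that implements DOCS-CABLE-DEVICE-MIB docsDevFilterIp;
 * row indices 10-14 and the ClassOfService values are arbitrary. */
Main {
    NetworkAccess 1;
    ClassOfService {
        ClassID 1;
        MaxRateDown 3000000;   /* assumed service tier, bits/s */
        MaxRateUp 256000;
        PriorityUp 1;
    }
    MaxCPE 4;

    /* Anything not matched by a filter row is accepted (1 = accept). */
    SnmpMibObject docsDevFilterIpDefault.0 Integer 1 ;

    /* Row 10: discard TCP with destination port 135-139, both directions. */
    SnmpMibObject docsDevFilterIpStatus.10 Integer 4 ;        /* createAndGo */
    SnmpMibObject docsDevFilterIpControl.10 Integer 1 ;       /* discard */
    SnmpMibObject docsDevFilterIpIfIndex.10 Integer 0 ;       /* all interfaces */
    SnmpMibObject docsDevFilterIpDirection.10 Integer 3 ;     /* both */
    SnmpMibObject docsDevFilterIpProtocol.10 Integer 6 ;      /* TCP */
    SnmpMibObject docsDevFilterIpDestPortLow.10 Integer 135 ;
    SnmpMibObject docsDevFilterIpDestPortHigh.10 Integer 139 ;

    /* Row 11: same range for UDP (137/138 NetBIOS name and datagram). */
    SnmpMibObject docsDevFilterIpStatus.11 Integer 4 ;
    SnmpMibObject docsDevFilterIpControl.11 Integer 1 ;
    SnmpMibObject docsDevFilterIpIfIndex.11 Integer 0 ;
    SnmpMibObject docsDevFilterIpDirection.11 Integer 3 ;
    SnmpMibObject docsDevFilterIpProtocol.11 Integer 17 ;     /* UDP */
    SnmpMibObject docsDevFilterIpDestPortLow.11 Integer 135 ;
    SnmpMibObject docsDevFilterIpDestPortHigh.11 Integer 139 ;

    /* Row 12: discard TCP 445 (SMB over TCP). */
    SnmpMibObject docsDevFilterIpStatus.12 Integer 4 ;
    SnmpMibObject docsDevFilterIpControl.12 Integer 1 ;
    SnmpMibObject docsDevFilterIpIfIndex.12 Integer 0 ;
    SnmpMibObject docsDevFilterIpDirection.12 Integer 3 ;
    SnmpMibObject docsDevFilterIpProtocol.12 Integer 6 ;
    SnmpMibObject docsDevFilterIpDestPortLow.12 Integer 445 ;
    SnmpMibObject docsDevFilterIpDestPortHigh.12 Integer 445 ;

    /* Row 13: discard UDP 445 as well (assumption: filter both transports). */
    SnmpMibObject docsDevFilterIpStatus.13 Integer 4 ;
    SnmpMibObject docsDevFilterIpControl.13 Integer 1 ;
    SnmpMibObject docsDevFilterIpIfIndex.13 Integer 0 ;
    SnmpMibObject docsDevFilterIpDirection.13 Integer 3 ;
    SnmpMibObject docsDevFilterIpProtocol.13 Integer 17 ;
    SnmpMibObject docsDevFilterIpDestPortLow.13 Integer 445 ;
    SnmpMibObject docsDevFilterIpDestPortHigh.13 Integer 445 ;

    /* Row 14: discard ICMP. The table cannot match on ICMP type, so this
     * drops echo replies and error messages too, not just echo requests. */
    SnmpMibObject docsDevFilterIpStatus.14 Integer 4 ;
    SnmpMibObject docsDevFilterIpControl.14 Integer 1 ;
    SnmpMibObject docsDevFilterIpIfIndex.14 Integer 0 ;
    SnmpMibObject docsDevFilterIpDirection.14 Integer 3 ;
    SnmpMibObject docsDevFilterIpProtocol.14 Integer 1 ;      /* ICMP */
}
```

The fragment is compiled with the docsis tool into the binary file the modem fetches over TFTP at registration, so the rules take effect on the next modem reboot or re-registration and cost the CMTS nothing. Two checks worth doing before rolling this out: read back docsDevFilterIpMatches for rows 10-14 over SNMP from the provisioning network to confirm the modem is actually counting discards (some modem firmware silently ignores filter rows it does not support), and remember the filter sits between the home network and the cable plant only; machines behind the same modem can still infect each other over 135-139 and 445.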