On 8/12/2003 at 12:40:19 -0400, McBurnett, Jim said:
> who in their right mind would pass NB traffic in the wild?
That's the problem; not all customers are in their right mind. All they know is that it was working yesterday, and not today, because you blocked a port.

The question of port blocking for most sizable ISPs comes down to principle vs. principle.

On the one hand, you have the principle of network invisibility. You agreed to pass customer traffic, not pass judgement on it. If it's a valid IP packet, you'll deliver it. And you don't slow down or stop traffic because you're spending cycles examining packets.* That's what customers expect.

On the other hand, you have the principle of being a good network citizen. You try to keep your tables clean and your peers from flapping. You accept valid routes and inform your peers when you get invalid ones, so they have a chance to fix them. You are properly embarrassed when you find a spammer on your network or your name on the CIDR report. And you don't spew other people's networks with worm traffic. That is what other providers expect.

Port blocking is therefore a quandary: do you stick with your customer principle, or your provider principle? I think most of us weigh the damage of the attack vs. the damage of losing the port, and make individual judgement calls. It would be nice if there were some central consensus on when to block ports; then individual providers wouldn't need to take abuse from customers or other networks when their judgement wasn't exactly the same as somebody else's.

-Dave

* Before the holy war starts, yeah, some hardware doesn't slow down when blocking ports, and this is only an issue if your hardware isn't that breed. My point is that this might be an issue for some hardware, and that "Buy vendor X" isn't really a solution for everyone.