Re: Operational impact of filtering SMB/NETBIOS traffic?
I've been reading this thread, and from the get-go I've been wondering why an ISP would consider filtering SMB, SSH, telnet, or any other well-used protocol. I suppose I'm of the opinion that an ISP should let their customers shoot themselves in the foot.

I'm not employed by an ISP. I don't pass customer traffic across my network. I don't really have much of a network (though, if all goes well, it'll get larger). However, I would get annoyed if an ISP filtered some of my traffic that I considered legitimate, even if it is some Mickey Mouse, insecure protocol.

If I want filtering, I'll call the ISP and ask for that service, for which they should charge. Otherwise, I'll go and buy my own firewall. They can be quite inexpensive and easy to use, even for non-network folk.

It's difficult enough to debug network issues without having my ISPs mucking with which protocols they're going to allow.

In the end, this sort of security should be up to me. If I don't like my feet, I should be allowed to add some additional metal, if I so choose.

I guess I don't understand the argument and why an ISP would want to filter SMB (quality of the protocol aside).

Mike
--
Mike Johnson
Network Engineer / iSun Networks, Inc.
Morrisville, NC
All opinions are mine, not those of my employer
Since we started filtering NetBIOS ports and packets directed to network or broadcast addresses from and to our modems, our inbound abuse reports have virtually stopped, and a look at the security logs shows hundreds of people simultaneously port scanning NetBIOS ports. So far no one has complained about problems. I don't think many people in reality use the Internet for SMB in its basic form; it's normally businesses who might need it, and assuming they're sensible they will be using VPN tunnels anyway.

In answer, Mike, I'm happy to let customers shoot themselves in the foot if they wish; it's just the unnecessary overhead it generates I don't like. BTW, these are the only filters I impose on users (I also have some stuff in place to kill spoofing from or to my users).

Actually, I think half the problem is the latest trend to use anti-intrusion software, with so many people emailing in reports from these programs to us. Why?? I've no idea; if your system is secure, don't worry. If it's not, then you've probably just been hacked anyhow.

Does that help you understand the argument? I think SMB is a source of much hassle and is virtually never used legitimately, and better off blocked from our abuse mailbox point of view!

Steve
--
Stephen J. Wilcox
Internet Manager, Opal Telecom
http://www.opaltelecom.co.uk/
Tel: 0161 222 2000  Fax: 0161 222 2008

On Sun, 19 Nov 2000, Mike Johnson wrote:

> I've been reading this thread, and from the get-go I've been wondering why an ISP would consider filtering SMB, SSH, telnet, or any other well-used protocol. I suppose I'm of the opinion that an ISP should let their customers shoot themselves in the foot.
>
> I'm not employed by an ISP. I don't pass customer traffic across my network. I don't really have much of a network (though, if all goes well, it'll get larger). However, I would get annoyed if an ISP filtered some of my traffic that I considered legitimate, even if it is some Mickey Mouse, insecure protocol.
>
> If I want filtering, I'll call the ISP and ask for that service, for which they should charge. Otherwise, I'll go and buy my own firewall. They can be quite inexpensive and easy to use, even for non-network folk.
>
> It's difficult enough to debug network issues without having my ISPs mucking with which protocols they're going to allow.
>
> In the end, this sort of security should be up to me. If I don't like my feet, I should be allowed to add some additional metal, if I so choose.
>
> I guess I don't understand the argument and why an ISP would want to filter SMB (quality of the protocol aside).
>
> Mike
> --
> Mike Johnson
> Network Engineer / iSun Networks, Inc.
> Morrisville, NC
> All opinions are mine, not those of my employer
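The three filters Steve describes (NetBIOS ports, packets aimed at a subnet's network or broadcast address, and spoofed sources from or to his users) are easy to state but worth seeing as one ordered policy, since the anti-spoofing check has to run on the ingress side before the others mean anything. The following is an added example, not code from the thread or from Opal Telecom: a Python model of that edge policy applied to a handful of constructed packets. The customer address blocks (203.0.113.0/24, 198.51.100.0/25) are documentation ranges chosen for the example, and the inclusion of 445/tcp (SMB without NetBIOS, which Windows 2000 had just introduced) is my assumption; the thread itself only speaks of "netbios ports".

```python
"""Model of an ISP edge filter of the kind described in the thread.

Added example. It mirrors what a router ACL on the customer-facing
interface would do; it is not anyone's production configuration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# NetBIOS name service (137/udp), datagram (138/udp) and session (139/tcp).
NETBIOS_PORTS = {137, 138, 139}
# SMB over TCP without NetBIOS. Assumption: the thread mentions only NetBIOS.
SMB_DIRECT_PORT = 445

# Constructed example: address blocks assigned to the modem/dial-up pool.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    from_customer: bool  # True if received on the customer-facing side


def _in_customer_space(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CUSTOMER_PREFIXES)


def _is_network_or_broadcast(addr: str) -> bool:
    """True for the network or broadcast address of any customer block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in (net.network_address, net.broadcast_address)
               for net in CUSTOMER_PREFIXES)


def decide(pkt: Packet):
    """Return ("drop", reason) or ("accept", None) for one packet.

    Order matters: spoofing is judged by which side the packet arrived on,
    so it is checked first; the remaining rules apply in both directions.
    """
    # 1. Anti-spoofing (ingress filtering). Traffic from the customer side
    #    must carry a customer source; traffic from the Internet must not.
    if pkt.from_customer and not _in_customer_space(pkt.src):
        return "drop", "spoofed source from customer side"
    if not pkt.from_customer and _in_customer_space(pkt.src):
        return "drop", "customer source arriving from outside"
    # 2. Packets directed at a network or broadcast address (smurf-style
    #    amplification) are dropped regardless of protocol.
    if _is_network_or_broadcast(pkt.dst):
        return "drop", "directed to network/broadcast address"
    # 3. NetBIOS/SMB by destination port, in either direction.
    if pkt.dport in NETBIOS_PORTS:
        return "drop", "netbios/smb port"
    if pkt.proto == "tcp" and pkt.dport == SMB_DIRECT_PORT:
        return "drop", "netbios/smb port"
    return "accept", None


# Constructed sample traffic: an outbound share access, an inbound NetBIOS
# name scan, a directed broadcast, two spoofing attempts and ordinary web.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "192.0.2.5", "tcp", 1034, 139, True),
    Packet("192.0.2.5", "203.0.113.10", "udp", 137, 137, False),
    Packet("192.0.2.5", "203.0.113.255", "udp", 1025, 7, False),
    Packet("10.0.0.1", "192.0.2.5", "tcp", 1034, 80, True),
    Packet("203.0.113.10", "192.0.2.5", "tcp", 2000, 80, False),
    Packet("203.0.113.10", "192.0.2.5", "tcp", 2000, 80, True),
]


def tally(packets):
    """Count verdicts, the way an abuse desk would summarise a day's drops."""
    return Counter(decide(p)[1] or "accept" for p in packets)


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.src, "->", p.dst, p.proto, p.dport, decide(p))
    print(tally(SAMPLE_PACKETS))
```

Matching on destination port only, rather than either port, is deliberate: it is what a typical `deny ... eq 139` style ACL does, and it avoids dropping unrelated flows whose ephemeral source port happens to land on 137-139.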
First, I want to apologize for my terms. I did not mean dial-up accounts and customers. I'm talking about leased-line accounts.

Stephen J. Wilcox [steve@opaltelecom.co.uk] wrote:

> Since we started filtering NetBIOS ports and packets directed to network or broadcast addresses from and to our modems, our inbound abuse reports have virtually stopped, and a look at the security logs shows hundreds of people simultaneously port scanning NetBIOS ports. So far no one has complained about problems. I don't think many people in reality use the Internet for SMB in its basic form; it's normally businesses who might need it, and assuming they're sensible they will be using VPN tunnels anyway.
>
> [snip]
>
> Does that help you understand the argument? I think SMB is a source of much hassle and is virtually never used legitimately, and better off blocked from our abuse mailbox point of view!

I do understand the argument better. Thanks to you and all the others that responded. However, I would like to understand if leased-line (and co-lo) providers also filter. I certainly can understand filtering dial-up customers, but do y'all do (or are y'all considering) any filtering on the dedicated connection front? That's a general 'y'all' out to NANOG, by the way.

Thanks for all the responses. I do have a better grasp on part of the reasoning.

Mike
--
Mike Johnson
Network Engineer / iSun Networks, Inc.
Morrisville, NC
All opinions are mine, not those of my employer
I would hope leased-line/colo machines would be better set up, but I am probably dreaming.

Just for reference, I am one of the net/security admins at distributed.net, and there are a number of win* worms running around in the wild carrying the distributed.net client as part of their payload.

So far in the past 3 months (since the worms appeared) I have logged over 400,000 unique IP addresses returning data to distributed.net from installs created by the worms. We have spot-checked a number of these IPs and find win9x boxes with open C shares and signs of multiple infestations, including QAZ and other DDoS payloads.

daa
daa@distributed.net
David Avery was said to have been seen saying:

> I would hope leased-line/colo machines would be better set up, but I am probably dreaming.

One would think this to be true, but I have found it quite often to be the opposite... I've had to deal with countless intrusion attempts against our network only to find that the box attacking me had been owned by some script kiddie on the net because the admin of the box had failed to secure it before placing it online... I've found this to be true with school districts (had one in Colorado several weeks ago) and commercial companies (had a company in Dallas, TX right after the school district incident)... In fact, in the case of the Colorado school district attempt, I had the admin tell me he had only put the machine online on Thursday; however, by Sunday I had already recorded attempts from it...

> Just for reference, I am one of the net/security admins at distributed.net, and there are a number of win* worms running around in the wild carrying the distributed.net client as part of their payload.
>
> So far in the past 3 months (since the worms appeared) I have logged over 400,000 unique IP addresses returning data to distributed.net from installs created by the worms. We have spot-checked a number of these IPs and find win9x boxes with open C shares and signs of multiple infestations, including QAZ and other DDoS payloads.

This would not surprise me at all... I've noticed quite a few QAZ-style signature attempts coming from repeated Cable & Wireless IP blocks recently... As I'm on a C&W backbone, I'm routinely scanned by other C&W IPs which have been infected, and some have even been from clients of my own ISP...

Respectfully,
Jeremy T. Bouse
UnderGrid Network Services, LLC
--
Jeremy T. Bouse - UnderGrid Network Services, LLC - www.UnderGrid.net
All messages from this address should be at least PGP/GPG signed
Public PGP/GPG fingerprint and location in headers of message
If received unsigned (without requesting as such) DO NOT trust it!
undrgrid@UnderGrid.net - NIC Whois: JB5713 - Jeremy.Bouse@UnderGrid.net
On Sun, Nov 19, 2000 at 04:30:12PM -0500, Mike Johnson wrote:

> I've been reading this thread, and from the get-go I've been wondering why an ISP would consider filtering SMB, SSH, telnet, or any other well-used protocol. I suppose I'm of the opinion that an ISP should let their customers shoot themselves in the foot.

Because the majority of one's customers are clueless morons, open to being owned by the 31337-haX0rs of the world. So it is better to block it by default, and open it where requested, than to leave it open and thereby be the source of a massive DoS that gets your IP blackholed to major networks, your business disrupted, and possibly your equipment confiscated by overzealous FBI or Secret Service agents. Better a couple of customers briefly pissed off than a lot of customers pissed off at length.
participants (5): David Avery, Jeremy T. Bouse, Mike Johnson, Shawn McMahon, Stephen J. Wilcox