Re: ISP port blocking practice
-original message-
Subject: Re: ISP port blocking practice
From: Owen DeLong <owen@delong.com>
Date: 24/10/2009 4:00 am

Yes.

Owen

On Oct 23, 2009, at 2:19 PM, Lee Riemer wrote:
Isn't blocking any port against the idea of Net Neutrality?
Only if you take a legalistic view of it. Too much of the NN debate is about the futile search for an infallible legal argument with no corner cases. This is silly. Take an empirical, practical view instead. Obviously there is no objection to blocking spam going out; after all, the spam comes from machines that are no longer under the control of their owners, so the only free speech that is affected is that of the spammer, and hasn't that already been litigated? Free speech doesn't include the freedom to shout fire in a crowded theatre. Neither does it include the freedom to carry out a DDOS on the fire brigade control room. You aren't allowed to levy a toll on the roads and except your mates - roads are neutral. But that doesn't invalidate the speed limit or the obligation to drive on the left.
Justin Shore wrote:
Owen DeLong wrote:
Blocking ports that the end user has not asked for is bad.
I was going to ask for a clarification to make sure I read your statement correctly but then again it's short enough I really don't see any room to misinterpret it. Do you seriously think that a typical residential user has the required level of knowledge to call their SP and ask for them to block tcp/25, tcp & udp/1433 and 1434, and a whole list of common open proxy ports? While they're at it they might ask the SP to block the C&C ports for Bobax and Kraken. I'm sure all residential users know that they use ports 447 and 13789. If so then send me some of your users. You must be serving users around the MIT campus.
Doing it and refusing to unblock is worse.
How do you propose we pull a customer's dynamically-assigned IP out of a DHCP pool so we can treat it differently? Not all SPs use customer-facing AUTH. I can think of none that do for CATV, though I'm sure someone will now point out an oddball SP that I've never heard of before.
Some ISPs have the even worse practice of blocking 587 and a few even go to the horrible length to block 465.
I would call that a very bad practice. I haven't personally seen a mis-configured MTA listening on the MSP port, so I don't think they can make the claim that the MSP port is a common security risk. I would call tcp/587 a very safe port to have traverse my network. I think those ISPs are either demonstrating willful ignorance or marketing malice.
A few hotel gateways I have encountered are dumb enough to think they can block TCP/53 which is always fun.
The hotel I stayed in 2 weeks ago that housed a GK class I took had just such a proxy. It screwed up DNS, but even worse it completely hosed anything trying to tunnel over HTTP. OCS was dead in the water. My RPC-over-HTTP Outlook client couldn't work either. Fortunately they didn't mess with IPSec VPN or SSH. Either way it didn't matter much since the network was unusable (12 visible APs from the room, all on overlapping 802.11b/g channels). The average throughput was 0.02 Mbps.
Lovely for you, but not particularly helpful to your customers who may actually want to use some of those services.
I take a hard line on this. I will not let the technical ignorance of the average residential user harm my other customers. There is absolutely no excuse for using Netbios or MS-SQL over the Internet outside of an encrypted tunnel. Any user smart enough to use a proxy is smart enough to pick a non-default port. Any residential user running a proxy server locally is in violation of our AUP anyway and will get warned and then terminated. My filtering helps 99.99% of my userbase. The .001% that find this basic security filter intolerable can speak with their wallets. They can find themselves another provider if they want to use those ports or pay for a business circuit where we filter very little on the assumption they as a business have the technical competence to handle basic security on their own. (The actual percentage of users that have raised concerns in the past 3 years is .0008%. I spoke with each of them and none decided to leave our service.)
We've been down the road of no customer-facing ingress ACLs. We've fought the battles of getting large swaths of IPs blacklisted because of a few users' technical incompetence. We've had large portions of our network null-routed in large SPs. Then we got our act together and stopped acting like those ISPs who we all love to bitch about, that do not manage their customer traffic, and are poor netizens of this shared resource we call the Internet. Our problems have all but gone away. Our residential and business users no longer call in on a daily basis to report blacklisting problems. We no longer have reachability issues with networks that got fed up with the abuse coming from our compromised users and null-routed us. I stand by our results as proof that what we're doing is right. Our customers seem to agree and that's what matters.
Justin
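As an added illustration (not any poster's configuration), the residential ingress filter Justin describes, next to the submission-port blocking that the thread calls a very bad practice; Cisco IOS extended-ACL syntax and the interface name are assumed.

```cisco
! Added example, not from the thread. Cisco IOS extended ACL syntax assumed.
! Applied inbound on the customer-facing interface, so it filters traffic
! leaving residential hosts toward the Internet.
!
! The bad practice called out above: blocking the submission ports.
ip access-list extended RESIDENTIAL-IN-BAD
 deny   tcp any any eq 25
 remark tcp/587 (MSP) and tcp/465 (SMTPS) are authenticated; blocking them
 remark breaks legitimate mail clients without stopping spambots on tcp/25
 deny   tcp any any eq 587
 deny   tcp any any eq 465
 permit ip any any
!
! Corrected: block direct-to-MX SMTP and LAN-only protocols, keep 587/465 open.
ip access-list extended RESIDENTIAL-IN
 remark direct tcp/25 from residential hosts is almost always a compromised box
 deny   tcp any any eq 25
 remark NetBIOS and SMB have no business on the Internet outside a tunnel
 deny   tcp any any range 137 139
 deny   udp any any range 137 139
 deny   tcp any any eq 445
 remark MS-SQL service and browser ports (tcp & udp 1433-1434)
 deny   tcp any any range 1433 1434
 deny   udp any any range 1433 1434
 remark submission ports stay open; the submission server authenticates the user
 permit tcp any any eq 587
 permit tcp any any eq 465
 permit ip any any
!
! Business circuits: filter very little, as the thread describes.
ip access-list extended BUSINESS-IN
 permit ip any any
!
! Per-customer exemptions by source address are impractical here, since the
! residential pool is dynamically assigned via DHCP (the point raised above).
interface GigabitEthernet0/1
 description residential CATV aggregation (placeholder name)
 ip access-group RESIDENTIAL-IN in
```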
Free speech doesn't include the freedom to shout fire in a crowded theatre.
It most certainly does! There is absolutely nothing to prevent one from shouting "FIRE" in a crowded theatre. In fact, any attempt to legislate a prohibition against such behaviour would, in all civilized countries and legal systems, constitute unlawful prior restraint. You are confusing (as are all the myriad idiots who keep repeating this fictitious statement) prior restraint with positive law. Nothing prevents you from shouting "FIRE" in a crowded theatre (or anywhere else for that matter). However the proof of the FACT that you shouted "FIRE", and the proof of the FACT that this caused panic and injury, and proof of the FACT that the act of shouting "FIRE" caused pandemonium and injury will lead to a conviction for the offense of RECKLESS ENDANGERMENT or other offences against positive law. It is not the shouting of "FIRE" in a crowded theatre that is unlawful, it is the reckless act and the reckless disregard for the consequences of that act which is criminal. In fact, if one were to shout "FIRE" in a crowded theatre and everyone simply ignored it, no offense would have been committed at all! Please keep your facts straight and do not abridge and summarize to the point of absolute absurdity!
Neither does it include the freedom to carry out a DDOS on the fire brigade control room.
This, of course, falls in the same category. You are totally free to DDoS the fire brigade control room. It is not illegal nor can such action be prohibited by positive law. It is however entirely possible that the consequence of such behaviour is perilous to property, life and limb; and that as a consequence the act itself becomes reckless endangerment ONLY AFTER IT HAS BEEN COMMITTED. There is not, and cannot be, any lawful prior restraint in this case either.
You aren't allowed to levy a toll on the roads and except your mates - roads are neutral.
Of course you can, and governments do it all the time.
But that doesn't invalidate the speed limit or the obligation to drive on the left.
Once again, you are confusing prior restraint with the consequence of doing an action. The Act itself cannot be prohibited. There may be consequences assigned to having proven that an act was done, but the doing of the act is not and cannot be prohibited. Of course, both the United States and the UK have become Fascist states, and as such it is reasonable to expect that they will behave like Fascists.

--
() ascii ribbon campaign against html e-mail
/\ www.asciiribbon.org
participants (2)
- a.harrowell@gmail.com
- Keith Medcalf