RE: zotob - blocking tcp/445
I've always been kind of conflicted with this issue. I mean, providers blocking traffic at all.
On the one hand, I'm a corporate customer, and if I'm being DOSed or infected, I would want to be able to call my ISP and have it blocked.
On the other hand, I truly feel that I pay my ISPs to pass traffic, not block it.
I guess it only bugs me when something is blocked and I didn't even ask for it to be blocked... and then other stupid things are seeping through, but are not blocked even when I ask!
If ISPs really wanted to make the Internet better for Corporate America, I guess they'd unplug most of Asia... not block a port here and there (but that isn't exactly acceptable).
Anyway, like I said, I'm conflicted... I change my mind every now and then because both arguments make logical sense.
- Erik
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Gadi Evron
Sent: Tuesday, August 16, 2005 12:58 AM
To: Christopher L. Morrow
Cc: nanog@merit.edu
Subject: Re: zotob - blocking tcp/445
[snip arguments]
Do not become the internet firewall for your large customer base... it's bad.
Okay, so please allow me to alter the argument a bit.
Say we agreed on:
1. Security is THEIR (customers') problem, not yours.
2. You are not the Internet's firewall.
That would mean you would still care about:
1. You being able to provide service.
2. Your own network being secure (?)
In a big outbreak, not for the WHOLE Internet, I'd use whatever I can. It can easily become an issue of my network staying alive.
Blocking that one port then might be a viable solution to get a handle on things and calm things down.
Naturally though you are right again, it is a case-by-case issue and cannot be discussed in generalities.
Gadi.
If ISPs really wanted to make the Internet better for Corporate America, I guess they'd unplug most of Asia...not block a port here and there (but that isn't exactly acceptable).
If I (working for an ISP in Norway) wanted to make the Internet better for my customers, I'd unplug lots of U.S. sites - because that's where most of the spam (and the products the spam advertises) comes from. The problem is in the eye of the beholder. Steinar Haug, Nethelp consulting, sthaug@nethelp.no
I may be off base here. Can't an IPS look at the traffic, say on 443, and figure out whether the traffic is malicious or not? If so, then let it filter it. I know IPSes aren't perfect, but I would prefer this route be taken, if available and sensible (including network outage or DDoS), rather than a hard block. A quick block to mitigate and then an IPS rule installed AFTER thorough investigation of the traffic could lessen the load and maybe eliminate the malicious traffic without having to use a hard block. I know most here prefer not to... I am not saying this is a "let's block it all" thread, just trying to throw out something I do not see being discussed.
Erik Amundson wrote:
I've always been kind of conflicted with this issue. I mean, providers blocking traffic at all.
On the one hand, I'm a corporate customer, and if I'm being DOSed or infected, I would want to be able to call my ISP and have it blocked.
On the other hand, I truly feel that I pay my ISPs to pass traffic, not block it.
I guess it only bugs me when something is blocked and I didn't even ask for it to be blocked...and then other stupid things are seeping through, but are not blocked even when I ask!
If ISPs really wanted to make the Internet better for Corporate America, I guess they'd unplug most of Asia...not block a port here and there (but that isn't exactly acceptable).
Anyway, like I said, I'm conflicted... I change my mind every now and then because both arguments make logical sense.
- Erik
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Gadi Evron
Sent: Tuesday, August 16, 2005 12:58 AM
To: Christopher L. Morrow
Cc: nanog@merit.edu
Subject: Re: zotob - blocking tcp/445
[snip arguments]
Do not become the internet firewall for your large customer base... it's bad.
Okay, so please allow me to alter the argument a bit.
Say we agreed on:
1. Security is THEIR (customers') problem, not yours.
2. You are not the Internet's firewall.
That would mean you would still care about:
1. You being able to provide service.
2. Your own network being secure (?)
In a big outbreak, not for the WHOLE Internet, I'd use whatever I can. It can easily become an issue of my network staying alive.
Blocking that one port then might be a viable solution to get a handle on things and calm things down.
Naturally though you are right again, it is a case-by-case issue and cannot be discussed in generalities.
Gadi.
-- My "Foundation" verse: Isa 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.
-- carpe ductum -- "Grab the tape" CDTT (Certified Duct Tape Technician)
Linux user #322099 Machines: 206822 256638 276825 http://counter.li.org/
I think the point of many on this list is, they are a transit provider, not a security provider. They should not need to filter your traffic; that should be up to the end user/edge network to decide for themselves. Additionally, content filtering is great for those types of end-user folks, as this solution wouldn't be so difficult to scale for their traffic volumes. However, trying to content filter a transit provider is probably not a great idea.
William Warren wrote:
I may be off base here. Can't an IPS look at the traffic, say on 443, and figure out whether the traffic is malicious or not? If so, then let it filter it. I know IPSes aren't perfect, but I would prefer this route be taken, if available and sensible (including network outage or DDoS), rather than a hard block. A quick block to mitigate and then an IPS rule installed AFTER thorough investigation of the traffic could lessen the load and maybe eliminate the malicious traffic without having to use a hard block. I know most here prefer not to... I am not saying this is a "let's block it all" thread, just trying to throw out something I do not see being discussed.
At 11:18 AM 8/17/2005, William Warren wrote:
I may be off base here. Can't an IPS look at the traffic, say on 443, and figure out whether the traffic is malicious or not?
Well, your particular example is perhaps not the best one. 443 is SSL, and looking within the encrypted traffic is not something an IPS running on a separate box is going to be good at. Anything that's not encrypted, sure. The IPS could notice an excessive connect rate (TCP) or packet rate (any protocol) and attempt to do something in terms of attack mitigation, even for encrypted sessions.
If so, then let it filter it. I know IPSes aren't perfect, but I would prefer this route be taken, if available and sensible (including network outage or DDoS), rather than a hard block. A quick block to mitigate and then an IPS rule installed AFTER thorough investigation of the traffic could lessen the load and maybe eliminate the malicious traffic without having to use a hard block. I know most here prefer not to... I am not saying this is a "let's block it all" thread, just trying to throw out something I do not see being discussed.
One of the dangers is more and more stuff is being shoved over a limited set of ports. There are VPNs being built over SSL and HTTP to help bypass firewall rule restrictions. At some point we end up with another protocol demux layer, and a non-standard one at that if we push more and more restrictive filters out there. This in the long run is going to cause many problems. Also note that the IPS would likely be at the customer end of a circuit, meaning a flood attack might still fill the pipe, and your ISP isn't going to be able to alleviate that.
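Daniel's point that an IPS can still act on connect rate or packet rate even when it cannot see inside an encrypted session, as a worked example. This is added code, not from the thread or any of its participants: it looks only at flow headers (timestamp, protocol, source address, TCP flags), never at payload, so tcp/443 is handled exactly like cleartext. The flow-log format, addresses, window sizes and thresholds are all constructed for illustration and would be tuned to a real link.

```python
"""Header-only rate detection for TCP connect floods and generic packet floods.

Added example, not code from the NANOG thread. It uses only flow headers
(timestamp, protocol, source address, TCP flags), so tcp/443 traffic is
handled the same as cleartext: the payload is never inspected.
"""
from collections import defaultdict, deque


# Constructed flow-log format (an assumption for this example):
#   "<ts_ms> <proto> <src> <dst> <dport> <tcp_flags or '-'>"
def build_sample_log():
    """Return constructed flow-log lines with two floods and one benign host."""
    lines = []
    # 198.51.100.7: 120 SYNs to 192.0.2.10:443 within 4.8 s (connect flood)
    for i in range(120):
        lines.append(f"{100000 + i * 40} tcp 198.51.100.7 192.0.2.10 443 S")
    # 203.0.113.5: 5 SYNs spaced 12 s apart plus 20 data segments (benign client)
    for i in range(5):
        lines.append(f"{100000 + i * 12000} tcp 203.0.113.5 192.0.2.10 443 S")
    for i in range(20):
        lines.append(f"{100500 + i * 10} tcp 203.0.113.5 192.0.2.10 443 PA")
    # 203.0.113.99: 300 UDP packets within 0.6 s (packet flood, no TCP state)
    for i in range(300):
        lines.append(f"{100000 + i * 2} udp 203.0.113.99 192.0.2.10 53 -")
    return lines


def parse_flow_line(line):
    """Parse one constructed flow-log line into a record dict."""
    ts, proto, src, dst, dport, flags = line.split()
    return {"ts": int(ts), "proto": proto, "src": src,
            "dst": dst, "dport": int(dport), "flags": flags}


def rate_alerts(records, window_ms, threshold, counts):
    """Sliding-window rate detector keyed by source address.

    counts(rec) decides whether a record contributes to the rate. Returns
    {src: (ts_ms, count)} for the first moment each source reaches
    threshold events inside any window_ms-wide window.
    """
    alerts = {}
    windows = defaultdict(deque)          # src -> timestamps still in window
    for rec in sorted(records, key=lambda r: r["ts"]):
        if not counts(rec):
            continue
        q = windows[rec["src"]]
        q.append(rec["ts"])
        # Drop timestamps that have aged out of the window (q is non-empty here).
        while q[0] <= rec["ts"] - window_ms:
            q.popleft()
        if len(q) >= threshold and rec["src"] not in alerts:
            alerts[rec["src"]] = (rec["ts"], len(q))
    return alerts


def is_syn(rec):
    """A bare SYN (no ACK) is a new connection attempt."""
    return rec["proto"] == "tcp" and "S" in rec["flags"] and "A" not in rec["flags"]


def connect_rate_alerts(records, window_ms=10_000, threshold=50):
    """TCP connect-rate check: >= threshold new SYNs from one source per window."""
    return rate_alerts(records, window_ms, threshold, is_syn)


def packet_rate_alerts(records, window_ms=1_000, threshold=200):
    """Protocol-agnostic packet-rate check: every record counts."""
    return rate_alerts(records, window_ms, threshold, lambda rec: True)


def analyze(lines):
    """Parse a flow log and run both detectors; thresholds are illustrative."""
    records = [parse_flow_line(line) for line in lines]
    return {"connect_floods": connect_rate_alerts(records),
            "packet_floods": packet_rate_alerts(records)}


if __name__ == "__main__":
    for kind, hits in analyze(build_sample_log()).items():
        for src, (ts, n) in hits.items():
            print(f"{kind}: {src} reached {n} events at t={ts} ms")
```

Both checks keep only a deque of recent timestamps per source, which is why they cost the same for TLS as for anything else. They also inherit the limitation Daniel names: a detector sitting at the customer end of the circuit can flag a flood, but if the flood is already filling the access link, dropping packets there does not free the pipe.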
Daniel Senie wrote:
One of the dangers is more and more stuff is being shoved over a limited set of ports. There are VPNs being built over SSL and HTTP to help bypass firewall rule restrictions. At some point we end up with another protocol demux layer, and a non-standard one at that if we push more and more restrictive filters out there. This in the long run is going to cause many problems.
Isn't SSL VPN exactly another protocol demux layer, though it might be a standard one?
Pete
On Wed, 17 Aug 2005, William Warren wrote:
I may be off base here. Can't an IPS look at the traffic, say on 443, and figure out whether the traffic is malicious or not? If so, then let it filter it. I know IPSes aren't perfect, but I would prefer this route be taken, if available and sensible (including network outage or DDoS), rather than a hard block. A quick block to mitigate and then an IPS rule
And you have an IPS that works on OC-192 SONET links? What about the coming OC-768?
participants (7)
- Andy Johnson
- Christopher L. Morrow
- Daniel Senie
- Erik Amundson
- Petri Helenius
- sthaug@nethelp.no
- William Warren