Re: zotob - blocking tcp/445
On 8/18/05, Roger Marquis <[EMAIL PROTECTED]> wrote:

> Andy Johnson wrote:
> > I think the point of many on this list is, they are a transit provider, not a security provider. They should not need to filter your traffic, that should be up to the end user/edge network to decide for themselves.
>
> How is this different from a transit provider allowing their network to be used for spam? Seems the same hands-off argument was made wrt spam a decade ago but has since proved unsustainable.

This is where the abuse teams at the service providers need to have management approved thresholds for different types of abuse and be empowered to take action. If your customer is caught port scanning (hacking, worm propagation, etc) twice within a two day time frame or something, the abuse team should be able to null route/filter the ports without further warning. If they are spamming and after repeat notifications they do not stop, have an escalation process that goes from suspension to termination of service. There are plenty of automated complaint scripts out there for all types of abuse, so you don't have to look at everything yourself.

> Our particular problem is with an ISP in Wisconsin, NETNET-WAN. We get tens of thousands of scans to netbios ports every day from their /19. This is several orders of magnitude more netbios than we see from the rest of the net combined. It's eating nontrivial bandwidth and cpu that we pay real money for. They've had our logs for months but seem incapable of doing anything about their infected customers. The suits recommend documenting time and bandwidth costs and sending a bill with a cease and desist request.
>
> My question is not what can we do about bots, we already filter these worst case networks, but what can we do to make it worthwhile for bot-providers like NETNET to police their own networks without involving lawyers?
>
> --
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/
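The threshold-and-escalation scheme sketched in the post above, as an added example (not code from the post or from any provider's abuse desk). The 48-hour window, the two-strike trigger, the complaint classes and the action names are assumptions chosen to match the sketch: a second scanning or worm complaint against one customer inside the window triggers a port filter with no further warning, and spam complaints step from notice to final notice to suspension to termination while repeat notices go unanswered.

```python
"""Threshold-driven abuse escalation, as sketched in the post above.

Added example, not code from the original post. The window, trigger
count, complaint classes and action names are assumptions chosen to
match the post's sketch.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_WINDOW = timedelta(hours=48)             # assumed: "twice within a two day time frame"
SCAN_TRIGGER = 2                              # assumed: the second hit inside the window acts
SCAN_KINDS = {"portscan", "worm", "hacking"}  # assumed complaint classes handled as scanning
SPAM_LADDER = ["notify", "final_notice", "suspend", "terminate"]  # assumed escalation ladder
TERMINAL_STATE = {"suspend": "suspended", "terminate": "terminated"}


class AbuseLedger:
    """Per-customer complaint history and the action each new complaint mandates."""

    def __init__(self):
        self._scan_hits = defaultdict(list)    # customer -> timestamps of scan complaints
        self._spam_strikes = defaultdict(int)  # customer -> unanswered spam notices so far
        self.state = defaultdict(lambda: "active")

    def record(self, customer, kind, ts):
        """Log one complaint of class `kind` at time `ts`; return the action policy requires."""
        if kind in SCAN_KINDS:
            hits = self._scan_hits[customer]
            hits.append(ts)
            # complaints older than the window no longer count toward the trigger
            hits[:] = [t for t in hits if ts - t <= SCAN_WINDOW]
            if len(hits) >= SCAN_TRIGGER:
                self.state[customer] = "filtered"
                return "filter_ports"
            return "notify"
        if kind == "spam":
            strike = self._spam_strikes[customer]
            self._spam_strikes[customer] = strike + 1
            action = SPAM_LADDER[min(strike, len(SPAM_LADDER) - 1)]
            if action in TERMINAL_STATE:
                self.state[customer] = TERMINAL_STATE[action]
            return action
        return "notify"  # unknown class: notify and leave it to a human

    def cleaned_up(self, customer):
        """Customer answered the notices and stopped: reset the ladder and lift any filter."""
        self._spam_strikes[customer] = 0
        self._scan_hits[customer].clear()
        self.state[customer] = "active"


def demo():
    """Run three constructed customers through the policy and return what it decided."""
    ledger = AbuseLedger()
    t0 = datetime(2005, 8, 18, 9, 0)
    scan = [
        ledger.record("cust-a", "portscan", t0),
        ledger.record("cust-a", "worm", t0 + timedelta(hours=30)),    # second hit inside 48h
    ]
    spam = [ledger.record("cust-b", "spam", t0 + timedelta(days=d)) for d in range(4)]
    aged = [
        ledger.record("cust-c", "portscan", t0),
        ledger.record("cust-c", "portscan", t0 + timedelta(days=3)),  # first hit has aged out
    ]
    return {"scan": scan, "spam": spam, "aged": aged, "state": dict(ledger.state)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The complaint feed would in practice come from the automated complaint scripts the post mentions; here `demo()` stands in for it with constructed timestamps.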
Re: zotob - blocking tcp/445
Roger Marquis wrote:
> Andy Johnson wrote:
> > I think the point of many on this list is, they are a transit provider, not a security provider. They should not need to filter your traffic, that should be up to the end user/edge network to decide for themselves.
>
> How is this different from a transit provider allowing their network to be used for spam? Seems the same hands-off argument was made wrt spam a decade ago but has since proved unsustainable.
>
> Our particular problem is with an ISP in Wisconsin, NETNET-WAN. We get tens of thousands of scans to netbios ports every day from their /19. This is several orders of magnitude more netbios than we see from the rest of the net combined. It's eating nontrivial bandwidth and cpu that we pay real money for. They've had our logs for months but seem incapable of doing anything about their infected customers. The suits recommend documenting time and bandwidth costs and sending a bill with a cease and desist request.
>
> My question is not what can we do about bots, we already filter these worst case networks, but what can we do to make it worthwhile for bot-providers like NETNET to police their own networks without involving lawyers?

Route them through a modem using 4800 Baud. They will very soon look at what is eating their bandwidth and hopefully find those netbios packets.

Blocking port 445 will prevent me from using "ssh -p 455" to reach my clients. Using 4800 baud will slow me down but it will not stop me working.

Does anyone really use port 22 for ssh? I cannot use it because of all those wordbook attacks. Nobody cares to stop those.

Regards,
Peter and Karin Dambier

--
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
+1-360-448-1275 (VoIP: freeworldialup.com)
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr
http://www.kokoom.com/iason
Re: zotob - blocking tcp/445
If you have an offending network that does not respond to abuse/complaints, your best course of action is to no longer communicate with that network. That is your own choice as an end-user/network operator. Complaining to their upstream or transit provider will only get them to switch providers. The traffic will continue.

An alternative solution as you mentioned, involves some lawyers, and attempt to recover compensation for the damages. Good luck with that one though. From the looks of it, you'll spend more money in court than you would have just blocking them.

We can't force other networks to "play nice". As we all know, the Internet is an open network. Protect yourself, and make sure you are not one of the internet scum sending out this stuff, but don't depend on others to play nice with you.

Transit providers should not be CONTENT filtering their customers (for free anyways, I'm all for selling security services). This does not mean they have no responsibility to keep a proper abuse/security staff. If a transit provider has a customer who is constantly infecting/spamming/etc and fails to act, by all means take action and drop the customer. My main point is, if we depend on our transit providers to act as Internet nannies, we are promoting poor end-user network management.

--- Andy

Roger Marquis wrote:
> How is this different from a transit provider allowing their network to be used for spam? Seems the same hands-off argument was made wrt spam a decade ago but has since proved unsustainable.
>
> Our particular problem is with an ISP in Wisconsin, NETNET-WAN. We get tens of thousands of scans to netbios ports every day from their /19. This is several orders of magnitude more netbios than we see from the rest of the net combined. It's eating nontrivial bandwidth and cpu that we pay real money for. They've had our logs for months but seem incapable of doing anything about their infected customers. The suits recommend documenting time and bandwidth costs and sending a bill with a cease and desist request.
>
> My question is not what can we do about bots, we already filter these worst case networks, but what can we do to make it worthwhile for bot-providers like NETNET to police their own networks without involving lawyers?
Re: zotob - blocking tcp/445 (fwd)
Resent to address formatting misbehaviour:

Source            proto  dstPort  count
62.149.195.129    6      42       13018
203.69.204.250    6      445      12889
213.123.129.237   1      2048     12693
70.17.255.43      6      443      12685
217.132.56.139    6      4899     11056
209.181.111.12    6      135       8148
221.210.149.97    6      4899      7368
212.24.201.220    6      135       6451
172.131.83.244    6      135       6025
209.188.172.66    6      445       5055
80.177.36.162     6      445       4982
64.121.65.197     6      4899      4262
64.32.117.250     6      135       3954
213.144.99.241    6      445       3493
64.231.44.65      6      135       3157
213.123.129.237   6      139       2988
222.84.236.98     6      1023      2414
222.84.236.98     6      9898      2398
64.228.209.103    6      135       2305
Re: zotob - blocking tcp/445
On Thu, 18 Aug 2005, Roger Marquis wrote:
> My question is not what can we do about bots, we already filter these worst case networks, but what can we do to make it worthwhile for bot-providers like NETNET to police their own networks without involving lawyers?

Establish and document a history that determines peering with that network, or its providers, presents a significant risk to your network, or that of your customers. If you've got a view into your traffic that looks like this:

(Select source, proto, dstPort, count(destination) from flows where packets < 4 group by source, proto, dstPort order by count descending)

Source            proto  dstPort  count
62.149.195.129    6      42       13018
203.69.204.250    6      445      12889
213.123.129.237   1      2048     12693
70.17.255.43      6      443      12685
217.132.56.139    6      4899     11056
209.181.111.12    6      135       8148
221.210.149.97    6      4899      7368
212.24.201.220    6      135       6451
172.131.83.244    6      135       6025
209.188.172.66    6      445       5055
80.177.36.162     6      445       4982
64.121.65.197     6      4899      4262
64.32.117.250     6      135       3954
213.144.99.241    6      445       3493
64.231.44.65      6      135       3157
213.123.129.237   6      139       2988
222.84.236.98     6      1023      2414
222.84.236.98     6      9898      2398
64.228.209.103    6      135       2305

Determining who to consider peering with gets a lot easier. (ASN's left off to annoy the truly curious.)

As a provider, we don't want to be filtering heavily, as it invariably leads to making allowances for Customer X. The management overhead, as well as the impact on packet processing, is too great. It's easier for us to be able to monitor and report to our customers what's affecting them, and make sure they have the right tools in place to protect them from these kinds of shenanigans.

- billn
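The flow query in the post above, run end to end as an added example (not the poster's own tooling; whatever flow store produced that table is not on the page, so an in-memory SQLite table stands in for it). The flow records are constructed for the illustration, not real traffic. The point the query relies on is that a flow with fewer than 4 packets is usually an unanswered SYN or a single probe, so grouping those short flows by (source, proto, dstPort) and counting them surfaces hosts sweeping one port across many targets, while real sessions drop out of the ranking on their own.

```python
"""Rank likely scanners from flow records with the query quoted in the post above.

Added example, not code from the post. Flow records are constructed for
the illustration; SQLite stands in for whatever flow collector the
poster queried (an assumption).
"""
import sqlite3

# The post's query written out as SQL. COUNT(destination) counts flow records
# per (source, proto, dstPort); COUNT(DISTINCT destination) would count targets.
SCAN_QUERY = """
SELECT source, proto, dstPort, COUNT(destination) AS hits
FROM flows
WHERE packets < 4
GROUP BY source, proto, dstPort
ORDER BY hits DESC
"""


def build_sample_flows():
    """Constructed flow records: (source, destination, proto, dstPort, packets)."""
    flows = []
    # one host sweeping tcp/445 across a /24: a single unanswered SYN per target
    for i in range(1, 61):
        flows.append(("198.51.100.7", f"192.0.2.{i}", 6, 445, 1))
    # an ICMP echo sweep; NetFlow-style exporters put type*256+code (8*256 = 2048)
    # in the destination-port field, which is why proto 1 / port 2048 appears above
    for i in range(1, 21):
        flows.append(("203.0.113.44", f"192.0.2.{i}", 1, 2048, 1))
    # a smaller tcp/135 probe run, two packets per target
    for i in range(1, 13):
        flows.append(("203.0.113.9", f"192.0.2.{i}", 6, 135, 2))
    # legitimate sessions carry many packets, so the packets < 4 filter drops them
    flows.append(("192.0.2.5", "198.51.100.80", 6, 443, 40))
    flows.append(("192.0.2.6", "192.0.2.10", 6, 445, 320))
    return flows


def rank_scanners(flows):
    """Load flows into SQLite and return (source, proto, dstPort, hits) rows, busiest first."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE flows (source TEXT, destination TEXT, "
        "proto INTEGER, dstPort INTEGER, packets INTEGER)"
    )
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?)", flows)
    rows = conn.execute(SCAN_QUERY).fetchall()
    conn.close()
    return rows


def format_table(rows):
    """Render rows in the same column layout as the post's table."""
    lines = [f"{'Source':<16} {'proto':>5} {'dstPort':>7} {'count':>6}"]
    for source, proto, port, hits in rows:
        lines.append(f"{source:<16} {proto:>5} {port:>7} {hits:>6}")
    return "\n".join(lines)


def sources_over(rows, threshold):
    """(source, proto, dstPort) triples whose short-flow count reaches the threshold:
    the candidates worth putting in an abuse report to the source's provider."""
    return [(src, proto, port) for src, proto, port, hits in rows if hits >= threshold]


if __name__ == "__main__":
    ranked = rank_scanners(build_sample_flows())
    print(format_table(ranked))
    print("report:", sources_over(ranked, 10))
```

The threshold passed to `sources_over` is the knob that separates a noisy but legitimate client from a sweep; pick it from the baseline of your own link rather than from this constructed data.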
Re: zotob - blocking tcp/445
Andy Johnson wrote:
> I think the point of many on this list is, they are a transit provider, not a security provider. They should not need to filter your traffic, that should be up to the end user/edge network to decide for themselves.

How is this different from a transit provider allowing their network to be used for spam? Seems the same hands-off argument was made wrt spam a decade ago but has since proved unsustainable.

Our particular problem is with an ISP in Wisconsin, NETNET-WAN. We get tens of thousands of scans to netbios ports every day from their /19. This is several orders of magnitude more netbios than we see from the rest of the net combined. It's eating nontrivial bandwidth and cpu that we pay real money for. They've had our logs for months but seem incapable of doing anything about their infected customers. The suits recommend documenting time and bandwidth costs and sending a bill with a cease and desist request.

My question is not what can we do about bots, we already filter these worst case networks, but what can we do to make it worthwhile for bot-providers like NETNET to police their own networks without involving lawyers?

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
Fwd: zotob - blocking tcp/445
On 8/18/05, James Baldwin <[EMAIL PROTECTED]> wrote:
> On Aug 17, 2005, at 11:03 PM, routerg wrote:
>
> > What if you are a transit provider that serves ebay, yahoo, and/or google and the worm is propagating over TCP port 80?
>
> No one is suggesting that anyone suspend reason when making a decision to temporarily, or permanently for that matter, block packets with a specific port setting. It is an unreasonable stretch to imagine a transit provider, serving Ebay, Yahoo, and/or Google, who will have a staff unreasonable enough to block TCP/80 to halt a virus from spreading.

I was only trying to make the point that it would be extremely disruptive for enterprise class providers to filter ports all over the place, regardless of the port number. Today, the carrier class providers are meant to provide a routing interface to the network.

> > Where will the filtering end?
>
> The "slippery slope" defense has never stood in logical arguments, I don't understand why it should stand anywhere else. Once again, no one is asking anyone to suspend reason when making decisions. No one is making the statement "You must block ports used by virii of any magnitude, permanently without thought or investigation.". It was suggested that for outbreaks of significant size and severity, networks should issue temporary blocks on ports with little legitimate use. Expanding that suggestion to encompass more is being disingenuous to the original intent of the suggester.
>
> > Is your NSP/ISP responsible for filtering virii, spam, phishing?
>
> ISPs are held accountable by their customers, whether rightfully or wrongfully, for virii, spam, and phishing. Customers expect their ISP to investigate, filter, and otherwise secure their connection.

I would agree with this if we are talking about consumer markets. Most cable/DSL providers have policies in place so that their customers don't use the consumer class services to offer services, in which case this type of mitigation is acceptable. However, I've only ever seen a handful of requests from enterprise class customers wanting their network provider to filter spam on their behalf. Usually they just want DoS attack traffic stopped upstream. They don't want their provider monitoring the contents of their packets.

> We are held accountable for the traffic we source. I feel comfortable exercising some caution with traffic which is destined to me, especially if it is going to create an issue where other networks will hold me accountable for the fallout.
>
> As someone alluded to earlier in the thread, customers expect to receive the traffic they want, and they expect their provider to prevent that which they did not request. Problems, support calls, and differences of opinion happen on the edge where those desires are not codified.
Re: zotob - blocking tcp/445
On Aug 17, 2005, at 11:03 PM, routerg wrote:
> What if you are a transit provider that serves ebay, yahoo, and/or google and the worm is propagating over TCP port 80?

No one is suggesting that anyone suspend reason when making a decision to temporarily, or permanently for that matter, block packets with a specific port setting. It is an unreasonable stretch to imagine a transit provider, serving Ebay, Yahoo, and/or Google, who will have a staff unreasonable enough to block TCP/80 to halt a virus from spreading.

> Where will the filtering end?

The "slippery slope" defense has never stood in logical arguments, I don't understand why it should stand anywhere else. Once again, no one is asking anyone to suspend reason when making decisions. No one is making the statement "You must block ports used by virii of any magnitude, permanently without thought or investigation.". It was suggested that for outbreaks of significant size and severity, networks should issue temporary blocks on ports with little legitimate use. Expanding that suggestion to encompass more is being disingenuous to the original intent of the suggester.

> Is your NSP/ISP responsible for filtering virii, spam, phishing?

ISPs are held accountable by their customers, whether rightfully or wrongfully, for virii, spam, and phishing. Customers expect their ISP to investigate, filter, and otherwise secure their connection.

We are held accountable for the traffic we source. I feel comfortable exercising some caution with traffic which is destined to me, especially if it is going to create an issue where other networks will hold me accountable for the fallout.

As someone alluded to earlier in the thread, customers expect to receive the traffic they want, and they expect their provider to prevent that which they did not request. Problems, support calls, and differences of opinion happen on the edge where those desires are not codified.
Re: zotob - blocking tcp/445
Randy Bush <[EMAIL PROTECTED]> wrote:
[...]
> surely you realize that this discussion is not about civil rights and the constitution, but about combatting terrorists.

And we have always been at war with Eastasia.

--
PGP key ID E85DC776 - finger [EMAIL PROTECTED] for full key
/:.*posting.google.com.*/HX-Trace:+j
Re: zotob - blocking tcp/445
Oh, no -- not the "Where will it end?" defense. I should just go ahead and invoke Godwin's Law now and put us all out of thread misery...

- ferg

-- routerg <[EMAIL PROTECTED]> wrote:

> Where will the filtering end? Is your NSP/ISP responsible for filtering virii, spam, phishing? I'm not saying it wouldn't be nice, but considering the types of attacks we see coupled with the fact that many enterprise customers are service providers themselves, providing service to yet other service providers, it is very difficult to take their decision making power away.

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
[EMAIL PROTECTED] or [EMAIL PROTECTED]
ferg's tech blog: http://fergdawg.blogspot.com/
Re: zotob - blocking tcp/445
On 8/16/05, Gadi Evron <[EMAIL PROTECTED]> wrote:
> Randy Bush wrote:
> > > Surely we realize that this discussion is not concerning the oft repeated "Internet's Firewall" debate.
> > > Its about containing a potential worm/virus outbreak. Call it a network wide quarantine.
> >
> > surely you realize that this discussion is not about civil rights and the constitution, but about combatting terrorists.
>
> To a level, it is.
>
> Is combating terrorists bad? No one here would say no. Then it starts getting complicated when you discuss the HOW.
>
> Over-protecting by first saying "no" because you fear potential "how's" is silly.
>
> Fearing the HOW itself is legitimate.
>
> Not every block is a censor, m'kay? Some censors are good - do you want to see kiddie porn on TV? Let us not make this a freedom of speech argument and go back to network issues.
>
> You have say, 35K clients who will get infected in the next 2 days if you don't block port 445. Are you going to block it or are you going to let them get infected and infect others?

What if you are a transit provider that serves ebay, yahoo, and/or google and the worm is propagating over TCP port 80? If they have sufficient bandwidth and security mechanisms to protect themselves I can guarantee you that those enterprise customers would not want their upstream provider unilaterally dropping the traffic. I recognise that the service we are talking about here is typically used in file sharing but people may even be using 445 for different services (as silly as it sounds).

Where will the filtering end? Is your NSP/ISP responsible for filtering virii, spam, phishing? I'm not saying it wouldn't be nice, but considering the types of attacks we see coupled with the fact that many enterprise customers are service providers themselves, providing service to yet other service providers, it is very difficult to take their decision making power away.

> That or I am missing something.
>
> Gadi.
Re: zotob - blocking tcp/445
On Wed, 17 Aug 2005, William Warren wrote:
>
> I may be off base here. Can't an ips look at the traffic; say on 443 and figure out whether the traffic is malicious or not? If so then let it filter it. I know IPS's aren't perfect, but, i would prefer this router be taken, if available and sensible including network outage or DDOS, than a hard block. A quick block to mitigate and then an IPS rule

and you have an IPS that works on oc-192 SONET links? what about the coming oc-768?
Re: zotob - blocking tcp/445
Daniel Senie wrote:
> One of the dangers is more and more stuff is being shoved over a limited set of ports. There are VPNs being built over SSL and HTTP to help bypass firewall rule restrictions. At some point we end up with another protocol demux layer, and a non-standard one at that if we push more and more restrictive filters out there. This in the long run is going to cause many problems.

Isn't SSL VPN exactly another protocol demux layer, though it might be a standard one?

Pete
Re: zotob - blocking tcp/445
At 11:18 AM 8/17/2005, William Warren wrote:
> I may be off base here. Can't an ips look at the traffic; say on 443 and figure out whether the traffic is malicious or not?

Well, your particular example is perhaps not the best one. 443 is SSL, and looking within the encrypted traffic is not something an IPS running on a separate box is going to be good at. Anything that's not encrypted, sure. The IPS could notice an excessive connect rate (TCP) or packet rate (any protocol) and attempt to do something in terms of attack mitigation, even for encrypted sessions.

> If so then let it filter it. I know IPS's aren't perfect, but, i would prefer this router be taken, if available and sensible including network outage or DDOS, than a hard block. A quick block to mitigate and then an IPS rule installed AFTER thorough investigation of the traffic could lessen the load and maybe eliminate the malicious traffic without having to use a hard block. I know most here prefer not to..i am not saying this is a let's block is all thread, just trying to throw out something i do not see being discussed.

One of the dangers is more and more stuff is being shoved over a limited set of ports. There are VPNs being built over SSL and HTTP to help bypass firewall rule restrictions. At some point we end up with another protocol demux layer, and a non-standard one at that if we push more and more restrictive filters out there. This in the long run is going to cause many problems.

Also note that the IPS would likely be at the customer end of a circuit, meaning a flood attack might still fill the pipe, and your ISP isn't going to be able to alleviate that.

> Erik Amundson wrote:
> > I've always been kind of conflicted with this issue. I mean, providers blocking traffic at all. On the one hand, I'm a corporate customer, and if I'm being DOSed or infected, I would want to be able to call my ISP and have it blocked. On the other hand, I truly feel that I pay my ISPs to pass traffic, not block it.
> >
> > I guess it only bugs me when something is blocked and I didn't even ask for it to be blocked...and then other stupid things are seeping through, but are not blocked even when I ask! If ISPs really wanted to make the Internet better for Corporate America, I guess they'd unplug most of Asia...not block a port here and there (but that isn't exactly acceptable).
> >
> > Anyways, like I said, I'm conflicted...I change my mind every now and then because both arguments make logical sense.
> >
> > - Erik
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gadi Evron
> > Sent: Tuesday, August 16, 2005 12:58 AM
> > To: Christopher L. Morrow
> > Cc: nanog@merit.edu
> > Subject: Re: zotob - blocking tcp/445
> >
> > [snip arguments]
> >
> > > Do not become the internet firewall for your large customer base... it's bad.
> >
> > Okay, so please allow me to alter the argument a bit. Say we agreed on:
> >
> > 1. Security is THEIR (customers') problems, not yours.
> > 2. You are not the Internet's firewall.
> >
> > That would mean you would still care about:
> >
> > 1. You being able to provide service.
> > 2. Your own network being secure (?)
> >
> > In a big outbreak, not for the WHOLE Internet, I'd use whatever I can. It can easily become an issue of my network staying alive. Blocking that one port then might be a viable solution to get a handle on things and calm things down.
> >
> > Naturally though you are right again, it is a case-by-case issue and can not be discussed in generalities.
> >
> > Gadi.
>
> --
> My "Foundation" verse: Isa 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.
>
> -- carpe ductum -- "Grab the tape"
> CDTT (Certified Duct Tape Technician)
>
> Linux user #322099
> Machines:
> 206822
> 256638
> 276825
> http://counter.li.org/
Re: zotob - blocking tcp/445
I think the point of many on this list is, they are a transit provider, not a security provider. They should not need to filter your traffic, that should be up to the end user/edge network to decide for themselves.

Additionally, content filtering is great for those type of end-user folks, as this solution wouldn't be so difficult to scale for their traffic volumes. However, trying to content filter a transit provider is probably not a great idea.

William Warren wrote:
> I may be off base here. Can't an ips look at the traffic; say on 443 and figure out whether the traffic is malicious or not? If so then let it filter it. I know IPS's aren't perfect, but, i would prefer this router be taken, if available and sensible including network outage or DDOS, than a hard block. A quick block to mitigate and then an IPS rule installed AFTER thorough investigation of the traffic could lessen the load and maybe eliminate the malicious traffic without having to use a hard block. I know most here prefer not to..i am not saying this is a let's block is all thread, just trying to throw out something i do not see being discussed.
Re: zotob - blocking tcp/445
I may be off base here. Can't an ips look at the traffic; say on 443 and figure out whether the traffic is malicious or not? If so then let it filter it. I know IPS's aren't perfect, but, i would prefer this router be taken, if available and sensible including network outage or DDOS, than a hard block. A quick block to mitigate and then an IPS rule installed AFTER thorough investigation of the traffic could lessen the load and maybe eliminate the malicious traffic without having to use a hard block. I know most here prefer not to..i am not saying this is a let's block is all thread, just trying to throw out something i do not see being discussed.

Erik Amundson wrote:
> I've always been kind of conflicted with this issue. I mean, providers blocking traffic at all. On the one hand, I'm a corporate customer, and if I'm being DOSed or infected, I would want to be able to call my ISP and have it blocked. On the other hand, I truly feel that I pay my ISPs to pass traffic, not block it.
>
> I guess it only bugs me when something is blocked and I didn't even ask for it to be blocked...and then other stupid things are seeping through, but are not blocked even when I ask! If ISPs really wanted to make the Internet better for Corporate America, I guess they'd unplug most of Asia...not block a port here and there (but that isn't exactly acceptable).
>
> Anyways, like I said, I'm conflicted...I change my mind every now and then because both arguments make logical sense.
>
> - Erik
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gadi Evron
> Sent: Tuesday, August 16, 2005 12:58 AM
> To: Christopher L. Morrow
> Cc: nanog@merit.edu
> Subject: Re: zotob - blocking tcp/445
>
> [snip arguments]
>
> > Do not become the internet firewall for your large customer base... it's bad.
>
> Okay, so please allow me to alter the argument a bit. Say we agreed on:
>
> 1. Security is THEIR (customers') problems, not yours.
> 2. You are not the Internet's firewall.
>
> That would mean you would still care about:
>
> 1. You being able to provide service.
> 2. Your own network being secure (?)
>
> In a big outbreak, not for the WHOLE Internet, I'd use whatever I can. It can easily become an issue of my network staying alive. Blocking that one port then might be a viable solution to get a handle on things and calm things down.
>
> Naturally though you are right again, it is a case-by-case issue and can not be discussed in generalities.
>
> Gadi.

--
My "Foundation" verse: Isa 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.

-- carpe ductum -- "Grab the tape"
CDTT (Certified Duct Tape Technician)

Linux user #322099
Machines:
206822
256638
276825
http://counter.li.org/
Re: zotob - blocking tcp/445
> NetBIOS was never meant to be a WAN protocol, so no problem > in blocking it. 445/TCP is not NetBIOS! Some people even call the protocol the "Common Internet File System".
Re: zotob - blocking tcp/445
On Tue, 16 Aug 2005, Christopher L. Morrow wrote:
> > I think you're overestimating the security clue of most businesses. I'd *love* to be proved wrong by somebody citing a credible survey indicating that most businesses *are* Getting It Right
>
> I think Sean Donelan had a survey he quoted a few months ago saying that most enterprises are still the den of iniquity... but I could have that backward.

The average business and average home user have similar computer infection rates based on the data I saw on the ISP networks. Pretty much any way you sliced the data, e.g. government, financial, marketing, education, health care, high tech, low tech, home users, etc have similar rates. Neither the size of the organization nor regulatory environment seems to be a factor.

However, different individual organizations can have very different infection rates. What's interesting is within a particular organization, the infection rate tends to be homogeneous: either better or worse. Two companies in the same industry group can have dramatically different infection rates that persist for a long time. But when you add together all the companies in the industry group, the industry group average is the same across all the groups. Law of large numbers, regression to the mean, etc.
Re: zotob - blocking tcp/445
On Tue, 16 Aug 2005 [EMAIL PROTECTED] wrote:
> On Tue, 16 Aug 2005 13:44:27 CDT, "Church, Chuck" said:
>
> > *** Rules are going to be different for residential vs. business customers. Business customers who aren't on crack probably know better to block netbios in and out.
>
> Whatever happened to the War On Drugs, anyhow? :)
>
> I think you're overestimating the security clue of most businesses. I'd *love* to be proved wrong by somebody citing a credible survey indicating that most businesses *are* Getting It Right

I think Sean Donelan had a survey he quoted a few months ago saying that most enterprises are still the den of iniquity... but I could have that backwards.
Re: zotob - blocking tcp/445
Randy Bush wrote:
> > Surely we realize that this discussion is not concerning the oft repeated "Internet's Firewall" debate.
> > Its about containing a potential worm/virus outbreak. Call it a network wide quarantine.
>
> surely you realize that this discussion is not about civil rights and the constitution, but about combatting terrorists.

To a level, it is.

Is combating terrorists bad? No one here would say no. Then it starts getting complicated when you discuss the HOW.

Over-protecting by first saying "no" because you fear potential "how's" is silly.

Fearing the HOW itself is legitimate.

Not every block is a censor, m'kay? Some censors are good - do you want to see kiddie porn on TV? Let us not make this a freedom of speech argument and go back to network issues.

You have say, 35K clients who will get infected in the next 2 days if you don't block port 445. Are you going to block it or are you going to let them get infected and infect others?

That or I am missing something.

Gadi.
Re: zotob - blocking tcp/445
On Tue, 16 Aug 2005 13:44:27 CDT, "Church, Chuck" said: > *** Rules are going to be different for residential vs. business > customers. Business customers who aren't on crack probably know better > to block netbios in and out. Whatever happened to the War On Drugs, anyhow? :) I think you're overestimating the security clue of most businesses. I'd *love* to be proved wrong by somebody citing a credible survey indicating that most businesses *are* Getting It Right
Re: zotob - blocking tcp/445
> Surely we realize that this discussion is not concerning the oft > repeated "Internet's Firewall" debate. > Its about containing a potential worm/virus outbreak. Call it a network > wide quarantine. surely you realize that this discussion is not about civil rights and the constitution, but about combatting terrorists. randy
RE: zotob - blocking tcp/445
On Mon, 15 Aug 2005, Church, Chuck wrote: > > > >'enterprise security folks' are probably not the issue... The fact > remains > >that lots of folks DO do this :( There are quite a few folks between > >'consumer' and 'enterprise' that do all manner of dumb things on the > >Internet (where 'dumb' is equivalent to running smb shares across the > >public network minus encryption/ipsec). It's their choice to do that, > and > >their network providers are expected/demanded to pass those packets for > >them. > > >-Chris > > Surely the ratio of 'useful' traffic compared to 'junk' for a particular > protocol must be considered. What percentage of netbios entering a on your piece of the network you can consider the ratio of pigs to birds, or good to bad traffic or phases of the moon, it's your network do what you will. I can say that if you have a vocal enough customer the blocks won't last very long, or the customer will find another network to connect to... *** Rules are going to be different for residential vs. business customers. Business customers who aren't on crack probably know better to block netbios in and out. But residential customers, I think you'll win more customers than lose by taking some proactive blocking measures. > service provider's edge is intentional? 1%? 0.1%? I'm guessing much > less than that. If 5 or 6 nines worth of a particular protocol entering > or leaving an ISP's network is unintentional, and highly susceptible to > viral activity, isn't it in our best interest to block it? With proper your best interest might be to do that sure... 'your network, your call'. > notification to subscribers and instructions on setting up host-to-host > PPTP/whatever, blocking netbios can solve a large bunch of issues > please send my instructions for host-to-host pptp that my grandmother can follow without help of techsupport. *** Well, if your grandmother is already familiar with mapping drives and modifying her lmhosts file :)
Re: zotob - blocking tcp/445
and again I point to the above rules. What your network can't handle 'scanning wise' is completely different from what the network I work on can handle. If your network is being jeopardized by some level of scanning they fix that, but that is a local decision. Blindly stating "large isps filter port X" is just disingenuous, there are certainly cases as exceptions, most of which end with the ISP in question saying: "Wow that was a lot more painful than we thought originally:(" I've been following the "don't be the Internet's firewall" thing, but I lost you now. Quarantine works. Sorry, it does. If your network can handle everything, that's great. I have seen cases where people blocked entire countries for mitigation purposes, not to mention entire ISP's. Is that wise and/or good? It worked for them for the time. The point is reacting to a given situation. A reason not to do something would NOT be "because then people will not patch". I am sorry. Nobody is arguing that the philosophy is bad. We even agree with you. Where I strongly disagree is canceling this method out on ANY level, because that's just plain wrong. It's simple, it works, and yesterday it worked for several "big ISP's". Would these ISP's generally block port 445? How is that relevant? They just prevented their entire user-base from getting infected and their network from being DDoS'd and soon after becoming a DDoS source, by going the KISS way and reacting. Gadi.
Re: zotob - blocking tcp/445
On Tue, 16 Aug 2005, Daniel Senie wrote: > At 12:46 AM 8/16/2005, Christopher L. Morrow wrote: > > > >On Tue, 16 Aug 2005, Gadi Evron wrote: > > > > > > Randy Bush wrote: > > > I'm not nearly confident enough to decide on behalf of almost > > > billion other people how they should benefit from the Internet > > > and how not to. > > > >>> > > > >>>thanks for that! > > > >> > > > >>Indeed. Also see > > > >>http://www.iab.org/documents/docs/2003-10-18-edge-filters.html > > > > > > > > > > > > as i just replied to a private message from an enterprise op, > > > > > > > > o backbone isps can not set their customers' security policy > > > > - some customers want to run billyware shares over the wan > > > > whether we advise it or not > > > > - some of us host security researchers, who have a taste > > > > for 445 and other nasty traffic > > > > > > > > o enterprise / site ops can set their users' security policies > > > > as that's part of their job and charter > > > > > > > > randy > > > > > > > > > > I actually agree with you Chris and Steven. Point is though, that in a > > > HUGE outbreak - sometimes you might even have to cause a self-DDoS and > > > kill some of your services to parts of your networks or at all, to keep > > > your net alive, not to mention secure. > > > >This decision (to block port X or not in a large outbreak) is still a > >network by network decision... Smaller or 'more tightly bound' networks > >might have an easier time making that call, I'd bet that almost all of the > >very large networks will look at each case and come to the same > >conclusion: > >1) our network isn't affected by this problem > > And when it is, or parts of it are, then it IS time to take measures. sure, each network operator needs to see if their network is affected by the event, if so fix it, if not think hard about 'fixing' it... > > When SQL Slammer came out, we were using a facility owned by your > employer. 
We weren't infected, and had blocked all such traffic at > our border. However, the 65xx switch belonging to the facility, and > upstream of our systems there, was dropping 10% of our traffic > because it could not keep up with the UDP traffic from other > customers fed through that same switch. yes, and we fixed that with local filters, not global ones. and yes, 6500's with routing+switching suck. > > In that instance, you blocked the SQL Slammer traffic. It still > wasn't affecting your network per se, but was seriously impacting > other customers. Blocking was the right action in that case. > it did affect equipment in some places, 6500's being one of them :( > >2) our customers will be affected by a block > >3) our customers should deal with security on their own, unless they are > >paying for service which includes said blocking. > > This has to be balanced against whether the absence of the block > prevents other customers from getting the services they are paying > for. It's a balance, not an absolute. > a local balance... yes. make the decision for your network. I get vocal about this particular topic because there are folks on this (and other) lists who are not as experienced as you or randy or others who have spoken up. They may read the posts as: "I should be blocking tcp/445" and then run off and do that... It's dangerous to talk about this in generic terms, saying: "ZoTob came out and crushed my datacenter 6500 infrastructure, the only thing I could do was drop tcp/445 inbound from customers inside the datacenter on each 6500!" is more specific and more useful, imho. > There's also the issue of billing to consider. If the attack traffic > drives up the costs for customers on metered (burstable) bandwidth, > and you could have stopped that by a few responsive blocks elsewhere > in your network, is it ethical to allow that traffic to flow and run > up the bill? 
Unless the customer has some way to request remote > blocks, that can be a significant concern. > I think most folks would treat that as: "Show me how much your 95th percentile changed and we'll adjust the bill" > > > > > > > > > As immediate critical measures, blocking tcp/445 might be an acceptable > > > solution. Nobody is talking about censoring the Internet. > > > > > > >see above. and recall that there were several respondents to this thread > >that were talking exactly about blocking tcp/445 to their customers, or on > >their network, which is censoring. > > Or saving everyone's time, money and headaches. The interpretation > depends a great deal on where you sit. > > > >The distinction Randy, and I and Steve, are making is that: > >1) each network should decide on their own > >2) each person deciding should understand the ramifications of that > >decision > >3) each person deciding should keep in mind that they might not understand > >all of their customers requirements for traffic. > > Absolutely agree with all of these. That still doesn't point at a > decision to never block. J
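The billing side of the exchange above (attack traffic running up a metered customer's bill versus "show me how much your 95th percentile changed") can be made concrete with a small calculation. This is an added example, not code from any poster; it assumes the common 95th-percentile method (one sample every 5 minutes for the month, sorted, top 5 % discarded, highest remaining sample billed) and uses constructed traffic figures.

```python
"""What an outbreak does to a 95th-percentile bill.

Added example, not from the thread. Assumes the usual billing method:
one sample per 5 minutes over the billing month, samples sorted, the
top 5 % discarded, the highest remaining sample billed. All traffic
figures are constructed.
"""
import math

SAMPLES_PER_HOUR = 12          # one sample every 5 minutes


def percentile95(samples):
    """Billable rate: discard the top 5 % of samples, bill the max of the rest."""
    s = sorted(samples)
    dropped = math.ceil(0.05 * len(s))
    return s[len(s) - dropped - 1]


def month_samples(baseline_mbps, attack_mbps, attack_hours, days=30):
    """A flat baseline with a single outbreak burst lasting attack_hours."""
    total = days * 24 * SAMPLES_PER_HOUR
    burst = attack_hours * SAMPLES_PER_HOUR
    if burst > total:
        raise ValueError("burst longer than the billing month")
    return [attack_mbps] * burst + [baseline_mbps] * (total - burst)


def billed_mbps(baseline_mbps, attack_mbps, attack_hours, days=30):
    """The rate the customer is billed for, given one burst that month."""
    return percentile95(month_samples(baseline_mbps, attack_mbps,
                                      attack_hours, days))


def hours_free_of_charge(days=30):
    """How long a single burst can last before it reaches the billed sample:
    the discarded top 5 % of a 30-day month is 432 samples, i.e. 36 hours."""
    total = days * 24 * SAMPLES_PER_HOUR
    return math.ceil(0.05 * total) / SAMPLES_PER_HOUR


if __name__ == "__main__":
    # constructed: 20 Mbps normal traffic, 200 Mbps while a worm is scanning
    for hours in (24, 36, 72):
        print(f"{hours:3d} h burst -> billed at {billed_mbps(20, 200, hours)} Mbps")
    print(f"bursts up to {hours_free_of_charge()} h fall into the discarded 5 %")
```

The practical reading: under this billing method a one-day outbreak that is filtered the next morning never reaches the customer's bill, while one that is left running for three days does, which is the ethical concern raised above stated in numbers.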
Re: zotob - blocking tcp/445
The sky is falling, or never mind. AV vendor press releases are always amusing to read. http://news.com.com/Zotob+worm+finds+its+path+limited/2100-7349_3-5833777.html?tag=nefd.top As of Monday morning on the West Coast, the original Zotob.A had infected about 50 computers worldwide, and the first variant, Zotob.B, had compromised about 1,000 systems, the antivirus software maker said.
Re: zotob - blocking tcp/445
On Tue, 16 Aug 2005, Joe Maimon wrote: > > > Christopher L. Morrow wrote: > > > > On Mon, 15 Aug 2005, [EMAIL PROTECTED] wrote: > > > > > >> > >>NetBIOS was never meant to be a WAN protocol, so no problem > >>in blocking it. > > > > > > rule #1: do not be the Internet's Firewall > > rule #2: see rule #1 > > > Surely we realize that this discussion is not concerning the oft > repeated "Internet's Firewall" debate. > > > This is network self preservation. Otherwise the garbage will eventually > suffocate us all. and again I point to the above rules. What your network can't handle 'scanning wise' is completely different from what the network I work on can handle. If your network is being jeopardized by some level of scanning they fix that, but that is a local decision. Blindly stating "large isps filter port X" is just disingenuous, there are certainly cases as exceptions, most of which end with the ISP in question saying: "Wow that was a lot more painful than we thought originally:("
Re: zotob - blocking tcp/445
At 12:46 AM 8/16/2005, Christopher L. Morrow wrote: On Tue, 16 Aug 2005, Gadi Evron wrote: > > Randy Bush wrote: > I'm not nearly confident enough to decide on behalf of almost > billion other people how they should benefit from the Internet > and how not to. > >>> > >>>thanks for that! > >> > >>Indeed. Also see > >>http://www.iab.org/documents/docs/2003-10-18-edge-filters.html > > > > > > as i just replied to a private message from an enterprise op, > > > > o backbone isps can not set their customers' security policy > > - some customers want to run billyware shares over the wan > > whether we advise it or not > > - some of us host security researchers, who have a taste > > for 445 and other nasty traffic > > > > o enterprise / site ops can set their users' security policies > > as that's part of their job and charter > > > > randy > > > > I actually agree with you Chris and Steven. Point is though, that in a > HUGE outbreak - sometimes you might even have to cause a self-DDoS and > kill some of your services to parts of your networks or at all, to keep > your net alive, not to mention secure. This decision (to block port X or not in a large outbreak) is still a network by network decision... Smaller or 'more tightly bound' networks might have an easier time making that call, I'd bet that almost all of the very large networks will look at each case and come to the same conclusion: 1) our network isn't affected by this problem And when it is, or parts of it are, then it IS time to take measures. When SQL Slammer came out, we were using a facility owned by your employer. We weren't infected, and had blocked all such traffic at our border. However, the 65xx switch belonging to the facility, and upstream of our systems there, was dropping 10% of our traffic because it could not keep up with the UDP traffic from other customers fed through that same switch. In that instance, you blocked the SQL Slammer traffic. 
It still wasn't affecting your network per se, but was seriously impacting other customers. Blocking was the right action in that case. 2) our customers will be affected by a block 3) our customers should deal with security on their own, unless they are paying for service which includes said blocking. This has to be balanced against whether the absence of the block prevents other customers from getting the services they are paying for. It's a balance, not an absolute. There's also the issue of billing to consider. If the attack traffic drives up the costs for customers on metered (burstable) bandwidth, and you could have stopped that by a few responsive blocks elsewhere in your network, is it ethical to allow that traffic to flow and run up the bill? Unless the customer has some way to request remote blocks, that can be a significant concern. > > As immediate critical measures, blocking tcp/445 might be an acceptable > solution. Nobody is talking about censoring the Internet. > see above. and recall that there were several respondents to this thread that were talking exactly about blocking tcp/445 to their customers, or on their network, which is censoring. Or saving everyone's time, money and headaches. The interpretation depends a great deal on where you sit. The distinction Randy, and I and Steve, are making is that: 1) each network should decide on their own 2) each person deciding should understand the ramifications of that decision 3) each person deciding should keep in mind that they might not understand all of their customers requirements for traffic. Absolutely agree with all of these. That still doesn't point at a decision to never block. Just as during the initial SQL Slammer outbreak, one must balance the desire to not filter anything against the desire to keep customers (especially those who are effectively innocent bystanders) from losing service. 
> I believe that blocking port 445 is Good, just like I believe it will > not get done by most and for Good reasons. 'good' 'in the right situation' which isn't 'across the network as a whole'. Oh, do the current spate of tcp/445 problems also exist in the new netbios of tcp/80 incarnations MS has cooked up? I'd venture to guess they probably do... wanna block tcp/80 as well? :) > > Every solution has its good applications - sometimes short-term, even > Bad long term solutions. Thing is, how do they remain temporary rather > than becoming perm.? > This last sentence is a long and hard learned lesson :) Once you block port X and people figure that out, they expect you to always block port X. They drop their guard and focus on other problems, they have a new 'firewall' :( it's you. From the Slammer incident we learned that blocking 1434 for even a short period of time made people complacent. They didn't patch their broken servers/systems until we unblocked the traffic and they got re-infected again :( If you hadn't blocked 1434 during Slammer,
Re: zotob - blocking tcp/445
Jiri, Rommon's site does not state clearly if the product is a network appliance (as it appears to be since its interface is web-based) or a software-only product. Regards, Marlon Borba, CISSP. -- New campaign: Centro de Resposta a Incidentes de Segurança da Justiça Federal (Federal Justice Security Incident Response Center) - let's build it! -- >>> "Sane Jiri" <[EMAIL PROTECTED]> 08/16/05 8:49 AM >>> [...] We have been using rommon for years now and are quite happy with it. It has radically decreased workload of our abuse-handling crew and zotob-infected customers for example got blocked with no extra configuration needed.
Re: zotob - blocking tcp/445
Joe Maimon wrote: This is network self preservation. Otherwise the garbage will eventually suffocate us all. It's like cancer initially was treated with drugs and equipment which did serious damage to the whole body, killing many in the process and today the methods are much more targeted to the actual bad tissue while minimizing collateral damage. Port blocking is like cancer treatment from the 1980's. Pete
Re: zotob - blocking tcp/445
Randy, > though http://www.rommon.com/sandbox.html looks to be a > commercial product (and hence the spawn of evil:-), has > anyone got success/failure stories? it looks to speak > directly to this issue. We have been using rommon for years now and are quite happy with it. It has radically decreased workload of our abuse-handling crew and zotob-infected customers for example got blocked with no extra configuration needed. -- Jiri Sane Elisa Oy (Ltd) Tel. 010 266 2012 [EMAIL PROTECTED]
Re: zotob - blocking tcp/445
Christopher L. Morrow wrote: On Mon, 15 Aug 2005, [EMAIL PROTECTED] wrote: NetBIOS was never meant to be a WAN protocol, so no problem in blocking it. rule #1: do not be the Internet's Firewall rule #2: see rule #1 Surely we realize that this discussion is not concerning the oft repeated "Internet's Firewall" debate. Its about containing a potential worm/virus outbreak. Call it a network wide quarantine. The damages inflicted by worms/viruses in the past that we have all seen and are still coping with (C&C reports anyone?) are well known. This is network self preservation. Otherwise the garbage will eventually suffocate us all. Apples and oranges.
Re: zotob - blocking tcp/445
though http://www.rommon.com/sandbox.html looks to be a commercial product (and hence the spawn of evil:-), has anyone got success/failure stories? it looks to speak directly to this issue. randy
Re: zotob - blocking tcp/445
> If ISPs really wanted to make the Internet better for Corporate America, > I guess they'd unplug most of Asia...not block a port here and there > (but that isn't exactly acceptable). If I (working for an ISP in Norway) wanted to make the Internet better for my customers, I'd unplug lots of U.S. sites - because that's where most of the spam (and the products the spam advertises) comes from. The problem is in the eye of the beholder. Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
RE: zotob - blocking tcp/445
I've always been kind of conflicted with this issue. I mean, providers blocking traffic at all. On the one hand, I'm a corporate customer, and if I'm being DOSed or infected, I would want to be able to call my ISP and have it blocked. On the other hand, I truly feel that I pay my ISPs to pass traffic, not block it. I guess it only bugs me when something is blocked and I didn't even ask for it to be blocked...and then other stupid things are seeping through, but are not blocked even when I ask! If ISPs really wanted to make the Internet better for Corporate America, I guess they'd unplug most of Asia...not block a port here and there (but that isn't exactly acceptable). Anyway, like I said, I'm conflicted...I change my mind every now and then because both arguments make logical sense. - Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gadi Evron Sent: Tuesday, August 16, 2005 12:58 AM To: Christopher L. Morrow Cc: nanog@merit.edu Subject: Re: zotob - blocking tcp/445 [snip arguments] > Do not become the internet firewall for your large customer base... > it's bad. > Okay, so please allow me to alter the argument a bit. Say we agreed on: 1. Security is THEIR (customers') problems, not yours. 2. You are not the Internet's firewall. That would mean you would still care about: 1. You being able to provide service. 2. Your own network being secure (?) In a big outbreak, not for the WHOLE Internet, I'd use whatever I can. It can easily become an issue of my network staying alive. Blocking that one port then might be a viable solution to get a handle on things and calm things down. Naturally though you are right again, it is a case-by-case issue and can not be discussed in generalities. Gadi.
Re: zotob - blocking tcp/445
[snip arguments] Do not become the internet firewall for your large customer base... it's bad. Okay, so please allow me to alter the argument a bit. Say we agreed on: 1. Security is THEIR (customers') problems, not yours. 2. You are not the Internet's firewall. That would mean you would still care about: 1. You being able to provide service. 2. Your own network being secure (?) In a big outbreak, not for the WHOLE Internet, I'd use whatever I can. It can easily become an issue of my network staying alive. Blocking that one port then might be a viable solution to get a handle on things and calm things down. Naturally though you are right again, it is a case-by-case issue and can not be discussed in generalities. Gadi.
Re: zotob - blocking tcp/445
On Mon, 15 Aug 2005 20:05:30 MDT, Shane Amante said: > Leaf network filtering (or not) is largely solved. Ahem. :) If this was a "solved" problem, we'd not be having a thread about a zotob worm. There's a *very* large gap between "the clued know of a range of suitable solutions" and "the great unwashed have deployed appropriate solutions".
Re: zotob - blocking tcp/445
On Tue, 16 Aug 2005 [EMAIL PROTECTED] wrote: > On Mon, 15 Aug 2005 20:05:30 MDT, Shane Amante said: > > > Leaf network filtering (or not) is largely solved. > > Ahem. :) > > If this was a "solved" problem, we'd not be having a thread about a zotob > worm. > thank you.
Re: zotob - blocking tcp/445
On Tue, 16 Aug 2005, Gadi Evron wrote: > > Randy Bush wrote: > I'm not nearly confident enough to decide on behalf of almost > billion other people how they should benefit from the Internet > and how not to. > >>> > >>>thanks for that! > >> > >>Indeed. Also see > >>http://www.iab.org/documents/docs/2003-10-18-edge-filters.html > > > > > > as i just replied to a private message from an enterprise op, > > > > o backbone isps can not set their customers' security policy > > - some customers want to run billyware shares over the wan > > whether we advise it or not > > - some of us host security researchers, who have a taste > > for 445 and other nasty traffic > > > > o enterprise / site ops can set their users' security policies > > as that's part of their job and charter > > > > randy > > > > I actually agree with you Chris and Steven. Point is though, that in a > HUGE outbreak - sometimes you might even have to cause a self-DDoS and > kill some of your services to parts of your networks or at all, to keep > your net alive, not to mention secure. This decision (to block port X or not in a large outbreak) is still a network by network decision... Smaller or 'more tightly bound' networks might have an easier time making that call, I'd bet that almost all of the very large networks will look at each case and come to the same conclusion: 1) our network isn't affected by this problem 2) our customers will be affected by a block 3) our customers should deal with security on their own, unless they are paying for service which includes said blocking. > > As immediate critical measures, blocking tcp/445 might be an acceptable > solution. Nobody is talking about censoring the Internet. > see above. and recall that there were several respondents to this thread that were talking exactly about blocking tcp/445 to their customers, or on their network, which is censoring. 
The distinction Randy, and I and Steve, are making is that: 1) each network should decide on their own 2) each person deciding should understand the ramifications of that decision 3) each person deciding should keep in mind that they might not understand all of their customers requirements for traffic. > I believe that blocking port 445 is Good, just like I believe it will > not get done by most and for Good reasons. 'good' 'in the right situation' which isn't 'across the network as a whole'. Oh, do the current spate of tcp/445 problems also exist in the new netbios of tcp/80 incarnations MS has cooked up? I'd venture to guess they probably do... wanna block tcp/80 as well? :) > > Every solution has its good applications - sometimes short-term, even > Bad long term solutions. Thing is, how do they remain temporary rather > than becoming perm.? > This last sentence is a long and hard learned lesson :) Once you block port X and people figure that out, they expect you to always block port X. They drop their guard and focus on other problems, they have a new 'firewall' :( it's you. From the Slammer incident we learned that blocking 1434 for even a short period of time made people complacent. They didn't patch their broken servers/systems until we unblocked the traffic and they got re-infected again :( Do not become the internet firewall for your large customer base... it's bad.
Re: zotob - blocking tcp/445
Randy Bush wrote: I'm not nearly confident enough to decide on behalf of almost billion other people how they should benefit from the Internet and how not to. thanks for that! Indeed. Also see http://www.iab.org/documents/docs/2003-10-18-edge-filters.html as i just replied to a private message from an enterprise op, o backbone isps can not set their customers' security policy - some customers want to run billyware shares over the wan whether we advise it or not - some of us host security researchers, who have a taste for 445 and other nasty traffic o enterprise / site ops can set their users' security policies as that's part of their job and charter randy I actually agree with you Chris and Steven. Point is though, that in a HUGE outbreak - sometimes you might even have to cause a self-DDoS and kill some of your services to parts of your networks or at all, to keep your net alive, not to mention secure. As immediate critical measures, blocking tcp/445 might be an acceptable solution. Nobody is talking about censoring the Internet. I believe that blocking port 445 is Good, just like I believe it will not get done by most and for Good reasons. Every solution has its good applications - sometimes short-term, even Bad long term solutions. Thing is, how do they remain temporary rather than becoming perm.? Gadi.
RE: zotob - blocking tcp/445
On Mon, 15 Aug 2005, Church, Chuck wrote: > > > >'enterprise security folks' are probably not the issue... The fact > remains > >that lots of folks DO do this :( There are quite a few folks between > >'consumer' and 'enterprise' that do all manner of dumb things on the > >Internet (where 'dumb' is equivalent to running smb shares across the > >public network minus encryption/ipsec). It's their choice to do that, > and > >their network providers are expected/demanded to pass those packets for > >them. > > >-Chris > > Surely the ratio of 'useful' traffic compared to 'junk' for a particular > protocol must be considered. What percentage of netbios entering a on your piece of the network you can consider the ratio of pigs to birds, or good to bad traffic or phases of the moon, it's your network do what you will. I can say that if you have a vocal enough customer the blocks won't last very long, or the customer will find another network to connect to... > service provider's edge is intentional? 1%? 0.1%? I'm guessing much > less than that. If 5 or 6 nines worth of a particular protocol entering > or leaving an ISP's network is unintentional, and highly susceptible to > viral activity, isn't it in our best interest to block it? With proper your best interest might be to do that sure... 'your network, your call'. > notification to subscribers and instructions on setting up host-to-host > PPTP/whatever, blocking netbios can solve a large bunch of issues > please send my instructions for host-to-host pptp that my grandmother can follow without help of techsupport.
RE: zotob - blocking tcp/445
>'enterprise security folks' are probably not the issue... The fact remains >that lots of folks DO do this :( There are quite a few folks between >'consumer' and 'enterprise' that do all manner of dumb things on the >Internet (where 'dumb' is equivalent to running smb shares across the >public network minus encryption/ipsec). It's their choice to do that, and >their network providers are expected/demanded to pass those packets for >them. >-Chris Surely the ratio of 'useful' traffic compared to 'junk' for a particular protocol must be considered. What percentage of netbios entering a service provider's edge is intentional? 1%? 0.1%? I'm guessing much less than that. If 5 or 6 nines worth of a particular protocol entering or leaving an ISP's network is unintentional, and highly susceptible to viral activity, isn't it in our best interest to block it? With proper notification to subscribers and instructions on setting up host-to-host PPTP/whatever, blocking netbios can solve a large bunch of issues Just my .02 though, Chuck
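The "ratio of useful to junk" argument above, and the per-customer quarantine the rommon posts describe, both rest on being able to tell a propagating worm from a customer who really does run a file share across the WAN. The following is an added example, not code from any poster, from rommon or from any other product: it scores each source by how many distinct hosts it touches on tcp/445 within a short window and flags only the sources that sweep, so the block is per infected host rather than per port for the whole network. The flow-record layout, the thresholds, the IOS null-route syntax and the sample flows are all assumptions made for the example.

```python
"""Per-source tcp/445 fan-out scoring over flow records.

Added example for this thread, not code from any poster or product.
The flow record layout, the thresholds and the sample flows are
constructed assumptions; the point is to act on the few sources that
behave like a propagating worm instead of dropping tcp/445 for every
customer on the network.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # flow start, seconds since epoch
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int      # bytes sent by src in this flow


def parse_flows(text):
    """Parse 'ts src dst dport proto bytes' lines; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), proto, int(nbytes)))
    return flows


def max_fanout(flows, port=445, window=60):
    """For each source, the largest number of distinct destinations it
    reached on tcp/<port> inside any `window`-second span."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == port:
            by_src[f.src].append(f)
    result = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        in_window = defaultdict(int)   # dst -> flows currently inside the window
        left, best = 0, 0
        for f in fl:
            in_window[f.dst] += 1
            while f.ts - fl[left].ts > window:   # slide the left edge forward
                old = fl[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        result[src] = best
    return result


def candidates_for_filtering(flows, port=445, window=60, fanout=20):
    """Sources whose tcp/<port> fan-out exceeds what a file-share client
    does: a worm sweeping a subnet touches dozens of hosts a minute, a
    user mapping a drive touches one or two."""
    fan = max_fanout(flows, port, window)
    return sorted(src for src, n in fan.items() if n >= fanout)


def null_route_lines(sources):
    """Per-host null routes in IOS syntax (assumed target platform); the
    block is per offending source, not per port for everyone."""
    return [f"ip route {s} 255.255.255.255 Null0" for s in sources]


def constructed_sample():
    """Constructed flow records, not captured data."""
    base = 1124200000
    lines = ["# ts src dst dport proto bytes"]
    # worm-like host: 30 distinct addresses on 445 within 30 s, SYN-sized flows
    for i in range(30):
        lines.append(f"{base + i} 10.9.3.17 10.20.1.{i + 1} 445 tcp 60")
    # legitimate share user: the same two servers, bulk transfers over ten minutes
    for i in range(20):
        dst = "10.20.0.5" if i % 2 else "10.20.0.6"
        lines.append(f"{base + 30 * i} 10.9.5.8 {dst} 445 tcp 180000")
    # web traffic from the worm host: wrong port, must not be counted
    lines.append(f"{base + 5} 10.9.3.17 93.184.216.34 80 tcp 900")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(constructed_sample())
    for src, n in sorted(max_fanout(flows).items()):
        print(f"{src:12} max distinct tcp/445 peers per 60 s: {n}")
    for line in null_route_lines(candidates_for_filtering(flows)):
        print(line)
```

The fan-out threshold is the tunable that answers "what your network can handle scanning-wise" for a given network: set it from a baseline of what real share users on that access network do, and the share-over-the-WAN customer keeps working while the sweeping host gets the null route.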
Re: zotob - blocking tcp/445
> While its not uncommon to run SMB/Windows file system drive mounts across > private WANs, doing so across the Internet, on a non-encrypted tunnel, is > the equivalent of running with scissors. yep. agree. but, as it does not damage the track, and only opens the runner to harm, as the track maintainer, it's not mine to legislate against it. > I am unaware of any enterprise security folks foolish enough to allow > that. i suspect there are risk-takers and fools out there and we just happen not to know them. randy
Re: zotob - blocking tcp/445
On Mon, 15 Aug 2005, Daniel Golding wrote: > > > On 8/15/05 4:46 PM, "Randy Bush" <[EMAIL PROTECTED]> wrote: > > > > I'm not nearly confident enough to decide on behalf of almost > billion other people how they should benefit from the Internet > and how not to. > >>> thanks for that! > >> Indeed. Also see > >> http://www.iab.org/documents/docs/2003-10-18-edge-filters.html > > > > as i just replied to a private message from an enterprise op, > > > > o backbone isps can not set their customers' security policy > > - some customers want to run billyware shares over the wan > > whether we advise it or not > > - some of us host security researchers, who have a taste > > for 445 and other nasty traffic > > > > While its not uncommon to run SMB/Windows file system drive mounts across > private WANs, doing so across the Internet, on a non-encrypted tunnel, is > the equivalent of running with scissors. no one was arguing that... just like no one argues that riding a motorcycle sans-helmet is stupid (or playing hockey without a helmet) > > I am unaware of any enterprise security folks foolish enough to allow that. > Of course, I may be sheltered. 'enterprise security folks' are probably not the issue... The fact remains that lots of folks DO do this :( There are quite a few folks between 'consumer' and 'enterprise' that do all manner of dumb things on the Internet (where 'dumb' is equivalent to running smb shares across the public network minus encryption/ipsec). It's their choice to do that, and their network providers are expected/demanded to pass those packets for them. -Chris
Re: zotob - blocking tcp/445
On 8/15/05 4:46 PM, "Randy Bush" <[EMAIL PROTECTED]> wrote: > I'm not nearly confident enough to decide on behalf of almost billion other people how they should benefit from the Internet and how not to. >>> thanks for that! >> Indeed. Also see >> http://www.iab.org/documents/docs/2003-10-18-edge-filters.html > > as i just replied to a private message from an enterprise op, > > o backbone isps can not set their customers' security policy > - some customers want to run billyware shares over the wan > whether we advise it or not > - some of us host security researchers, who have a taste > for 445 and other nasty traffic > While its not uncommon to run SMB/Windows file system drive mounts across private WANs, doing so across the Internet, on a non-encrypted tunnel, is the equivalent of running with scissors. I am unaware of any enterprise security folks foolish enough to allow that. Of course, I may be sheltered. (as an aside - running windows file system mounts across enterprise WANs is so common that there are WAN optimization devices that improve remote disk mount performance via protocol spoofing) - Dan > o enterprise / site ops can set their users' security policies > as that's part of their job and charter > > randy >
Re: zotob - blocking tcp/445
Chris,

This isn't directed at you, just adding my 2 cents to the thread ...

On Aug 15, 2005, at 3:29 PM, Christopher L. Morrow wrote:

> On Mon, 15 Aug 2005, [EMAIL PROTECTED] wrote:
>
>> NetBIOS was never meant to be a WAN protocol, so no problem in
>> blocking it.
>
> rule #1: do not be the Internet's Firewall
> rule #2: see rule #1

That should definitely be on a T-shirt. :-)

> a leaf network can make any decisions they want on traffic filtering,
> large ISP's should probably not do this as there are invariably people
> out there that will want SNMP/ICMP/NetBIOS/SQL-NameService to work over
> their WAN link(S).
>
> I recall some 'fun' with this issue on:
> 1) slammer worm (ms has a developers thingy that REQUIRES 1434 to work
>    over the internet)
> 2) welchia/nachi - how can I ping monitor my remote sites?
>
> ymmv.

Leaf network filtering (or not) is largely solved.

Keep in mind, some SP's sell "Managed Security Services," which may be
PE- or CE- based firewalls, but run by the SP on behalf of the customer.
If the customer cares enough, then ask and/or pay the SP to block the
traffic they don't want, only on their access circuit(s). Presumably, the
SP will figure out a model for the service to both instantiate and
maintain the filter(s) as well as recoup costs for backhauled bits that
get dropped at, or near, the doorstep of the CE. (Note, the word "model"
could mean an additional charge above & beyond basic access or it may be
included as part of basic access -- it all depends on how much work,
sophistication in filtering, etc. occurs as well as what the market can
bear).

In this case, one size (a.k.a.: filtering) does not (easily) fit all ...

-shane
Re: zotob - blocking tcp/445
On Mon, 15 Aug 2005, [EMAIL PROTECTED] wrote:

> NetBIOS was never meant to be a WAN protocol, so no problem
> in blocking it.

rule #1: do not be the Internet's Firewall
rule #2: see rule #1

a leaf network can make any decisions they want on traffic filtering,
large ISP's should probably not do this as there are invariably people
out there that will want SNMP/ICMP/NetBIOS/SQL-NameService to work over
their WAN link(S).

I recall some 'fun' with this issue on:
1) slammer worm (ms has a developers thingy that REQUIRES 1434 to work
   over the internet)
2) welchia/nachi - how can I ping monitor my remote sites?

ymmv.

> For example: grc.com/su-techzone1.htm
>
> scott
>
> - Original Message Follows -
> From: Gadi Evron <[EMAIL PROTECTED]>
> To: nanog list
> Subject: zotob - blocking tcp/445
> Date: Mon, 15 Aug 2005 21:51:43 +0200
>> I heard from several different big ISP's that to stop the
>> spread of the worm they now block tcp/445. I suppose it
>> works.
>>
>> Gadi.
Re: zotob - blocking tcp/445
>>> I'm not nearly confident enough to decide on behalf of almost
>>> billion other people how they should benefit from the Internet
>>> and how not to.
>> thanks for that!
> Indeed. Also see
> http://www.iab.org/documents/docs/2003-10-18-edge-filters.html

as i just replied to a private message from an enterprise op,

o backbone isps can not set their customers' security policy
  - some customers want to run billyware shares over the wan
    whether we advise it or not
  - some of us host security researchers, who have a taste
    for 445 and other nasty traffic

o enterprise / site ops can set their users' security policies
  as that's part of their job and charter

randy
Re: zotob - blocking tcp/445
- Original Message Follows -
From: Saku Ytti <[EMAIL PROTECTED]>
To: nanog list
Subject: Re: zotob - blocking tcp/445
Date: Mon, 15 Aug 2005 22:22:10 +0300

> On (2005-08-15 18:51 +), [EMAIL PROTECTED] wrote:
>
>> NetBIOS was never meant to be a WAN protocol, so no
>> problem in blocking it.
>
> I'm not nearly confident enough to decide on behalf of
> almost billion other people how they should benefit from
> the Internet and how not to.

I'm not talking about a billion people doing the same thing. It's your
network, so you don't have to block. Or, it's your network, so you can.
Or, it's Gadi's network, so he can (or not). Or, it's "several different
big ISP's" networks, so they can block (or not).

"to stop the spread of the worm they now block tcp/445."

It does work. I know. I've done it. It makes some networks better
netizens as they don't have the money or resources to control the
outbreaks and it's a simple way to keep worms from attacking the rest of
us. Do what you want, it's your network.

http://www.faqs.org/rfcs/rfc1001.html

5. OVERVIEW OF NetBIOS

NetBIOS was designed for use by groups of PCs, sharing a broadcast medium.

Old argument, apologies for feeding.

scott
Re: zotob - blocking tcp/445
In message <[EMAIL PROTECTED]>, Randy Bush writes:
>
>> I'm not nearly confident enough to decide on behalf of almost
>> billion other people how they should benefit from the Internet
>> and how not to.
>
> thanks for that!

Indeed. Also see
http://www.iab.org/documents/docs/2003-10-18-edge-filters.html

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: zotob - blocking tcp/445
On (2005-08-15 09:28 -1000), Randy Bush wrote:

>> There are real solutions to the problem, which include monitoring
>> the end-user traffic and do traffic steering for infected hosts
>> to a web page thats helps solving their problem.
>
> for we who are under-clued, do you have a url for suggested tools and
> procedures?

www.rommon.com, I'm confident there are others. And some people are using
home-baked solutions. Probably plethora (and money) will be one of the
bigger problems when deciding to implement this kind of solution.

--
  ++ytti
Re: zotob - blocking tcp/445
> I'm not nearly confident enough to decide on behalf of almost
> billion other people how they should benefit from the Internet
> and how not to.

thanks for that!

> There are real solutions to the problem, which include monitoring
> the end-user traffic and do traffic steering for infected hosts
> to a web page thats helps solving their problem.

for we who are under-clued, do you have a url for suggested tools and
procedures?

thanks!

randy
Re: zotob - blocking tcp/445
On (2005-08-15 18:51 +), [EMAIL PROTECTED] wrote:

> NetBIOS was never meant to be a WAN protocol, so no problem
> in blocking it.

I'm not nearly confident enough to decide on behalf of almost
billion other people how they should benefit from the Internet
and how not to.

There are real solutions to the problem, which include monitoring
the end-user traffic and do traffic steering for infected hosts
to a web page thats helps solving their problem.

> For example: grc.com/su-techzone1.htm
>
> scott
>
> - Original Message Follows -
> From: Gadi Evron <[EMAIL PROTECTED]>
> To: nanog list
> Subject: zotob - blocking tcp/445
> Date: Mon, 15 Aug 2005 21:51:43 +0200
>> I heard from several different big ISP's that to stop the
>> spread of the worm they now block tcp/445. I suppose it
>> works.
>>
>> Gadi.

--
  ++ytti
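The "monitor the end-user traffic and steer infected hosts to a web page" approach that Saku describes above (and that Randy asks about in his reply), written out as an added example; this is not code from the thread, from rommon.com, or from any vendor's product. It flags a customer host only when it sends unanswered tcp/445 SYNs to many distinct targets inside a short window, so a steady SMB session to a fixed file server (the "billyware shares over the wan" case Randy raises) is never touched, and it also lists which of the non-flagged sources a blanket tcp/445 block would cut off. The flow-line format, the window and threshold values, and all addresses (RFC 5737 documentation ranges) are constructed assumptions, not anything from the list discussion.

```python
"""Per-host tcp/445 scan detection over flow records (added example).

Constructed data: addresses come from the RFC 5737 documentation ranges,
timestamps and flags are made up. Flow line format is an assumption, not
any vendor's export format: "<unix_ts> <src> <dst> <dport> <proto> <flags>".
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SMB_PORT = 445                 # tcp/445, the port Zotob spread over
WINDOW_SECONDS = 60.0          # look-back window per source (assumed value)
DISTINCT_DST_THRESHOLD = 20    # distinct 445 targets in one window => scanning


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    flags: str   # TCP flags observed; "S" alone means a SYN that got no reply


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow lines; blank and comment lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, flags = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport), proto.lower(), flags))
    return flows


def find_scanners(flows, window=WINDOW_SECONDS, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src: peak distinct tcp/445 targets seen in any window} for sources
    at or over the threshold. Only unanswered SYNs count, so an established SMB
    session to a fixed file server never looks like a scan here."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == SMB_PORT and f.flags == "S":
            by_src[f.src].append((f.ts, f.dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # dst -> number of SYNs currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:   # slide the left edge forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            scanners[src] = peak
    return scanners


def steering_decisions(flows):
    """Per-source action: steer flagged hosts to a remediation page, forward the rest."""
    scanners = find_scanners(flows)
    return {src: ("steer-to-remediation" if src in scanners else "forward")
            for src in sorted({f.src for f in flows})}


def collateral_of_blanket_block(flows):
    """Sources with tcp/445 traffic that a blanket port block would drop although
    they were not flagged as scanning."""
    scanners = find_scanners(flows)
    return sorted({f.src for f in flows
                   if f.proto == "tcp" and f.dport == SMB_PORT and f.src not in scanners})


def build_sample_log() -> str:
    """Constructed flow log with four customer hosts (not captured traffic)."""
    base = 1124135400.0   # arbitrary epoch seconds
    lines = []
    # 192.0.2.10: worm-like, 30 unanswered SYNs to 30 hosts within 45 seconds
    for i in range(30):
        lines.append(f"{base + 1.5 * i} 192.0.2.10 203.0.113.{i + 1} 445 tcp S")
    # 192.0.2.20: established SMB sessions to two file servers over the WAN
    for i in range(10):
        lines.append(f"{base + 5 * i} 192.0.2.20 198.51.100.{5 + i % 2} 445 tcp PA")
    # 192.0.2.30: a handful of unanswered SYNs, well below the threshold
    for i in range(5):
        lines.append(f"{base + 2 * i} 192.0.2.30 203.0.113.{100 + i} 445 tcp S")
    # 192.0.2.40: 25 unanswered SYNs spread 10 s apart, never 20 in one window
    for i in range(25):
        lines.append(f"{base + 10 * i} 192.0.2.40 203.0.113.{150 + i} 445 tcp S")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = parse_flows(build_sample_log())
    print("scanners:", find_scanners(sample))
    print("decisions:", steering_decisions(sample))
    print("dropped by a blanket tcp/445 block:", collateral_of_blanket_block(sample))
```

Two design points matter in practice. Counting only unanswered SYNs (rather than every flow to port 445) is what keeps a legitimate SMB-over-WAN customer out of the flagged set, since their sessions complete the handshake; and the sliding window is what stops a slow, long-lived stream of lookups from accumulating into a false positive. The `collateral_of_blanket_block` output is the list the "don't be the Internet's firewall" side of the thread is worried about.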
Re: zotob - blocking tcp/445
NetBIOS was never meant to be a WAN protocol, so no problem in blocking
it.

For example: grc.com/su-techzone1.htm

scott

- Original Message Follows -
From: Gadi Evron <[EMAIL PROTECTED]>
To: nanog list
Subject: zotob - blocking tcp/445
Date: Mon, 15 Aug 2005 21:51:43 +0200
> I heard from several different big ISP's that to stop the
> spread of the worm they now block tcp/445. I suppose it
> works.
>
> Gadi.
zotob - blocking tcp/445
I heard from several different big ISP's that to stop the spread of the
worm they now block tcp/445. I suppose it works.

Gadi.