North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: What do you want your ISP to block today?
--On Saturday, August 30, 2003 8:18 PM +0200 Iljitsch van Beijnum <firstname.lastname@example.org> wrote:
On zaterdag, aug 30, 2003, at 18:54 Europe/Amsterdam, Owen DeLong wrote:Christopher L. Morrow's mention of asymmetric routing for multihomed customers is more to the point, but if we can solve this for all those single homed dial, cable and ADSL end-users and not for multihomed networks, I'll be very happy.I happen to look alot like a single homed ADSL end user at certain levels, but, I'm multihomed. I'd be very annoyed if my ISP started blocking things just because my traffic pattern didn't look like what they expect from a single homed customer.I'm sure knife salespeople find it extremely annoying that they can't bring their wares along as carry-on when they fly. Sometimes a few people have to be inconvenienced for the greater good.
In my opinion, this is a very unfortunate attitude largely based on FUD and myth. Apologies for the off-topicness of the following example, but, having just been through this level of greater good, I hope it will serve some positive purpose if people realize how ridiculous it gets if you let this go. Frankly, I think the level of absurdity that the TSA and HSA have taken things to speaks for itself. From May 21 of this year until August 1, certain interpretations of our newfound greater good would have allowed me to be classified as a terrorist and hauled off to prison. Why? Because on May 21, depending on your interpretation of the statutes, my posession of an until then perfectly legal 2 pounds of black powder or my posession of an until then perfectly legal Aerotech J-350 Ammonium Perchlorate Composite Propellant rocket motor reload suddenly changed from a perfectly legal hobby to an act of terrorism for anyone who did not posess a Low Explosives User Permit from the USDOJ/BATFE. What changed on August 1? I got my permit (finally) which I applied for in April. The minor inconvenience involved in doing this consisted of: 1. $100 to the feds. 2. I had to file an FBI Fingerprint Card with the BATF + $30 to get the fingerprinting done + Took about 3 hours to track down the correct method of getting the fingerprinting done and actually have it done. (BATF instructions didn't work and it turned into a name-that-bureacracy trip through 5 different agencies to find one that would do the fingerprinting (no, the FBI will not)). 3. Federal Background Check 4. Essentially sign away my 4th amendment rights and grant the BATFE permission to inspect my home at any time. 5. Get a letter of agreement for contingency storage from at least one agency with a LEUP and a storage authorization (my LEUP is a non-storage LEUP). 6. I now need to keep records of all my rocket motor purchases, usages, storages, and other dispositions for 10 years. The greater good accomplished: Any nutcase that wants to can still pay cash for all the ammonium nitrate and diesel fuel he/she wants with no identification required, no record of the transaction, and no permit required. Did I mention that the Oklahoma City Federal building has proven that AN+Diesel does explode, while the NH state police explosives lab has proven that APCP DOES NOT EXPLODE. Sorry... I just don't see a greater good in forcing liability on ISPs for forwarding IP datagrams with valid headers.
But, TCP to a port that isn't listening (or several ports that aren't listening) _ARE_ what you are talking about blocking. This is not a good idea.Why not? I think it's a very good idea. TCP doesn't work if you only use it in one direction, so blocking this doesn't break anything legitimate, but it does stop a whole lot of abuse. (Obviously I'm talking about the case where the lack of return traffic can be determined with a modicum of reliability.)
1. Your assumption is false. There are multiple diagnostic things that can be accomplished with what appears to be a single-sided TCP connection. 2. I should be able to probe, portscan, or otherwise attack my own site from any location on the internet so long as I do not create a DOS or AUP violation on someone elses network that I have an agreement with. 3. Fixing the end hosts will stop a lot more abuse than breaking the network will.
It should be possible to have a host generate special "return traffic" that makes sure that stuff that would otherwise be blocked is allowed through.I don't think it's desirable or appropriate to have everyone re-engineer their hosts to allow monitoring and external validation scans to get around your scheme for turning off services ISPs should be providing.But then you don't seem to have any problems with letting through denial of service attacks so I'm not sure if there is any use in even discussing this with you. Today, about half of all mail is spam, and it's only getting worse. If we do nothing, tomorrow half of all network traffic could be worms, scans and DOS. We can't go on sitting on our hands.
I don't propose sitting on our hands. I propose fixing the problem where the problem is. What you are proposing makes as much sense as locking up all the yeast producers to cut down on drunk driving. Sure, there are fewer yeast producers than drunk drivers and they're in business, so they're easier to find. However, just because it's easier doesn't make it correct or even logical. Yes, this is an extreme example, but, other than degree of separation, I don't see alot of difference in the approaches. Fixing the edge is harder, but, it will yield better results. Breaking the core is easier, but, will yield lots of collateral damage and won't necessarily do much more than create smarter worms. Owen