BCP for ISP to block worms at PEs and NAS

The issue is client-side port numbers -- those aren't rules that block
only inbound SYNs. That was clear from another paragraph of
Kristoff's post:

  Whatever worm you're trying to mitigate above (sasser?), you will
  also occasionally be taking out TCP sessions that happen to be
  using that port. Most commonly where one side uses 5554 as its
  ephemeral port.

The result will be intermittent, undiagnosed failures. "Why isn't the
Internet reliable? I do the same thing twice in a row and the second
time it fails."

    --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
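The collateral damage described in the post can be shown with a small filter simulation. This is an added example, not code from the post or from any ISP's configuration: it runs two hypothetical ACL styles over constructed TCP segments. The "naive" rule matches port 5554 in either direction and on any flag, as the post says the suggested rules do; the "SYN-only" rule matches only inbound connection attempts (SYN without ACK) whose destination is 5554. The flow names, segment layout and sample sessions are all constructed for the demonstration.

```python
# Added example (not from the original post): compare two ACL styles
# for blocking a worm port and measure which legitimate sessions they break.
from dataclasses import dataclass
from typing import Callable, Dict, List

WORM_PORT = 5554  # the port named in the thread


@dataclass(frozen=True)
class Segment:
    """One TCP segment as seen at the provider edge (PE/NAS)."""
    direction: str   # "in" = toward the customer, "out" = from the customer
    src_port: int
    dst_port: int
    syn: bool
    ack: bool


def naive_rule_drops(seg: Segment) -> bool:
    """Hypothetical 'block port 5554' rule: either port, any flags, any direction."""
    return seg.src_port == WORM_PORT or seg.dst_port == WORM_PORT


def syn_only_rule_drops(seg: Segment) -> bool:
    """Hypothetical tighter rule: only inbound connection attempts to 5554."""
    return (seg.direction == "in"
            and seg.dst_port == WORM_PORT
            and seg.syn and not seg.ack)


# Constructed sample traffic. Each flow is a list of segments in order.
SAMPLE_FLOWS: Dict[str, List[Segment]] = {
    # Worm scan: remote host opens a connection to the customer's port 5554.
    "worm_scan": [
        Segment("in", 3456, WORM_PORT, syn=True, ack=False),
    ],
    # Legitimate outbound HTTP where the customer's stack happened to pick
    # 5554 as its ephemeral source port (the case Kristoff describes).
    "http_ephemeral_5554": [
        Segment("out", WORM_PORT, 80, syn=True, ack=False),
        Segment("in", 80, WORM_PORT, syn=True, ack=True),   # SYN-ACK
        Segment("out", WORM_PORT, 80, syn=False, ack=True),
    ],
    # Legitimate inbound SMTP to the customer's mail server where the remote
    # client's ephemeral port is 5554.
    "inbound_smtp_ephemeral_5554": [
        Segment("in", WORM_PORT, 25, syn=True, ack=False),
        Segment("out", 25, WORM_PORT, syn=True, ack=True),
        Segment("in", WORM_PORT, 25, syn=False, ack=True),
    ],
}


def evaluate(rule: Callable[[Segment], bool],
             flows: Dict[str, List[Segment]]) -> Dict[str, bool]:
    """Return {flow_name: True if the flow survives the rule, False if any segment is dropped}."""
    return {name: not any(rule(seg) for seg in segs) for name, segs in flows.items()}


def collateral_damage(rule: Callable[[Segment], bool],
                      flows: Dict[str, List[Segment]]) -> List[str]:
    """Names of non-worm flows the rule breaks: the 'intermittent failures' of the post."""
    survived = evaluate(rule, flows)
    return [name for name, ok in survived.items()
            if not ok and not name.startswith("worm_")]


if __name__ == "__main__":
    for label, rule in (("naive port match", naive_rule_drops),
                        ("inbound SYN only", syn_only_rule_drops)):
        print(f"{label}: survives={evaluate(rule, SAMPLE_FLOWS)} "
              f"collateral={collateral_damage(rule, SAMPLE_FLOWS)}")
```

Both rules stop the scan, but the naive rule also kills both legitimate sessions, and it does so only on the runs where the stack happens to choose 5554, which is exactly the intermittent, hard-to-diagnose failure the post warns about. The SYN-only rule removes that case; what it still breaks is any legitimate inbound service a customer actually runs on 5554, so even the tighter rule carries a cost that should be documented before it is deployed at PEs and NAS gear.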