RE: Blocking worms/ddos for customer for free?

Hash: SHA1

From: Kim Onnel []
Posted At: Monday, December 06, 2004 11:46 AM
Posted To: NANOG
Conversation: Blocking worms/ddos for customer for free?
Subject: Blocking worms/ddos for customer for free?


Currently, on our ingress, we block spoofed packets, common
worms/trojans ports.

We do that for all of our customers(residential DSL, Dial-up,
Corporate DSL, and the data center hosted websites/servers),

For me there are 2 ways to look at it,
if i leave these worms to come in, they would consume our
bandwidth and CPU, and on the other hand, it looks like we're
giving a free service, which in a way uses up our resources,

Its the same for DDoS, if i stop it for a customer, i'm
giving him a free a service, if i dont, its gonna wreck my network.

Personally, i block the illegitimate packets out of my
network(egress) but thats because i owe this to the internet
community, even if i am not getting paid for it.

I would like to know other providers policy about this?

Blocking spoofed packets (inbound and outbound) is certainly a good
thing and, in my opinion should be done by providers across the

Blocking worms/trojan/whatever ports starts to get a little more
difficult. Mainly due to the fact that they often times use ports
and protocols that are valid and blocking them breaks things that are
required. At the risk of starting the whole "Microsoft stuff should
be banned from the Internet rant" I'll use the example of ports
135-139. Some people block those ports and don't get too much grief
from their customer base. Others that try to block them find that at
least some portion of the customer base complains because they have
something that relies on those ports to work. This leads many to
choose the path of least resistance and not filter.

The other challenge with filtering is that it can consume resources,
in some cases more quickly than not filtering at all. If traffic
levels are high enough filtering can melt down your router more
quickly than not filtering. This obviously depends on a number of
things and we are seeing vendors produce routers that can filter at
line rate without impacting performance or just plain falling over.
Those routers can be very expensive however and if someone isn't
paying for that additional service it can be hard to justify
upgrading to a new line card that runs an easy six figures just to
become your customer's free firewall.

Those two things said, we don't believe that we are our customer's
firewall unless specifically contracted to perform that task. That
insures that we are compensated for the resources consumed and that
we all agree on what is or is not valid traffic. All to often we
have found that valid traffic for one person is not valid traffic for
another so "firewall rules" will vary from one customer to the next.

DDOS inbound to your customer may or may not wreck your network and
what looks like a DDOS attack can be valid traffic for some
customers. I know that we handle it on a case-by-case basis with
good customer communication before we take action, assuming it isn't
wrecking the rest of our network. If it is wrecking our network then
we subscribe to the "Sacrifice the one to save the many" philosophy
and will stop the attack.

DDOS outbound from your network is again something that you need to
double check to insure that it really is a DDOS attack. In our case
if we see something that we strongly believe to be an outbound attack
or can verify as an outbound attack then we'll take action. Anomolous
traffic gets investigated to see if it is an attack or if it is
valid. That, to us, is just part of being a good net citizen and
making sure our customers don't ruin someone else's day.


- ----------------------------
Chad E Skidmore
One Eighty Networks, Inc.