What do you want your ISP to block today?

That depends if you are buying the 100% internet or 99.993% internet
service.

Well, if '100%' includes all the garbage traffic generated by the
worm du jour. On my home cable modem connection, about 80% of the
packets hitting my firewall are 'junk'. Maybe I would be able
to actually share files unencrypted using MSFT file sharing. If I can
manage to inject the necessary traffic between all the Nachia Pings and
Blaster scans.

There are 10 kinds of people in the world. Those who understand binary
and those that don't.

ISPs should either block the mentioned ports, or send out bills in
binary.

No. ISPs should not block ports unless they are listed in the AUP as
non-permitted traffic or it is a necessary and temporary remedial action
for a service-affecting problem. I understand binary, but that doesn't
mean I want my bills in that format.

I still do not understand why a manufacturer is permitted to release a
product which causes such harm, and, rather than hold that manufacturer
liable, so many people feel that the entire rest of the world should
change to accommodate that one manufacturer's deficiencies.

Owen

Johannes Ullrich wrote:

Well, if '100%' includes all the garbage traffic generated by the
worm du jour. On my home cable modem connection, about 80% of the
packets hitting my firewall are 'junk'. Maybe I would be able
to actually share files unencrypted using MSFT file sharing. If I can
manage to inject the necessary traffic between all the Nachia Pings and
Blaster scans.

Once upon a time there was a proposal for a protocol which allowed clients to
push a filter configuration to the edge router to both classify traffic and filter
unneeded things. For one reason or another, this supposedly ended in the bit bucket?

Pete

Once upon a time there was a proposal for a protocol which allowed clients to
push a filter configuration to the edge router to both classify traffic and filter
unneeded things.

Nice idea. I am sure clients will figure that out. As quickly as they
caught on to 'Windows Update' and 'Setting up a VCR clock'. Let's face
it: Some things are better left to the "experts".

No. ISPs should not block ports unless they are listed in the AUP as
non-permitted traffic or it is a necessary and temporary remedial action
for a service-affecting problem.

I fully agree that ISPs should include the list of blocked ports in
their AUP. (somewhere in the paper it mentions the confusion caused by
uncoordinated filters).

I still do not understand why a manufacturer is permitted to release a
product which causes such harm, and, rather than hold that manufacturer
liable, so many people feel that the entire rest of the world should
change to accommodate that one manufacturer's deficiencies

But should the end user pay for the faults? They already pay
for the software and the Internet connection. How many ISPs on this list
provide support for non-MSFT operating systems? Does the free CD you
hand out run on anything but Windows?

90% + of internet users do use MSFT Windows. So I don't think you have a
choice other than to "live with it".

Owen,

Owen DeLong wrote:

Sorry... "Millions of vulnerable users" are only vulnerable because those
users chose to run vulnerable systems. They have the responsibility to
do what is necessary to correct the vulnerabilities in the systems they
chose to run.

Most of them don't know any better than to run what they've got. Computer users, by and large, are not at all educated in the nature of what they're running, or the potential issues due to running Windows. Who tells them that they shouldn't run Windows?

This is akin to driving a pinto, knowing that it's a bomb, and expecting
your local DOT to build explosion-proof freeways.

Your analogy is flawed. The problem is, most people don't realize that:
  1.) Windows is as flawed as it is,
  2.) That there are real alternatives.

But, I suspect, this has gone far off the topic of Operations. Take this off-list; there's nothing to be gained from this discussion any further.

ObOperational:
Did anybody see some strange latency on UU.Net yesterday in the Chicago area?

Gabriel

> Some businesses have created an entire industry of outsourcing Exchange
> service which needs all their customers to be able to use those ports.

So should everyone else be required to keep their doors open so they can
offer the service? Who is wrong/right? Millions of vulnerable users that
need some basic protection now, or a few businesses?

If a user needs protection, it is up to user to get it.

It is just like one wants to go and screw everyone who walks past him/her,
it is up to him/her to make sure that he/she uses condoms, not for everyone
else.

Alex

> Even on Windows they can be used in a much safer fashion (although I would
> never attempt it for any of my stuff). It is possible to use IPSec policies
> on 2000 and higher to encrypt all traffic on specified ports to specified
> hosts/networks and block all other traffic. I bet some people are using
> this to join remote locations securely to each other for Windows networking
> with these ports and IPSec policies.

If you explain the difference between "IPSec" and "The Web" to
an end user, and can convince them that they have "enough
Pentium" for it, you win and don't have to block the ports.

That is rubbish. Users do not care about "IPSec". Neither do they care about
anything else but having everything work.

> There are 10 kinds of people in the world. Those who understand binary
> and those that don't.

ISPs should either block the mentioned ports, or send out bills in
binary.

I encourage my competitors to block as many ports as they possibly can,
breaking as many applications as they possibly can, since I would gladly
have their users pay me money to provide the service.

Alex

you mean like 'using a computer' ?

Johannes Ullrich wrote:

90% + of internet users do use MSFT Windows. So I don't think you have a
choice other than to "live with it".

I wonder if there would be a market for "Windows Outside" ISP.

Pete

you mean like 'using a computer' ?

hehe... yes! if you insert the word "securely" at the end.

Case in point: I helped my neighbor last weekend to diagnose a printer
issue. Another problem he had was that his computer always "rebooted"
and never "shut down". He just never read/understood the shutdown dialog
and it never occurred to him that the radio buttons do anything.

It's hard these days. But I HIGHLY recommend for everyone to get out of
your server closets, enjoy the sun, and talk to non-techies once in a
while. Or: spend a couple hours answering the front end customer support
calls if you can't remember where you parked your car.

Sorry... "Millions of vulnerable users" are only vulnerable
because those users chose to run vulnerable systems.

no, they chose to run popular/... systems. they do not know
what vulnerable means, let alone how to judge it. pinto owners
did not make a conscious choice of buying a bomb.

randy

But should the end user pay for the faults?

The end user is angry because lashing out at the manufacturer gets you routed to a null interface :-)

why should the ISP pay? (Now that is the question)

They already pay
for the software and the Internet connection.

Do you call Microsoft when your "internet" connection is down? (msn.net customers exempted)

How many ISPs on this list
provide support for non-MSFT operating systems? Does the free CD you
hand out run on anything but Windows?

I think they only support their application (the one they want you to dial-in with) over this operating system, nothing else (meaning the OS itself and this is mostly for residential users, nothing was given to me when I had my last optical circuit handed over...wait let me check...nope nothing).

90% + of internet users do use MSFT Windows. So I don't think you have a
choice other than to "live with it".

Wow only 10% of "internet" connected systems are "other than"...!!!!!!

I think that it is ridiculous to expect the ISP now to start filtering these ports. The "internet" in itself is nothing more than a communications link, and the ISPs are providers to this link. The purpose of which is the exchange of information over a "public" medium.

You want an ISP to begin filtering at the 4th layer (OSI Reference...yikes), why??? Besides alleviating the headaches of some users of a specific manufacturers product, it makes no sense.

What would you filter? Before you filter you need a policy in place. For this idea to even be effective you would need a policy that is acceptable among all ISPs, (HA HA HA). Next you need all ISPs to implement these policies consistently and equally throughout their infrastructure (scary).

Now you go back to your firewall logs and poof!!!!! Still a lot of junk (different junk, but nonetheless junk)!!!! You think it will stop there??? Human nature is suitable for adaptation...now what??? More filters......makes no sense....so there will be no more free exchange of information over a public medium?

Since only 90% of internet users use MSFT Windows we should make it a Microsoft friendly network then. Plug and Play your heart out!!!!!!

G.

Johannes Ullrich writes:

No. ISPs should not block ports unless they are listed in the AUP as
non-permitted traffic or it is a necessary and temporary remedial action
for a service-affecting problem.

I fully agree that ISPs should include the list of blocked ports in
their AUP. (somewhere in the paper it mentions the confusion caused by
uncoordinated filters).

I still do not understand why a manufacturer is permitted to release a
product which causes such harm, and, rather than hold that manufacturer
liable, so many people feel that the entire rest of the world should
change to accommodate that one manufacturer's deficiencies

But should the end user pay for the faults? They already pay
for the software and the Internet connection. How many ISPs on this list
provide support for non-MSFT operating systems? Does the free CD you
hand out run on anything but Windows?

90% + of internet users do use MSFT Windows. So I don't think you have a
choice other than to "live with it".

--
--------------------------------------------------------------
Johannes Ullrich jullrich@euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the security functions within the routers that we install."
         support@covad.net
--------------------------------------------------------------

Gerardo A. Gregory
Manager Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)

Hi, Johannes.

] It's hard these days. But I HIGHLY recommend for everyone to get out of
] your server closets, enjoy the sun, and talk to non-techies once in a
] while. Or: spend a couple hours answering the front end customer support
] calls if you can't remember where you parked your car.

While non-techies can be a support challenge, I find the greatest
challenges and demands come from the very techie customers. These
are the same customers that don't want to hear "the outage happened
because we put a new filter on the peering router...to protect you
from outages caused by worms!"

Although it sounds logical to say "some filters are better than no
filters," this presumes that "some filters" have no adverse side
effects. We all know better. Bugs aren't restricted only to
products from Redmond, typos happen, and the performance hit can
be quite painful. You say that putting these filters in place
will reap financial reward? Where is the data to support that
theory? Most contracts include credit or refund clauses if the
link goes down or if the performance doesn't meet a certain level.
Failure to meet these clauses results in credits to the customer,
refund to the customer, or the customer leaving for a competitor.
Convincing a business to take a risk - a *fiscal* risk - isn't as
easy as saying "this will stop worms." All of the cost data I've
seen related to worms is either clearly overblown or is based on
a paucity of data. I'm not saying these things don't have a cost;
I am saying that the cost hasn't been realistically quantified.

Of course all of this is hand-waving until the market places
security above other requirements, such as increased performance
and shiny new features.

Thanks,
Rob.

> Once upon a time there was a proposal for a protocol which allowed clients to
> push a filter configuration to the edge router to both classify traffic and filter
> unneeded things.

Nice idea. I am sure clients will figure that out. As quickly as they
caught on to 'Windows Update' and 'Setting up a VCR clock'. Let's face
it: Some things are better left to the "experts".

  If the clients don't figure it out, they get the default, which can be as
permissive or as restrictive as makes sense for people who can't figure out
how to control filtering.

  DS

Rob Thomas <robt@cymru.com> writes:

   ;; Hi, Johannes.
   ;;
   ;; ] It's hard these days. But I HIGHLY recommend for everyone to get out of
   ;; ] your server closets, enjoy the sun, and talk to non-techies once in a
   ;; ] while. Or: spend a couple hours answering the front end customer support
   ;; ] calls if you can't remember where you parked your car.
   ;;
   ;; While non-techies can be a support challenge, I find the greatest
   ;; challenges and demands come from the very techie customers.

YES! Often it's the case that they A) don't fully understand the
problem but B) feel they have the "perfect" solution anyways.
"non-techies" will defer to your judgement, "demi-techies" will
require bulletproof reasoning for not doing things their way. I
hate when that happens. Especially when the reasoning is indeed
suboptimal and not by (my) choice or under my control.

Peace,

Petr

While non-techies can be a support challenge, I find the greatest
challenges and demands come from the very techie customers. These
are the same customers that don't want to hear "the outage happened
because we put a new filter on the peering router...to protect you
from outages caused by worms!"

The paper talks about "consumers" defined as "home users or small
business without dedicated IT staff". These filters should be clearly
stated as part of the subscriber agreement. Many filter problems are
the result of inconsistent and rushed implementation.

You say that putting these filters in place
will reap financial reward? Where is the data to support that
theory?

I admit: I do not have "hard numbers". But all the calls to support
about slow connections, or dealing with all the abuse@ complaints
has to cost something.

Most contracts include credit or refund clauses if the
link goes down or if the performance doesn't meet a certain level.

given that (a) the customer knows ahead of time about the blocked
port, and (b) blocking the port may actually reduce the impact
of the occasional worm, your argument proves that there may be
a financial benefit.

All of the cost data I've
seen related to worms is either clearly overblown or is based on
a paucity of data. I'm not saying these things don't have a cost;
I am saying that the cost hasn't been realistically quantified.

yes. I am not using any of these numbers to support my issue.
But answering support calls, handing out refunds, and dealing
with abuse email does cost money.

such as increased performance and shiny new features.

Well, performance should if anything improve. At this point, my cable
modem which I use for regular web browsing is seeing about 80%
"unsolicited" traffic. Not that the bandwidth impact is huge. But I
rather use it to speed up my pr0n downloads than to waste it on
pings/port 135 probes/arp storms...

And someone is paying to move all these packets across the wire. After
all: That's what we all agree on. We are paying ISPs to move packets.

[snip]

effects. We all know better. Bugs aren't restricted only to
products from Redmond, typos happen, and the performance hit can
be quite painful.

In my experience more network downtime is caused by configuration errors than all other causes together.

The best diagnostic tool I've ever had is a script I cobbled together over two hours one night. Once an hour, it simply collected all the router configs across the network, did a 'diff' between the current and last config, and if there were changes, emailed them to me, along with a TACACS+ log summary that showed who had logged into which router when.

Experience with this quickly taught me to check these summary change logs whenever a problem was escalated to me. Most times the problem was related to a config change, not an external cause. Further experience taught me to look out for one particular engineer's name in the logs but that's another story.

The best diagnostic tool I've ever had is a script I cobbled together over two hours one night. Once an hour, it simply collected all the router configs across the network, did a 'diff' between the current and last config, and if there were changes, emailed them to me, along with a TACACS+ log summary that showed who had logged into which router when.

There are a couple of tools I know about which will do the first part (the config diffing part). Both are easy to extend if you wanted to include other bits (such as tac-plus log summaries).

   Shrubbery Networks, Inc. - RANCID
   http://buffoon.automagic.org/dist/ciscoconf-1.1.tar.gz

I wrote ciscoconf. I would recommend that everybody use rancid instead.

Experience with this quickly taught me to check these summary change logs whenever a problem was escalated to me. Most times the problem was related to a config change, not an external cause. Further experience taught me to look out for one particular engineer's name in the logs but that's another story.

Amen to all that.

Joe
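The hourly config-diff-plus-TACACS+-summary script described above, and the tool pointers in Joe's reply, as an added example that is not the poster's script and not RANCID or ciscoconf: a POSIX shell sketch that diffs freshly collected router configs against last hour's copies and lists the TACACS+ session starts on each changed router. It assumes constructed data: configs as $STATE_DIR/<router>.cfg and $NEW_DIR/<router>.cfg, a whitespace-separated accounting log (time router user port remote-addr start|stop), and $MAILER as the report sink; actually collecting the configs from the routers is left to the reader.

```shell
#!/bin/sh
# Added example (not the poster's script, not RANCID/ciscoconf): hourly config
# diff plus a "who logged into which router when" TACACS+ summary. Paths,
# configs and the accounting log (fields: time router user port remote start|stop)
# are constructed below; MAILER is the report sink (cat here, mail(1) in production).
set -u
WORK=${WORK:-$(mktemp -d)}
STATE_DIR="$WORK/last"; NEW_DIR="$WORK/now"; TACACS_LOG="$WORK/tacacs-acct.log"
MAILER=${MAILER:-cat}

# Names of routers whose fresh config differs from (or has no) last-hour copy.
changed_routers() {
    for f in "$NEW_DIR"/*.cfg; do
        [ -e "$f" ] || return 0                  # nothing collected yet
        name=$(basename "$f" .cfg)
        if ! cmp -s "$STATE_DIR/$name.cfg" "$f" 2>/dev/null; then echo "$name"; fi
    done
}

# Unified diff for one router; a router seen for the first time diffs against /dev/null.
config_diff() {
    old="$STATE_DIR/$1.cfg"; [ -f "$old" ] || old=/dev/null
    diff -u "$old" "$NEW_DIR/$1.cfg" || :       # diff exits 1 when they differ
}

# One line per TACACS+ session start on the given router: time router user address.
tacacs_logins() {
    awk -v r="$1" '$2 == r && $6 == "start" { print $1, $2, $3, $5 }' "$TACACS_LOG"
}

# Build the report, hand it to $MAILER, then promote the fresh configs to "last".
report() {
    list=$(changed_routers)
    [ -n "$list" ] || return 0
    {
        echo "Config changes detected $(date)"
        for r in $list; do
            echo "=== $r ==="; config_diff "$r"
            echo "--- TACACS+ logins on $r ---"; tacacs_logins "$r"
        done
    } | $MAILER
    mkdir -p "$STATE_DIR" && cp "$NEW_DIR"/*.cfg "$STATE_DIR"/
}

# Constructed sample data: core1 unchanged, edge1 gained an ACL line, and the
# accounting log shows who was logged into edge1 at the time.
make_sample_data() {
    mkdir -p "$STATE_DIR" "$NEW_DIR"
    printf 'hostname core1\n' > "$STATE_DIR/core1.cfg"
    cp "$STATE_DIR/core1.cfg" "$NEW_DIR/core1.cfg"
    printf 'hostname edge1\ninterface Serial0\n' > "$STATE_DIR/edge1.cfg"
    printf 'hostname edge1\ninterface Serial0\naccess-list 110 deny tcp any any eq 135\n' \
        > "$NEW_DIR/edge1.cfg"
    printf '%s\n' '2003-08-15T01:02:03 edge1 alice tty1 10.0.0.50 start' \
        '2003-08-15T01:09:40 edge1 alice tty1 10.0.0.50 stop' \
        '2003-08-15T01:15:00 core1 bob tty2 10.0.0.51 start' > "$TACACS_LOG"
}

make_sample_data && report                       # demo run; prints the report
```

Run it from cron once an hour after whatever you use to pull the configs into $NEW_DIR; the report lands in the mailbox only when something actually changed, which is the signal the post describes checking first on escalation.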

Gerardo Gregory wrote:

these ports. The "internet" in itself is nothing more than a communications link, and the ISPs are providers to this link. The purpose of which is the exchange of information over a "public" medium.
You want an ISP to begin filtering at the 4th layer (OSI Reference...yikes), why??? Besides alleviating the headaches of some

Hmmm. Perhaps I should shut down my abuse desk and just be a communications link. After all, the user's computer wants to transmit viruses or spam, so why should I stop it?

If people run layer 7 filtering to stop abuse, what makes you think they won't run layer 4 to meet the same goals? A lot of networks already run layer 3 filtering for misbehaving networks and bogon filters. Spam filtering takes place at anywhere from 3-7, depending on the network.

One can't have it both ways. You either do no filtering and watch the system completely crash as you can't afford the overhead of the malicious content which is on the rise, or you apply filters to protect your network and *the* network overall. Not filtering consumer networks will cause issues at the backbone networks, forcing upgrades and driving prices back up.

If we don't protect *our* network, then some governments will start mandating how they'll protect it. I for one do not wish to give up control of what I've designed, built, and improved to people who usually don't know what telnet is, much less ssh.

-Jack