Re: [ISN] ISPs Could Block Ports to Reduce Spread of Malware (2 messages)

From: InfoSec News (isnat_private)
Date: Mon Sep 15 2003 - 00:32:57 PDT


    Forwarded from: Tony | AVIEN / EWS <tonyat_private>
    
    I agree with the proposal. I just recently proposed something similar
    in an article on my site.
    
    I think that the impact would be minimal as the ports recommended for
    blocking are not commonly used across the Internet.
    
    I do agree that users should be primarily responsible for securing
    their computers; however, that isn't always feasible. Some of the
    recent patches for Windows 2000, for example, require Service Pack 2.
    Service Pack 2 is 100Mb and takes almost an entire day to download via
    a 56k dial-up connection, which a majority of home users still have. So,
    while home users SHOULD be responsible for securing their computers,
    vendors should not write such flawed software that it takes patches
    and updates that are almost as big or bigger than the original
    application they are fixing.
    
    For cases like these, it is my opinion that the vendors should be
    required to partner with retail outlets and fund the burning and
    distribution of free CDs. Microsoft offers the larger updates on CD,
    but they charge for the disc plus shipping & handling. As a user I
    take offense that they would want another $20 from me to fix the
    flawed product I already paid for. Retail outlets like Best Buy,
    CompUSA or even Target and Walmart should be set up to download and
    mass produce the updates on CDs and distribute them free of charge to
    anyone who asks; let the vendor foot the bill to finance the
    operation.
    
    Given that the majority of the home user market is on dial-up and
    can't reasonably download and apply the prerequisites for the current
    patches, it is unreasonable to put the burden on them.
    
    The ISPs should be taking proactive measures, including blocking
    these ports, to protect themselves and their patched paying customers
    from the unpatched customers. Even though I have all of the patches
    and updates I was still affected by the amount of traffic on my ISP's
    network from the infected customers. The network was effectively shut
    down from the volume of traffic. As a paying customer who did what I
    was supposed to do to protect myself, I expect my ISP to do what they
    are supposed to do to protect the whole network.
    
    Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+
    About.com Guide for Internet / Network Security
    http://netsecurity.about.com

    -=-
    
    
    Date: Thu, 11 Sep 2003 18:12:39 +1000
    From: Russell Coker <russellat_private>
    To: InfoSec News <isnat_private>
    Subject: Re: [ISN] ISPs Could Block Ports to Reduce Spread of Malware
    
    On Thu, 11 Sep 2003 16:03, InfoSec News wrote:
    > Forwarded from: Mark Bernard <mbernardat_private>
    >
    > I do not agree with this recommendation for two reasons, see below:
    >
    > First off, what about all the legitimate uses for these ports? This
    > strategy would in fact reduce and/or eliminate the functionality of
    > thousands of computers around the world. Functionality that has
    > already been sold and paid for.
    
    In the rare event that someone really wants to share files over the
    Internet then they can apply to their ISP to have the default filter
    turned off.  I've configured ISPs in that manner and customers have
    been happy.
    
    For a large ISP you could even have a web based system for
    administering firewall rules for such things.  However I haven't
    worked for a large ISP that was so interested in customer security
    (does such a large ISP exist?).
    
    > Secondly, this strategy in fact removes accountability from where it
    > belongs, the computer user. It is reminiscent of the early dark-days
    > of the Internet when the law makers didn't know how to assess
    > damages caused through Internet connections so they made ISPs
    > accountable. That was a desperate maneuver that failed!
    
    If the user can choose between several options of firewalls then the
    accountability is still on them.  They can choose the default option
    and have those ports blocked, or they can have them un-blocked and
    take their own measures to ensure that they aren't vulnerable to such
    attacks.
    
    Having users be directly accountable for their actions is fine in
    theory, however in practice it can be difficult to achieve with even
    the most skilled users.  Imagine the scenario where someone has a
    secure machine, they go on holidays for a month in a remote location
    and forget about computers.  While they are away a security hole is
    discovered and a worm is written to exploit it.  Now how will they
    learn about security holes when they get home?  Probably from the
    Internet, but to access their email they have to go online leaving a
    window of opportunity for the worm...
    
    The best solution is to have some aspects of PC security delegated
    from the user to people and organizations that are better equipped to
    handle it.  I don't deal with all aspects of car safety, I rely on my
    mechanic to deal with most of it for me.  Computer users should be
    able to rely on their ISP in a similar manner.
    
    I think that the way ISPs would ideally operate is that whenever a new
    virus or worm is released they would block ports as appropriate to
    stop it for all their users.  So when an SMB worm is released they
    would block the SMB ports for everyone.  Then users who have fixed
    their PC (or whose PC was not vulnerable) can configure their firewall
    entry to stop blocking that port IF they need it.  Users who don't
    need that port (the majority) would never have it re-enabled and not
    miss it.
    
    Finally an ideal ISP would optionally scan their customers' machines
    for vulnerabilities (default being to scan the machine if not
    specifically requested not to).  Then if they detect a vulnerability
    they can block whichever ports are necessary to prevent an attack
    (cutting the machine off from all net access apart from POP/IMAP if
    necessary) until the user fixes it.
    
    
    Russell Coker
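    The filtering model described in the message above, written out as an added
    example (not code from the list or from any ISP): worm ports are blocked for
    every customer by default, a customer who has fixed their PC can have a port
    re-enabled, and a customer whose machine fails a vulnerability scan keeps only
    mail access until fixed. The SMB and POP/IMAP port numbers are the well-known
    ones; the customer IDs are constructed for the example.

```python
# Added example modelling the ISP port-filtering policy from the list message.
# Customer identifiers ("cust-A", "cust-B") are constructed for illustration.

SMB_PORTS = {137, 138, 139, 445}    # NetBIOS over TCP/IP and direct SMB
MAIL_PORTS = {110, 143, 993, 995}   # POP3, IMAP and their TLS variants


class IspFilterPolicy:
    def __init__(self):
        self.default_blocked = set()   # ports blocked for all customers
        self.opt_in = {}               # customer -> ports they re-enabled
        self.quarantined = set()       # customers whose scan found a hole

    def block_for_worm(self, ports):
        """A new worm is released: block its ports for everyone."""
        self.default_blocked |= set(ports)

    def allow_for_customer(self, customer, port):
        """A customer who fixed their PC asks to stop blocking a port."""
        self.opt_in.setdefault(customer, set()).add(port)

    def record_scan(self, customer, vulnerable):
        """Scan result: a vulnerable machine keeps only mail retrieval."""
        if vulnerable:
            self.quarantined.add(customer)
        else:
            self.quarantined.discard(customer)

    def permits(self, customer, port):
        """Decide whether traffic on `port` is passed for `customer`.

        Quarantine takes precedence over an opt-in, so re-enabling a port
        does not help a machine the scan has shown to be vulnerable.
        """
        if customer in self.quarantined:
            return port in MAIL_PORTS
        if port in self.default_blocked:
            return port in self.opt_in.get(customer, set())
        return True


def demo():
    """Build the scenario from the message: SMB worm, one opt-in, one quarantine."""
    policy = IspFilterPolicy()
    policy.block_for_worm(SMB_PORTS)               # SMB worm released
    policy.allow_for_customer("cust-A", 445)       # patched user needs file sharing
    policy.record_scan("cust-B", vulnerable=True)  # scan finds cust-B exposed
    return policy
```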
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    This archive was generated by hypermail 2b30 : Mon Sep 15 2003 - 03:23:52 PDT