Security or Freedom?

Started by iago, September 27, 2004, 04:14 PM


iago

Lately, when I've been doing portscans, I noticed that certain ports were blocked.  I emailed my ISP about this, and they responded with a beautiful generic message:

Quote: Reasons for port blocking

Over the last few years, the volume of Open Relay Email Spamming and Network Viruses has increased dramatically. Customers and ISPs are directly affected by this continual onslaught of junk Email, Network-based Virus Scanning and Attacks. A number of ISPs worldwide are combating these costly and time consuming annoyances with the use of Port blocking.

MTS has blocked specific service ports (see below for the list of service ports) on the Residential HSI and dialup networks. These service ports are not normally used by Residential subscribers as well as being prohibited based on our Terms and Conditions for Residential Services (click here to view the terms and conditions web page). Having the appropriate ports blocked will save these users from the ongoing port scanning and potential vulnerability encountered by having these ports exposed (Please keep in mind that VPN tunneling would by-pass port blocking and would not be limited).


Simple Mail Transport Protocol, port 25 TCP

Restricting the flow of direct outbound mail will aid in reducing the amount of Spam delivered directly to foreign systems and force all mail delivery to flow via our mail gateways. By not having this in place, our customers' computers are being fraudulently used to deliver millions of messages directly to other providers such as AOL, Hotmail and Yahoo. This in turn has resulted in the MTS domain being placed on blacklists at AOL as well as Hotmail and Senderbase. By forcing mail through our mail gateway we are able to track and police this traffic as well as filter it via Brightmail prior to sending it on to the foreign domain. The MTS SMTP server (smtp.mts.net) will be the only SMTP server available to Residential HSI and dialup customers. SMTP is blocked in both directions for this subscriber base.


Microsoft Service ports

These services were designed for use over secure local area networks and not the hostile environment of the Internet. These ports are blocked in both directions for the Residential DSL and dialup subscriber base. Please note that this will not affect the return ports (Example: The dynamic Ports, 1024 or greater, when used to return traffic to the subscriber)


Ports          Service Name
135 TCP UDP    MS Exchange
137 TCP UDP    MS NetBIOS RPC (Remote Procedure Call), File & Print sharing
138 TCP UDP    "
139 TCP UDP    "
445 TCP        "
1433 TCP       MS SQL
1434 UDP       "


Virus Back Doors

These ports are commonly used by today's popular viruses as back doors to infected computers. This allows the virus creator or hackers, access to these infected computer systems to access files or to use them as a "Zombie" to perform DOS (Denial of service) attacks on Internet locations. These ports are blocked in both directions for the Residential DSL and dialup subscriber base. Please note that this will not affect the return ports (Example: The dynamic Ports, 1024 or greater, when used to return traffic to the subscriber).


Ports       Description
1025 TCP    Commonly used by a variety of Viruses as a Backdoor
3127 TCP    MyDoom backdoor
6129 TCP    DameWare Remote Admin Software (Embedded into Viruses)
8998 TCP    Sobig Backdoor
9996 TCP    Sasser Backdoor
27374 TCP   Subseven Backdoor

The thing is, I'm not sure how to feel about it.  Well, I do, but I'm going to take this from both sides first.

Here, you can find a graph of internet traffic for a single day last week:
http://javaop.clan-e1.net/~iago/images/irabasic.jpg

Out of the top 10 ports for that day (and this is pretty consistent), at least half of them are caused by worms (probably all of them are), and my isp blocks all of those.  At work, we have IDS (Intrusion Detection Sensors), and we get probed by SQL Slammer about 80,000 times/day, and Red Alert, Sasser, and others are close behind.  Also, spam email relays are everywhere, and it's a HUGE industry, so I can understand blocking SMTP (they have their own SMTP server that we are free to use with your preferred email address).

But here's the thing: is it really up to the ISPs to take care of our security?  And do they have any right to block our ports and police us? 

I think it is.  Because there are obviously 80,000 computers, mostly unique, that probe us daily, and that's an awful lot.  Obviously the people who are looking after the servers aren't doing anything about it (and this was almost a year ago, it will be in January)  <edit> I read the year wrong, it'll be 2 years in January, this was the beginning of 2003</edit>.  Somebody really has to take the initiative and help reduce the number of threats that are taking up tons of bandwidth, not being controlled by any person, and serving no useful purpose except for creating more of the same.

Besides port 25 (which I'm against blocking), not one of those ports has any useful purpose remotely, only within a trusted network.

So I'm happy with my ISPs decision to cut down on the number of viruses sent.  How do others feel about this?



This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
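As an added example (not part of the thread, and not the ISP's own tooling), here is the kind of per-port tally that sits behind a "top 10 ports" traffic graph or an IDS probe count, matched against the ports the notice above lists; the log format and all addresses are constructed.

```python
from collections import Counter
ISP_BLOCKLIST = {  # ports and labels as listed in the ISP notice quoted above
    ("tcp", 25): "SMTP", ("tcp", 445): "File & Print sharing",
    ("tcp", 135): "MS Exchange/RPC", ("udp", 135): "MS Exchange/RPC",
    **{(p, n): "NetBIOS" for p in ("tcp", "udp") for n in (137, 138, 139)},
    ("tcp", 1433): "MS SQL", ("udp", 1434): "MS SQL (Slammer)",
    ("tcp", 1025): "misc backdoor", ("tcp", 3127): "MyDoom backdoor",
    ("tcp", 6129): "DameWare", ("tcp", 8998): "Sobig backdoor",
    ("tcp", 9996): "Sasser backdoor", ("tcp", 27374): "SubSeven backdoor",
}

# Constructed sample sensor log: "<time> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2004-09-27T10:00:01 udp 198.51.100.7:1434 -> 192.0.2.10:1434
2004-09-27T10:00:02 udp 198.51.100.8:1434 -> 192.0.2.10:1434
2004-09-27T10:00:02 tcp 198.51.100.9:3312 -> 192.0.2.10:445
2004-09-27T10:00:03 tcp 198.51.100.9:3313 -> 192.0.2.10:139
sensor restarted
2004-09-27T10:00:05 tcp 203.0.113.4:4021 -> 192.0.2.10:9996
2004-09-27T10:00:06 tcp 203.0.113.5:4022 -> 192.0.2.10:80
2004-09-27T10:00:07 tcp 203.0.113.6:4023 -> 192.0.2.10:445
2004-09-27T10:00:09 tcp 203.0.113.7:4024 -> 192.0.2.10:22
"""

def parse_flow(line):
    """Return (proto, dport) for a well-formed record, None otherwise."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->" or ":" not in parts[4]:
        return None
    dport = parts[4].rsplit(":", 1)[1]
    return (parts[1].lower(), int(dport)) if dport.isdigit() else None

def count_ports(log):
    """Hits per (proto, dport); unparseable lines are skipped, not fatal."""
    return Counter(f for f in map(parse_flow, log.splitlines()) if f is not None)

def top_ports(log, n=10):
    """Top-n probed ports: the tally behind a 'top 10 ports' traffic graph."""
    return count_ports(log).most_common(n)

def blocklist_summary(log):
    """Hits the filter would drop (by label), hits it would pass, dropped share."""
    dropped, passed = Counter(), 0
    for key, hits in count_ports(log).items():
        if key in ISP_BLOCKLIST:
            dropped[ISP_BLOCKLIST[key]] += hits
        else:
            passed += hits
    n_dropped = sum(dropped.values())
    return dropped, passed, n_dropped / max(1, n_dropped + passed)
```

On the constructed log, six of the eight probes land on ports the notice blocks, which is the "at least half of the top 10" picture the post describes.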


quasi-modo

I feel that the isp should not block ports. I think it should be a users decision. But if they provide a router or hub the ports should be blocked by default, but the user should have the ability to unblock them. I do not know if they would be willing to allow a user to configure their modems though. My ports are all stealth, which is because of my isp I believe.
WAR EAGLE!
Quote: (00:04:08) zdv17: yeah i quit doing that stuff cause it jacked up the power bill too much
(00:04:19) nick is a turtle: Right now im not paying the power bill though
(00:04:33) nick is a turtle: if i had to pay the electric bill
(00:04:47) nick is a turtle: id hibernate when i go to class
(00:04:57) nick is a turtle: or at least when i go to sleep
(00:08:50) zdv17: hibernating in class is cool.. esp. when you leave a drool puddle

Grok

If the ISP blocks ports, they are opening themselves up to lawsuits.  If they fail to block ports that an application uses to attack a client, but they block ports that I would use, which they say are "dangerous ports", I would sue them at the first opportunity.

Why?  Because a port is nothing more than a value in two bytes.  Blocking data at the ISP router level, based on that value is stupid.  It turns your ISP into a content provider.

j0k3r

I believe it should be up to the client to choose whether they want their traffic controlled by their ISP or not. A network administrator or knowledgeable computer user would be able to do it themselves, while a lot of casual users would find the option very useful.
Quote: Anyone attempting to generate random numbers by deterministic means is, of course, living in a state of sin
John Vo

Yoni

The best thing an ISP can do: Block evil ports, and unblock them at user request.

If the user doesn't care about the blocked ports, he doesn't need them and the fact they're blocked protects him. Otherwise, they can be unblocked.

Does any ISP do that?

Grok

Quote from: Yoni on September 28, 2004, 03:15 AM
The best thing an ISP can do: Block evil ports, and unblock them at user request.

If the user doesn't care about the blocked ports, he doesn't need them and the fact they're blocked protects him. Otherwise, they can be unblocked.

Does any ISP do that?

What's an evil port?  Seriously, evil bit aside.  A port is not a different wire on which data travels, it's just a value of a couple bytes of any given packet.

Thing

While I feel that the ISP has the right to do whatever they want with their network, I also feel that selective port blocking is futile.  Lusers that continue to use insecure software and open every email attachment with no regard for the consequences get what they deserve.  Then they can pay me to fix their crap.  I love Microsoft products and the authors of evil software that wrecks them!  The continued havoc created by using M$ products is paying to remodel my new office.  That reminds me, I need to get some pics of the Nexus.

P.S.  The networks that I manage rarely have infection troubles.  I maintain the machines with an anal attention to detail and have regular meetings with the employees to educate them about network security.
That sucking sound you hear is my bandwidth.

iago

Grok, you're talking about layer 1, the physical layer.  Yes, it's just a bit and a piece of Data.  The port is even a piece of data at the ip layer, but on tcp it's a place where the data goes, and some of the ports have no reason to be used by outside parties.  By convention, all communication on the internet goes over tcp/ip, and on tcp/ip, the bytes that you speak of are the ports, and some ports are dangerous and useless.

But when I was thinking of this in terms of the layers in the OSI Model, I had a thought -- I wonder which layer my ISP filters it at?  If I can specially fragment the packets (which I believe is layer 2), perhaps across the address, it might let each fragment through.

<edit> Thing -- it's futile, yes, but it helps.  If every isp (or even many isps) filtered ports at the tcp or ip layer (not the physical layer like Grok suggests), it would help.


Thing

http://www.protocols.com/pbook/tcpip1.htm

Recently, I considered port blocking at my edge router.  The more I thought about it the more I realized what a pain in the ass it would be to maintain so I blew it off.  Port blocking doesn't solve the problem, it just reduces the symptoms.  If we are to only block evil ports then we need to block every one of them.  Any port can be used for evil deeds!  I'll just turn off the Internet now and everyone will be safe.

iago

At my work, we force all traffic through a proxy which allows 21, 22, 80, and 443, and I think that's it.  I would kill my isp if they did that, though.

Incidentally, I've been emailing back and forth at my isp complaining about it, and getting generic responses that don't address any of my questions.  But it's fun anyway.



Grok

Quote from: iago on September 28, 2004, 08:29 AM
some of the ports have no reason to be used by outside parties.  By convention, all communication on the internet goes over tcp/ip, and on tcp/ip, the bytes that you speak of are the ports, and some ports are dangerous and useless.

No offense intended here, but that is stupid to say.  A value of a port cannot be dangerous.  Ports are not dangerous.  Ports are not useless.  It's like you're saying the number 9 is scary and should be banned.  Oh, and the numbers 8143, 19226 and 38019 should be put on the scary watch-list.

iago

Quote from: Grok on September 28, 2004, 10:28 AM
Quote from: iago on September 28, 2004, 08:29 AM
some of the ports have no reason to be used by outside parties.  By convention, all communication on the internet goes over tcp/ip, and on tcp/ip, the bytes that you speak of are the ports, and some ports are dangerous and useless.

No offense intended here, but that is stupid to say.  A value of a port cannot be dangerous.  Ports are not dangerous.  Ports are not useless.  It's like you're saying the number 9 is scary and should be banned.  Oh, and the numbers 8143, 19226 and 38019 should be put on the scary watch-list.

I assume it's just as stupid to say that the number "53" gives us addresses and that the number "80" gives us webpages?  It's a convention used worldwide on every computer connected to the internet, so it's perfectly reasonable to identify and filter ports based on the services they provide.


Grok

Quote from: iago on September 28, 2004, 11:58 AM
Quote from: Grok on September 28, 2004, 10:28 AM
Quote from: iago on September 28, 2004, 08:29 AM
some of the ports have no reason to be used by outside parties.  By convention, all communication on the internet goes over tcp/ip, and on tcp/ip, the bytes that you speak of are the ports, and some ports are dangerous and useless.

No offense intended here, but that is stupid to say.  A value of a port cannot be dangerous.  Ports are not dangerous.  Ports are not useless.  It's like you're saying the number 9 is scary and should be banned.  Oh, and the numbers 8143, 19226 and 38019 should be put on the scary watch-list.

I assume it's just as stupid to say that the number "53" gives us addresses and that the number "80" gives us webpages?

Yes.  Now you're getting it.

KrisL

Keeping in mind that the majority of computer users wouldn't be able to follow this conversation going on here, it is smart for the ISP to block ports for them, however I DO NOT agree that they should do it without user consent.  That's pretty much them saying that WE (the users) do not know how to handle our own system security and that they are going to do it for us whether we like it or not.  While this may be the case in the majority of users, there are users who are confident and comfortable in their own security measures.  I believe it should be posed as an option to each user.  Just like when you install a program you can choose "typical" installation or "custom" (advanced users only), I believe this should be applied to this situation.  A "would you like us to block unused (or typically unused) ports that could prove dangerous when left open?" would be both smart and appreciated.  So all in all, the concept is smart on a large scale, but I don't feel that is the proper way to go about doing it.  Just my two cents.

iago

Quote from: Grok on September 28, 2004, 12:03 PM
Quote from: iago on September 28, 2004, 11:58 AM
Quote from: Grok on September 28, 2004, 10:28 AM
Quote from: iago on September 28, 2004, 08:29 AM
some of the ports have no reason to be used by outside parties.  By convention, all communication on the internet goes over tcp/ip, and on tcp/ip, the bytes that you speak of are the ports, and some ports are dangerous and useless.

No offense intended here, but that is stupid to say.  A value of a port cannot be dangerous.  Ports are not dangerous.  Ports are not useless.  It's like you're saying the number 9 is scary and should be banned.  Oh, and the numbers 8143, 19226 and 38019 should be put on the scary watch-list.

I assume it's just as stupid to say that the number "53" gives us addresses and that the number "80" gives us webpages?

Yes. Now you're getting it.

Based on the fact that we can't match ports to programs, how do you recommend setting up a firewall?  Just block everything because we don't want to let anything back through, or block nothing since we never know what port something is going to use?

If we block specific ports (which they all do, except for ones that try to do protocol analysis and suck), then we're following the convention that is used everywhere else in the world and it'll work out. 