[SpamCop-List] Re: Closing port 25 (Follow up)
John E. Malmberg
wb8tyw at qsl.network
Thu Jul 8 11:34:55 EDT 2004
In article <ccjm7i$red$1 at news.spamcop.net>,
Graeme Leith <glnews030922 at highspot.net> writes:
> Frog Prince wrote:
>
> In any case, who is to say that your ISP has implemented a symmetric
> blocking policy? It's perfectly possible for them to block ports
> outbound, but not inbound.
Or are simply blocking the ports for the known testing services' I.P. addresses,
giving the ultimate illusion of security.
> That said, if you have access to a Unix box with tcptraceroute
> installed, you could write a script to trace connection attempts to a
> machine off of your ISP's network on all ports up to 1024. Then you scan
> the traces and see which get stopped by your ISP's border routers and
> which get through to the target network, even though you don't
> necessarily get a connection for them. Once you've done that, you can
> get somebody from outside of your ISP's network to run a similar scan
> against your machine and build up a full map of their inbound and
> outbound TCP firewalling.
With some ISPs, that could trigger a security alert, and possibly get the
I.P. address of the testing system/network blocked for a period of time for
all, or just a set of ports.
If I were in charge of security for a consumer-oriented ISP, I would
definitely have countermeasures in place for such an attack. I would probably
have the known testing sites registered not to trigger the countermeasures.
> It's probably much easier to just ask your ISP what ports they block in
> each direction.
Some of the broadband ISPs I have had to deal with in this area have trouble
giving a correct answer. In many cases it appears that the support person
behaves like they are graded negatively on how long a call lasts, and
really bad if they have to refer a call to a technician.
I have had several help desk calls where I have caught either the first
support contact or their supervisor saying things that directly conflicted
with easily observed reality, and it was either a case where they were
making things up, or someone that trained them was making things up.
One of the things that came out of pointing out that the support people were
obviously giving me false information is that the ISPs are afraid of their
customers not understanding the reality that to manage a large broadband
consumer network, you must do certain things like blocking exploited ports,
and refusing e-mail from I.P. addresses that permit spamming, or the technical
staff will be overwhelmed with problems.
And some of the broadband ISPs are slow learners about doing these steps, and
only still have customers because either they have an effective monopoly, or
their competition is just as bad, and most of their customers do not realize
that these problems are easily handled by a competent technical staff.
I have also seen on other forums where ISP employees found out the hard way that
the internal "experts" they were relying on were giving them bad information.
-John
wb8tyw at qsl.network
Personal Opinion Only
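
The "scan the traces" step from the quoted suggestion, as an added example that is not part of the original message or thread: it reads per-port traces that were already collected and reports where each one stopped. The trace format is a simplified, constructed one ("hop address", with "*" for no reply), and the ISP range, target address and sample traces are assumptions using documentation address space.

```python
import ipaddress
import re

# Constructed assumptions: the ISP's address space and the outside test host.
ISP_NETS = [ipaddress.ip_network("198.51.100.0/24")]
TARGET = ipaddress.ip_address("203.0.113.25")

# Constructed, simplified traces keyed by destination TCP port.
TRACES = {
    25: "1 198.51.100.1\n2 198.51.100.254\n3 *\n4 *\n5 *",
    80: "1 198.51.100.1\n2 198.51.100.254\n3 192.0.2.7\n4 203.0.113.25",
    135: "1 198.51.100.1\n2 198.51.100.254\n3 192.0.2.7\n4 *\n5 *",
}

HOP = re.compile(r"^\s*(\d+)\s+(\S+)")


def last_responder(trace):
    """Return the address of the last hop that answered, or None."""
    last = None
    for line in trace.splitlines():
        m = HOP.match(line)
        if m and m.group(2) != "*":
            last = ipaddress.ip_address(m.group(2))
    return last


def classify(trace):
    """Say where the trace for one port stopped getting replies."""
    last = last_responder(trace)
    if last is None:
        return "no-replies"
    if last == TARGET:
        return "reached-target"  # got through, whether or not the port is open
    if any(last in net for net in ISP_NETS):
        # The drop is at or just past this hop, so the ISP is the likely filter.
        return "stopped-in-isp"
    return "stopped-beyond-isp"


def outbound_map(traces):
    """Build the per-port outbound picture from a dict of port -> trace text."""
    return {port: classify(t) for port, t in sorted(traces.items())}


if __name__ == "__main__":
    for port, verdict in outbound_map(TRACES).items():
        print(port, verdict)
```

The result only describes the path to the one target that was traced; as the message above points out, an ISP may treat known testing addresses differently from everything else.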