>> Not once did we have someone actually notice which ports we were blocking outbound on the CPE.

> Would this approach scale effectively for very large ISPs? For example, I know my ISP (rogers, a large cable provider in Canada) is kind enough to block several ports for me. These ports include 25, 113, mssql, etc.

No ... it probably wouldn't scale well. We would usually only take this step if we happened to notice crazy numbers while troubleshooting something else or if someone called in about slow response time. This approach was less draconian than shutting them down.

The usual suspects that we blocked were the 135..139 range and 445. This shuts down a good deal of the automated infection-type scans with little or no effect on connectivity. IRC was another, but we left that one alone for the most part. It is mainly used for the C&C.

The reason they block the ports you mention could possibly be that they have a multi-tiered service offering, i.e., they charge more for a business account, which leaves all ports open. For home use they would block VPN ports and whatnot.

> Calling up the customer support and requesting they unblock the ports is useless.

You need to get up a couple of levels in the support tree before you're going to hit a warm body that knows what's up. Try just shooting for Tier II support when you hit a human voice. If folks made it through to me with these types of requests, I always helped them out.

> Furthermore, their service allocates IPs dynamically so blocking (or unblocking) would be difficult to track properly.

When a CPE was in place I would log in there and do the filtering on their end ... when they had a dumb device at their end I would block at the interface at our end of the link. Most/[All?] DSL and cable links land on some type of logical interface in a router somewhere, so we would slap an ACL on there. We never filtered by IP ... just ports.
_______________________________________________ To report a botnet PRIVATELY please email: [EMAIL PROTECTED] All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
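The two steps the poster describes, noticing "crazy numbers" on the infection-scan ports and then dropping only those ports on the customer's link, as an added example that is not part of the list post. The flow-record format, the sample records, the threshold and the Cisco-style ACL text are all constructed assumptions.

```python
"""Added example (not from the list post): flag CPE hosts hammering the
infection-scan ports (135-139, 445) in flow records, then emit the
port-only filter the post describes. Record format and threshold are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List

INFECTION_PORTS = set(range(135, 140)) | {445}

# Constructed sample flow records: "src_ip dst_ip proto dst_port packets"
SAMPLE_FLOWS = """\
10.1.1.5 203.0.113.10 tcp 445 3
10.1.1.5 203.0.113.11 tcp 445 3
10.1.1.5 203.0.113.12 tcp 139 2
10.1.1.5 203.0.113.13 tcp 135 2
10.1.1.5 203.0.113.14 tcp 445 3
10.1.1.9 198.51.100.7 tcp 443 120
10.1.1.9 198.51.100.8 tcp 80 40
"""


def scan_suspects(flows: Iterable[str], min_targets: int = 4) -> Dict[str, int]:
    """Return {src: distinct_target_count} for sources that touched at least
    min_targets distinct destinations on the infection ports (a scan pattern)."""
    targets = defaultdict(set)
    for line in flows:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than crash on them
        src, dst, proto, dport, _packets = parts
        if proto == "tcp" and dport.isdigit() and int(dport) in INFECTION_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def port_filter_acl(name: str = "BLOCK-INFECT") -> List[str]:
    """Cisco-style extended ACL (syntax assumed) applied on the link interface:
    drops only the scan ports and leaves the rest of the connectivity alone."""
    return [f"ip access-list extended {name}",
            " deny tcp any any range 135 139",
            " deny udp any any range 135 139",
            " deny tcp any any eq 445",
            " permit ip any any"]


if __name__ == "__main__":
    for src, count in scan_suspects(SAMPLE_FLOWS.splitlines()).items():
        print(f"{src}: {count} distinct targets on 135-139/445")
    print("\n".join(port_filter_acl()))
```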
