Re: ACS "tech support"

From: Royce Williams <royce@alaska.net>
Date: Mon Mar 21 2005 - 15:07:54 AKST

On Mon, 21 Mar 2005, damien hull wrote:

> ACS filters their traffic and blocks a lot of things. I tried port
> scanning a client's network and got back a lot of "filtered" replies. The
> client was on GCI so I called tech support and they told me they don't
> filter anything. That's when I realized the problem was ACS.
>
> I'm on GCI now.

Clearly, I do not speak for my employer, but I figured I'd take the
bait here as an individual.

First, the filtering that Damien's describing and the IP block that
Joshua is experiencing are of different kinds: the former is
network-based and probably at our borders, and the latter is
application-based and solely an MTA configuration.

Second, Damien -- if you were just doing the port scan to see what was
running, then yes, unfortunately, you will not be able to probe your
client's network remotely in order to determine whether or not they
have anything listening on those ports. This is a side-effect of the
filtering, and there's not a lot that can be done to work around it
other than initiating the port scan from somewhere topologically
closer to your client.

If, however, your client actually has/had some service running on some
port that isn't widely exploited and that's perfectly safe running
over the public Internet, I'd be very interested in hearing the
specifics about it. While I'm not in charge of our network-level
filtering, I can certainly mention any problems to those who are.

As I understand it, ACS is only blocking the 135-139 known Microsoft
stuff, MS SQL on port 1433, and a couple of other widely-exploited
ports -- all stuff that people stop doing over the public Internet
once they understand the implications.

In other words, if your scan wasn't just for general scanning
purposes, and your client is/was doing any of those things over the
public Internet, you probably should have advised them to stop doing
it, IMHO. Again, this only applies if your scan wasn't just generic.

With the rate of infection out there, ACS has had to start filtering
on the major attack-vector ports out of sheer self-defense. Frankly,
if GCI isn't doing this kind of forwarding, they must get a lot of
complaints about spam originating from systems infected in their
customer base. If you follow what the big ISPs are having to do to
reduce how much spam they're spewing, ACS's blocking of NetBIOS, etc.
is peanuts compared to what some have had to do.

-royce

--
Royce D. Williams                                  - IP Engineering, ACS
personal: [first]@alaska.net                    - PGP: 3FC087DB/1776A531
work: [first.last]@acsalaska.net           - http://www.tycho.org/royce/
Received on Mon Mar 21 15:08:01 2005
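
Since the border filtering described in the message makes a remote scan report these ports as "filtered" regardless of what the host is running, exposure has to be checked on the host itself. The following is an added example, not part of the original message: it parses Windows `netstat -an` output and flags non-loopback listeners on the ports the message names (135-139 and 1433). The sample output, addresses and function names are constructed for illustration.

```python
import ipaddress

# Ports the message names as filtered at the border: 135-139 and 1433.
FILTERED_PORTS = set(range(135, 140)) | {1433}

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49712       198.51.100.7:443       ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    192.0.2.10:137         *:*
"""

def is_loopback(host):
    """True when the bind address is reachable only from the host itself."""
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: report it rather than hide it

def exposed_listeners(netstat_text, ports=FILTERED_PORTS):
    """Return (proto, host, port) for non-loopback listeners on `ports`."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows count only in LISTENING state; UDP rows have no state column.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        host, _, port = local.rpartition(":")
        if port.isdigit() and int(port) in ports and not is_loopback(host):
            findings.append((proto, host, int(port)))
    return findings

if __name__ == "__main__":
    for proto, host, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {host}:{port} listens on a non-loopback address")
```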
