[Techtalk] question around port filtering, etc.

Raven, corporate courtesan raven at oneeyedcrow.net
Thu Aug 23 10:19:26 EST 2001


Heya --

Quoth Michelle Murrain (Thu, Aug 23 2001 at 08:46:36P -0400):
> I've got high-speed internet access through a cable modem provider. For a 
> while, I was able to run a web server w/o any problem (using Dynamic DNS). 
> It is against their rules, but...
> Anyway, I had noticed they'd been portscanning me for a while (I was using 
> snort). I didn't think much of it, until yesterday I found out that they 
> are now filtering specific ports, including port 80, so people can't get at 
> my web sites. 

	The odds are very high that they're not filtering because of your web server.  This is something that many cable modem ISPs have decided to do to combat Code Red.  In the last three weeks, a majority of the cable modem providers in the US have started filtering ports 80 and 25 from their customers.  Since running servers is usually against the AUP anyway, you can't really complain to them that they're blocking what you aren't supposed to be doing.

	Are you sure that the people doing the portscanning were your provider themselves, and not just someone else on their network?  Lots and lots of script kiddies love @Home, Roadrunner, etc.

> I have now decided to move to getting business DSL, because I 
> really want the ability to host my own web sites, but that might take 
> months. In the meantime, I've changed the port that httpd is listening to - 
> and it's working, for now. I'm sure that they'll start filtering that port 
> too at some point.

	I would almost always prefer DSL over a cable modem, if available.  The cost difference (at least in my case) isn't that much, and you have a dedicated local loop rather than a shared segment sometimes (depending on who your provider is).  Also, there are DSL providers out there who actually encourage you to run servers off your DSL line, rather than prohibiting them in the AUP.  Speakeasy.net is particularly good about that.  Be careful when choosing a DSL provider, because some of the providers of home DSL (Earthlink) are filtering ports 80 and 25 also.  If you're running a server, go with someone who will let you do that in the AUP.

	(AUP = Acceptable Use Policy.  It's the terms of service contract that you have to sign when getting connected with a new provider.)

	So unless they're specifically targeting your web server, they probably won't bother to filter out the new port it's running on.  Too much bother.  You run more of a risk if you've chosen a port that corresponds to some other well-known service (for example, if you have it listening on port 53 or 21), but if you picked something like 3042 you're probably safe.
 
> So this is my question: Is there any way to fool them about what port httpd 
> is running on? There is nothing essential right now on the web site, but 
> I've got a fair number of web programming projects that people are beta 
> testing, or using for minor projects, and telling them what port to go to 
> every other day is a pain, to say the least. 

	You can set up a firewall that will return tricky packets and such, but it's probably not worth the bother.  For example, our firewall at home is set to deny any traffic sent on ports it doesn't accept, but it will return one ACK packet with correct sequence numbers.  So a machine portscanning us will see every port "open", but they'll be unable to connect to any of them.  It crashes a couple of Windows-based portscanners by using up all their available buffers for connections.  It's great.

	So, you can fake "this port is listening for TCP connections", or you could return some fake Apache-like traffic on a port that isn't actually your web server, but your web server has to respond properly on the port it's actually listening on, or browsers will be unable to access your web pages.

> It would be nice if I could just set a port, and that 
> port would work for the duration until I got new service.

	You probably can.  Unless you have violated their abuse policy in some flagrant way or have an unusually proactive ISP, they're probably not targeting you in particular.  Code Red and SirCam are eating up the time of most abuse desks and security folk.
 
Cheers,
Raven

"A man's homeland is wherever he prospers."
 -- Aristophanes, "Plutus", 388 B.C.
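The thread raises two things a defender would want to check for themselves: whether the connection attempts snort flagged really amount to a port scan, and whether the scanning source sits inside the provider's own netblock (where, as Raven notes, it is just as likely to be another customer as the ISP). The script below is an added example, not part of the original thread. It parses constructed iptables-style log lines, flags any source that probes several distinct ports within a short window, and labels each flagged source as inside or outside an assumed provider netblock. The log format, the netblock 198.51.100.0/24, all addresses (documentation ranges) and the thresholds are assumptions.

```python
"""Port-scan triage over constructed firewall log lines (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style log lines; every address is from a documentation range.
SAMPLE_LOG = """\
Aug 23 09:01:02 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.20 PROTO=TCP SPT=40001 DPT=21
Aug 23 09:01:02 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.20 PROTO=TCP SPT=40002 DPT=22
Aug 23 09:01:03 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.20 PROTO=TCP SPT=40003 DPT=23
Aug 23 09:01:03 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.20 PROTO=TCP SPT=40004 DPT=25
Aug 23 09:01:04 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.20 PROTO=TCP SPT=40005 DPT=53
Aug 23 09:01:04 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.20 PROTO=TCP SPT=40006 DPT=80
Aug 23 09:01:05 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.20 PROTO=TCP SPT=40007 DPT=110
Aug 23 09:01:05 gw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.20 PROTO=TCP SPT=40008 DPT=143
Aug 23 09:05:10 gw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=51000 DPT=3042
Aug 23 09:06:11 gw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=51001 DPT=3042
Aug 23 09:07:30 gw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.20 PROTO=TCP SPT=51002 DPT=80
Aug 23 10:30:00 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=6000 DPT=135
Aug 23 10:30:00 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=6001 DPT=139
Aug 23 10:30:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=6002 DPT=445
Aug 23 10:30:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=6003 DPT=1433
Aug 23 10:30:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=6004 DPT=3306
Aug 23 10:30:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=6005 DPT=8080
"""

# Assumed netblock of the cable provider; not a real allocation.
PROVIDER_NET = ipaddress.ip_network("198.51.100.0/24")

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2001):
    """Return (timestamp, source address, destination port) or None for non-matching lines.
    Syslog timestamps carry no year, so the caller supplies one (default: the thread's year)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("src"), int(m.group("dpt"))


def find_scanners(log_text, window=timedelta(seconds=60), min_ports=5):
    """Map each source that hit at least min_ports distinct ports within any
    `window`-long span to the largest such distinct-port count."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):
            ports = set()
            for ts, port in evs[i:]:
                if ts - start > window:
                    break
                ports.add(port)
            best = max(best, len(ports))
        if best >= min_ports:
            scanners[src] = best
    return scanners


def classify_source(src, provider_net=PROVIDER_NET):
    """A scanner inside the provider's block may be any other customer, not the ISP itself."""
    if ipaddress.ip_address(src) in provider_net:
        return "inside provider netblock"
    return "external"


def triage(log_text):
    """Combine detection and classification into one report dict."""
    return {src: (n, classify_source(src)) for src, n in find_scanners(log_text).items()}


if __name__ == "__main__":
    for src, (n, where) in triage(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct ports in 60s ({where})")
```

The repeated hits on port 3042 from 192.0.2.44 are not flagged: a handful of connections to the same port looks like a user of the relocated web server, not a sweep. Tune `window` and `min_ports` to the noise level of the segment; on a shared cable segment the background scan rate is high enough that a low threshold drowns the report.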
