On 2014-11-05 10:50, McDonald Richards wrote:
ISPs will be the same. Try and restrict people and you'll just end up playing whack-a-mole
I agree that trying to restrict creative people from having free access will result in whack-a-mole, but common sense is needed when considering the damage that can be done with basic reflection attacks.
Should you default block the default SNMP port to a residential user from the Internet?
Part of the point I was trying to make is that I don't think you're going to be reasonably able to distinguish residential users any more, nor should you - the effect you can have on them is no different to the effect you can have on a business, and I'm not sure you always know which is which. Which is not to say that filtering isn't worth considering, or that providing people with an opt-out-of-filtering option isn't a good idea, it's just that I think the effects should be considered without making assumptions about the end user's use-case.
Can the CPE vendor be trusted to not leave a default "public" community with the Internet facing interface permitted?
Can the user be trusted to secure their own network devices to prevent misuse?
I've yet to find anyone, be it a home-user, business, ISP, or government, that hasn't screwed up that one at some point. :)
Which of these things is the easiest to accomplish and provides no reduction in experience for 99.95% of "normal" residential Internet users? Which of them has the potential to melt down the Internet if a CPE vendor ships 500,000+ units of equipment and leaves a door open?
Should we also bring back some variant on Telepermitting, where vendors get their kit voluntarily certified as not being open to exploitation?
Another thing I believe anyone filtering traffic should do is be open about it. Detail what you're filtering, why, and how to opt out, and make it publicly available.
--David