Defeating Firewalls: Sneaking Into Office Computers From Home

It's a very poor idea.

Reply to
Floyd L. Davidson

Wrong, there are simple lists available, and they are often used in RBLs - we use the residential block list to block inbound SMTP to our servers, as we don't have any reason for a residential customer to send us email from their workstation; the ISPs' SMTP servers are almost always not included in the residential network lookup lists.

Reply to
Leythos

This is an interesting list, and technically is correct in most aspects (the comment about "synchronous ... for multimedia" isn't right).

However, there are some *very* serious "gotchas" in this too. Most services provided over what might be called a "T1" may or may not be technically what is being referenced as a T1!

For example, a T1 that is provisioned through a provider's Frame Relay cloud might not provide the stated benefits. That isn't technically just a T1, but is almost always called a T1 today.

Significant, and correct for anything likely to be called a T1.

That is probably not quite true, though the issues are less serious than with DSL or Cable provisioned services. A Frame Relay Cloud still has the same potential insider security issues...

True.

Unless of course it is part of a Frame Relay Cloud. (I once saw a carrier install a Frame Relay Point-of-Presence, and then sell 6 different customers guaranteed bandwidth circuits equal to the backbone! ;-)

Probably true, but it can vary significantly if any part of the T1 is on Frame Relay or Cell Relay (ATM) backbone services.

Being synchronous or not doesn't affect the order that frames are received in. Regardless, virtually all T1's ride T3's, and thus become isochronous and suffer from higher clock jitter than a genuine point to point T1 over a wire facility would have.

Two out of three. It certainly has a bandwidth cap. Moreover, if it is provisioned on Frame Relay or Cell Relay there will be just as many weird bandwidth specs as one can imagine (burst, guaranteed, etc.), and it might well be affected by how much other customers are using.

Reply to
Floyd L. Davidson

: Comcast wants to be a cheaper alternative for business internet than T-1 service. I know that when it does launch, the high-end business version of Comcast will have 8 megabits download, and 1.5 megabits upload. A T-1 would never reach 8 megabits, and would likely cost a lot more than the Comcast business-level internet that is about to be introduced. And that will include a static IP and will allow servers.

That kind of business cable is available here [Winnipeg Canada] for about 1/8th of the price of a T1 -- less than $US100 compared to about $US1000 for T1. 10 megabit burstable fibre has been available for years here for about $US250. And yet there are still quite a few T1 providers.

People around here don't buy T1s for -speed-. Reasons why they do buy T1 include:

- T1 provides symmetric bandwidth (SDSL is not very common here)

- T1 is point to point and thus does not have the security issues that one has when one is connected to the Internet

- T1s are available -most- places that phone land-lines reach -- the required infrastructure having existed for long enough for very good saturation.

- T1s do not degrade with congestion from other users on your block (a significant problem with cable!)

- T1s have fixed latency and bandwidth, not variable as cable has

- T1 is synchronous and thus suitable for multimedia applications that degrade when frames are received out of order

- T1 has no bandwidth caps, content filters, forced http proxying,

Reply to
Walter Roberson

What is the definition of a "residential IP"?

-Frank

Reply to
Frankster

I know what RBLs are about... for mail. "Real-Time Blackhole List". But where do you find the databases listing residential IPs?

-Frank

Reply to
Frankster

So... it's a secret?

-Frank

Reply to
Frankster

NO! You merely have to ask... *every* ISP in the world.

Reply to
Floyd L. Davidson

That is one reason why business-level cable costs a lot more: you are not sharing your connection with other people. That puts one connection to a head-end. That is why it is more expensive, and why they can allow servers on such a connection. I don't know what Comcast will charge, but I know that RoadRunner has it in some markets for $155 per month, quite a bit less than a T-1 line.

Reply to
Charles Newman

What's poor about it - almost every ISP has a rule that prohibits residential users from running their own email servers, and since every residential user can push through their ISP's mail server even if they use their own internal email server, there is no reason to allow residential addresses to send SMTP. The real issue is the sooooo many residential users machines are compromised with viruses that have their own SMTP engines that anyone not blocking SMTP from residential addresses is a fool.

Reply to
Leythos

A residential IP is considered an ISP's range of Dynamic Addresses that they designate for non-commercial customers. Almost every ISP has a range for "residential" users that is different from the one for "Commercial" users, and the nice RBL lists (ones that do Dynamic) identify these very nicely.

There are also RBL's that do each country, that do the residential, that do the Dial-Up users ranges for ISP's, and then known spammers on commercial accounts....

You might want to look up what RBL's are about.

Reply to
Leythos

By understanding the RBL's and how they were formed - in most cases, if you follow the RBL back to the site that hosts it, or the master site for the particular RBL, they will give you the ranges. If you search you will find.

Reply to
Leythos

He's not the first to do so - by a LONG stretch. The Linux 'HOWTO' dates from 1998, and actually builds on an older document from 1996 or thereabouts.

IANAL - His 'Disclaimer' section at the bottom of the paper can be considered as wiggle room. He also has a slightly stronger version of the disclaimer on the URL page he was posting. Is that enough to ensure avoidance of legal action? HTFSIK! IANAL - consult your own lawyer in your local jurisdiction.

Old guy

Reply to
Moe Trin

If the hell desk reports one of our users having problem connecting with a specific service, we'll be happy to investigate. I don't think it has happened more than a couple of times in the twelve years we've had this policy.

The others have pointed out the RBLs - perhaps you should have a look at them.

Works for us - though I know the three divisions in the San Francisco Bay area have a MUCH harder row to hoe. One of the "ISPs" was a free community service operated by volunteers using a couple of addresses loaned to them by Nat Semi.

Again - works for us.

Perhaps you'd want to re-read this.

You'll never know until you look at your logs, will you.

Old guy

Reply to
Moe Trin

If you can find a means of querying ARIN (the Regional Internet Registrar assigned to North America), you'd find a whois query for the word COMCAST yields over 250 netblocks. Many of these are labeled as

Comcast Cable Communications SACRAMENTO-7 (NET-24-2-32-0-1) 24.2.32.0 - 24.2.63.255
Comcast Cable Communications SACRAMENTO-8 (NET-24-7-128-0-1) 24.7.128.0 - 24.7.191.255
Comcast Cable Communications SACRAMENTO-9 (NET-24-10-0-0-1) 24.10.0.0 - 24.10.127.255

and it should be obvious to you that this doesn't even include your block in the 67.160.0.0/11 range. That same list includes no less than 79 blocks listed similar to

Comcast Business Communications, Inc. CBC-BALTIMORE-1 (NET-64-139-92-0-1) 64.139.92.0 - 64.139.92.255
Comcast Business Communications, Inc. CBC-BALTIMORE-2 (NET-66-208-208-0-1) 66.208.208.0 - 66.208.211.255
Comcast Business Communications, Inc. CBC-BALTIMORE-3 (NET-66-208-212-0-1) 66.208.212.0 - 66.208.212.255
Comcast Business Communications, Inc. CBC-BALTIMORE-4 (NET-66-208-214-0-1) 66.208.214.0 - 66.208.214.255

and

Comcast ATWORKHFC-NJ (NET-64-232-72-0-1) 64.232.72.0 - 64.232.73.255
Comcast ATWORKHFC-PA (NET-64-232-220-0-1) 64.232.220.0 - 64.232.221.255

See the response from Walter Roberson of NRC. Comcast is actually rather late into the market compared to Verizon (nee Bell Atlantic), and AT&T, or even PacBell.

and be on a different IP block.

Old guy

Reply to
Moe Trin
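To make the residential-block filtering described by Leythos and the ARIN netblock listing above concrete, here is an added example (not code from any poster in the thread): it turns whois-style start/end ranges into CIDR blocks, classifies them by the registrant label, and applies the "reject inbound SMTP from residential space" policy. The five ranges are re-typed from the whois excerpts quoted above as constructed sample data, the "Business in the org name means commercial" rule is this example's own assumption, and the DNSBL zone name is a placeholder.

```python
import ipaddress

# Constructed sample: (registrant label, first address, last address), taken
# from the ARIN whois lines quoted in the thread. A real deployment would
# query a dynamic/residential DNSBL zone rather than hard-code ranges.
WHOIS_RANGES = [
    ("Comcast Cable Communications SACRAMENTO-7", "24.2.32.0", "24.2.63.255"),
    ("Comcast Cable Communications SACRAMENTO-8", "24.7.128.0", "24.7.191.255"),
    ("Comcast Cable Communications SACRAMENTO-9", "24.10.0.0", "24.10.127.255"),
    ("Comcast Business Communications, Inc. CBC-BALTIMORE-1", "64.139.92.0", "64.139.92.255"),
    ("Comcast Business Communications, Inc. CBC-BALTIMORE-2", "66.208.208.0", "66.208.211.255"),
]


def classify(label):
    """Assumption of this example: a 'Business' org name marks a commercial block."""
    return "business" if "Business" in label else "residential"


def build_table(ranges):
    """Convert whois start-end ranges into (network, class) CIDR entries."""
    table = []
    for label, first, last in ranges:
        nets = ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last))
        for net in nets:
            table.append((net, classify(label)))
    return table


def lookup(ip, table):
    """Return 'residential', 'business', or None when the IP is in no listed block."""
    addr = ipaddress.ip_address(ip)
    for net, cls in table:
        if addr in net:
            return cls
    return None


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet hostname a DNSBL client resolves for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def smtp_policy(ip, table):
    """Reject inbound SMTP from listed residential space; everything else is accepted."""
    return "reject" if lookup(ip, table) == "residential" else "accept"


if __name__ == "__main__":
    t = build_table(WHOIS_RANGES)
    for client in ("24.2.40.17", "64.139.92.10", "203.0.113.5"):
        print(client, lookup(client, t), smtp_policy(client, t))
    print(dnsbl_query_name("24.2.40.17", "dnsbl.example"))  # zone is a placeholder
```

Note that, as Frankster points out later in the thread, a block-level policy like this trades false positives for simplicity; an unlisted business customer inside a residential range is silently refused.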

Either way, I agree with others that this is like pissing into the wind. Lots of trouble for very little gain and very likely to have a ton of "false positives", meaning, you can't tell by the IP someone is issued by their IP if they will send spam or other malicious code, or be hackers.

Sure, you can block everyone that you think has POTENTIAL to send spam or be a hacker, but you will be blocking one hellovalot of valid IPs at the same time. Your choice. But somewhere there has to be a balance of function versus security. Blanket IP block blocking seems insane to me.

-Frank

Reply to
Frankster

:> - T1 do not degrade with congestion from other users on your block (a significant problem with cable!)

: That is one reason why business-level cable costs a lot more, you are not sharing your connection with other people. That put one connection to a head-end.

If I recall correctly, around here they use -smaller- clusters for business, but do not promise an exclusive circuit.

: That is why it is more expensive, and why they can allow servers on such a connection.

Servers or not is partly a matter of market differentiation. The transfer limits for the entry business-class cable service are -lower- than the transfer limits for residential service.

Reply to
Walter Roberson

In article , Walter Roberson wrote:
: Servers or not is partly a matter of market differentiation. The transfer limits for the entry business-class cable service are -lower- than the transfer limits for residential service.

To clarify: that last remark is in the context of the local cable broadband provider.

Reply to
Walter Roberson

Charles, you are right. You can always stop it by making changes to your network. But, I am talking about the most general setup. The setup which works for most of the companies and is a requirement for some of them.

Reply to
manu


In the handful of states that have passed what are known as Super-DMCA laws, I could see a possible criminal violation, but beyond that, I don't know. There are all kinds of statutes you can be violating now, and never even know it, which is obviously why he put the disclaimer there.

Reply to
Charles Newman

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.